fdsagfds
@@ -92,12 +92,19 @@ const parseMultipartFiles = (buffer, boundary) => {
|
|||||||
};
|
};
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Build the allowed MIME list for comment uploads (image/*, video/*, audio/*).
|
* Build the allowed MIME list for comment uploads.
|
||||||
* Filters from cfg.mimes, excluding PDF, SWF, etc.
|
* Respects cfg.websrv.fileupload_comments_mimes (e.g. ["image", "video", "audio"]) to
|
||||||
|
* allow a different set of categories than the global allowedMimes used for page uploads.
|
||||||
|
* Falls back to image/video/audio if the setting is absent.
|
||||||
*/
|
*/
|
||||||
const getAllowedCommentMimes = () => {
|
const getAllowedCommentMimes = () => {
|
||||||
|
const allowedCats = Array.isArray(cfg.websrv.fileupload_comments_mimes)
|
||||||
|
? cfg.websrv.fileupload_comments_mimes.map(c => c.toLowerCase())
|
||||||
|
: ['image', 'video', 'audio'];
|
||||||
return Object.keys(cfg.mimes).filter(mime =>
|
return Object.keys(cfg.mimes).filter(mime =>
|
||||||
mime.startsWith('image/') || mime.startsWith('video/') || mime.startsWith('audio/')
|
allowedCats.some(cat =>
|
||||||
|
cat.includes('/') ? mime === cat : mime.startsWith(`${cat}/`)
|
||||||
|
)
|
||||||
);
|
);
|
||||||
};
|
};
|
||||||
|
|
||||||
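Review bot: `cfg.websrv.fileupload_comments_mimes.map(c => c.toLowerCase())` in getAllowedCommentMimes throws a TypeError as soon as the configured array holds a non-string entry (a number, `null`), and the same pattern is applied to `cfg.allowedMimes` in handleUpload. Dropping such entries first keeps a config typo from breaking comment uploads: `.filter(c => typeof c === 'string').map(c => c.trim().toLowerCase())`. A bare category is a prefix match, so `"image"` admits every `image/*` key in cfg.mimes; if that table lists `image/svg+xml`, confirm that comment uploads are meant to accept it. The docblock names only categories and should also say that entries containing `/` are matched exactly.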
|
|||||||
@@ -1147,6 +1147,7 @@ process.on('uncaughtException', err => {
|
|||||||
fileupload_comments_size: cfg.websrv.fileupload_comments_size || (10 * 1024 * 1024),
|
fileupload_comments_size: cfg.websrv.fileupload_comments_size || (10 * 1024 * 1024),
|
||||||
fileupload_comments_max: cfg.websrv.fileupload_comments_max || 5,
|
fileupload_comments_max: cfg.websrv.fileupload_comments_max || 5,
|
||||||
fileupload_comments_mode: cfg.websrv.fileupload_comments_mode || 'attachment',
|
fileupload_comments_mode: cfg.websrv.fileupload_comments_mode || 'attachment',
|
||||||
|
fileupload_comments_mimes: Array.isArray(cfg.websrv.fileupload_comments_mimes) ? cfg.websrv.fileupload_comments_mimes : ['image', 'video', 'audio'],
|
||||||
|
|
||||||
get fonts() {
|
get fonts() {
|
||||||
try {
|
try {
|
||||||
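Review bot: The fallback `['image', 'video', 'audio']` on the added `fileupload_comments_mimes` line is a second copy of the default inside getAllowedCommentMimes, so the two can drift apart. This line also passes the configured array through as written, while the server-side filter lower-cases it. Whatever consumes this object (not visible here) may therefore display or pre-check a different list than the server enforces. A shared constant and one normalising helper used in both places would keep them in step; the server-side check should remain the authoritative one.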
|
|||||||
@@ -157,7 +157,18 @@ export const handleUpload = async (req, res, self) => {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Validate MIME type
|
// Validate MIME type
|
||||||
const allowedMimes = Object.keys(cfg.mimes);
|
// cfg.allowedMimes entries can be category prefixes ("image", "video", "audio")
|
||||||
|
// OR exact MIME types ("application/pdf"). Entries with "/" are matched exactly.
|
||||||
|
const allowedCats = Array.isArray(cfg.allowedMimes)
|
||||||
|
? cfg.allowedMimes.map(c => c.toLowerCase())
|
||||||
|
: null;
|
||||||
|
const allowedMimes = allowedCats
|
||||||
|
? Object.keys(cfg.mimes).filter(m =>
|
||||||
|
allowedCats.some(cat =>
|
||||||
|
cat.includes('/') ? m === cat : m.startsWith(`${cat}/`)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
: Object.keys(cfg.mimes);
|
||||||
let mime = file.contentType;
|
let mime = file.contentType;
|
||||||
|
|
||||||
if (!allowedMimes.includes(mime)) {
|
if (!allowedMimes.includes(mime)) {
|
||||||
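Review bot: When `cfg.allowedMimes` is set but is not an array (for example the string `"image"` instead of `["image"]`), `allowedCats` becomes `null` and `allowedMimes` falls back to every key in cfg.mimes, so a mistyped restriction silently allows all types. Failing closed is safer, ideally as a startup validation: `if (cfg.allowedMimes != null && !Array.isArray(cfg.allowedMimes)) throw new Error('cfg.allowedMimes must be an array');`. The same list gates the later `file --mime-type` check in this function, so the fallback widens both checks at once. The category/exact matching duplicates getAllowedCommentMimes and could be one shared helper. handleUpload begins and ends outside the hunk.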
@@ -224,7 +235,7 @@ export const handleUpload = async (req, res, self) => {
|
|||||||
// Save temporarily to detect actual MIME
|
// Save temporarily to detect actual MIME
|
||||||
await fs.writeFile(tmpPath, file.data);
|
await fs.writeFile(tmpPath, file.data);
|
||||||
|
|
||||||
// Verify MIME
|
// Verify actual MIME (second check after file-command detection)
|
||||||
let actualMime = (await queue.spawn('file', ['--mime-type', '-b', tmpPath])).stdout.trim();
|
let actualMime = (await queue.spawn('file', ['--mime-type', '-b', tmpPath])).stdout.trim();
|
||||||
if (!allowedMimes.includes(actualMime)) {
|
if (!allowedMimes.includes(actualMime)) {
|
||||||
await fs.unlink(tmpPath).catch(() => { });
|
await fs.unlink(tmpPath).catch(() => { });
|
||||||
|
|||||||