
github.com/nextcloud/richdocuments.git - Unnamed repository; edit this file 'description' to name the repository.
authorJulius Härtl <jus@bitgrid.net>2019-08-20 09:56:57 +0300
committerJulius Härtl <jus@bitgrid.net>2019-08-20 09:56:57 +0300
commitdb417fe8f75c75d6b95f026dab46e6d3dc104251 (patch)
tree1191f8093505f18c6a4fb607d113df4de7cc0ae4 /lib
parente414e0c8401a93605db3da67b7f918e7528ec9dc (diff)
Check for mimetype during template upload
Signed-off-by: Julius Härtl <jus@bitgrid.net>
Diffstat (limited to 'lib')
-rw-r--r--lib/Controller/TemplatesController.php7
-rw-r--r--lib/TemplateManager.php23
2 files changed, 23 insertions, 7 deletions
diff --git a/lib/Controller/TemplatesController.php b/lib/Controller/TemplatesController.php
index 548c3528..1724f660 100644
--- a/lib/Controller/TemplatesController.php
+++ b/lib/Controller/TemplatesController.php
@@ -135,6 +135,13 @@ class TemplatesController extends Controller {
);
}
+ if (!$this->manager->isValidTemplateMime($files['type'][0])) {
+ return new JSONResponse(
+ ['data' => ['message' => $this->l10n->t('Only template files can be uploaded')]],
+ Http::STATUS_BAD_REQUEST
+ );
+ }
+
$templateName = $files['name'][0];
$templateFile = file_get_contents($files['tmp_name'][0]);
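Review bot: The added check validates `$files['type'][0]`, which is the Content-Type the client declared for the upload part if `$files` is PHP's upload array (the `name`/`tmp_name` keys suggest it is). A type label supplied by the uploader says nothing about the file's actual content, so the check as written does not constrain what gets stored as a template. The type should be derived from the uploaded bytes before `file_get_contents()` runs, for example `$mime = mime_content_type($files['tmp_name'][0]);` followed by `if ($mime === false || !$this->manager->isValidTemplateMime($mime)) {`. The enclosing method begins and ends outside the hunk, so whether `$files['type'][0]` is guaranteed to be set at this point cannot be confirmed from here.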
diff --git a/lib/TemplateManager.php b/lib/TemplateManager.php
index 06113733..2c5e33bb 100644
--- a/lib/TemplateManager.php
+++ b/lib/TemplateManager.php
@@ -203,13 +203,7 @@ class TemplateManager {
return false;
}
- if ($type !== null && !in_array($templateFile->getMimeType(), self::$tplTypes[$type])) {
- return false;
- }
-
- //Todo validate mimetypes etc
-
- return true;
+ return $this->isValidTemplateMime($templateFile->getMimeType(), $type);
});
}
@@ -489,4 +483,19 @@ class TemplateManager {
'extension' => $ooxml ? self::TYPE_EXTENSION_OOXML[$documentType] : self::TYPE_EXTENTION[$documentType],
];
}
+
+ public function isValidTemplateMime($mime, $type = null) {
+ if ($type === null) {
+ $allMimes = array_merge(self::$tplTypes['document'], self::$tplTypes['spreadsheet'], self::$tplTypes['presentation']);
+ if (!in_array($mime, $allMimes)) {
+ return false;
+ }
+ }
+
+ if ($type !== null && !in_array($mime, self::$tplTypes[$type])) {
+ return false;
+ }
+
+ return true;
+ }
}
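Review bot: In `isValidTemplateMime()` the lookup `self::$tplTypes[$type]` is unguarded, so a `$type` that is not a key of `$tplTypes` passes `null` to `in_array()`, which is a warning on PHP 7 and a TypeError on PHP 8 rather than a clean `false`. Whether callers can pass such a value is not visible in this hunk. Both `in_array()` calls also compare loosely. The two branches can be collapsed into `$allowed = $type === null ? array_merge(self::$tplTypes['document'], self::$tplTypes['spreadsheet'], self::$tplTypes['presentation']) : (self::$tplTypes[$type] ?? []);` and `return in_array($mime, $allowed, true);`. A short docblock should also state that `$mime` is expected to be a server-detected type and that `$type = null` means any template type is accepted.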