author | Vincent Petry <pvince81@owncloud.com> | 2016-10-26 00:50:29 +0300 |
---|---|---|
committer | Thomas Müller <DeepDiver1975@users.noreply.github.com> | 2016-10-26 00:50:29 +0300 |
commit | 6accf54d906afb55eb69c0a04ec165d3c0cff037 (patch) | |
tree | e08a84e17d2fa9580d46c27023a10d626ad14e67 | |
parent | a5f724753694772e1f23c5d028c6aea03b0a2ca2 (diff) |
[stable9.1] Merge pull request #26459 from owncloud/limit-carddav-image-export-mime-types (#26484)
Limit carddav image export mime types
-rw-r--r-- | apps/dav/lib/carddav/imageexportplugin.php | 10 | ||||
-rw-r--r-- | apps/dav/tests/unit/carddav/imageexportplugintest.php | 16 |
2 files changed, 18 insertions, 8 deletions
diff --git a/apps/dav/lib/carddav/imageexportplugin.php b/apps/dav/lib/carddav/imageexportplugin.php
index fcd36b3ff35..1a0e99b28e7 100644
--- a/apps/dav/lib/carddav/imageexportplugin.php
+++ b/apps/dav/lib/carddav/imageexportplugin.php
@@ -86,6 +86,7 @@ class ImageExportPlugin extends ServerPlugin {
 if ($result = $this->getPhoto($node)) {
 $response->setHeader('Content-Type', $result['Content-Type']);
+ $response->setHeader('Content-Disposition', 'attachment');
 $response->setStatus(200);
 $response->setBody($result['body']);
@@ -120,6 +121,11 @@ class ImageExportPlugin extends ServerPlugin {
 }
 $val = file_get_contents($val);
 }
+
+ if (!in_array($type, ['image/png', 'image/jpeg', 'image/gif'])) {
+ $type = 'application/octet-stream';
+ }
+
 return [
 'Content-Type' => $type,
 'body' => $val
@@ -136,7 +142,7 @@ class ImageExportPlugin extends ServerPlugin {
 /**
 * @param Binary $photo
- * @return Parameter
+ * @return string
 */
 private function getType($photo) {
 $params = $photo->parameters();
@@ -151,6 +157,6 @@ class ImageExportPlugin extends ServerPlugin {
 return 'image/' . strtolower($type);
 }
 }
- return '';
+ return 'application/octet-stream';
 }
 }
diff --git a/apps/dav/tests/unit/carddav/imageexportplugintest.php b/apps/dav/tests/unit/carddav/imageexportplugintest.php
index 3a9dc144584..25a367cbd94 100644
--- a/apps/dav/tests/unit/carddav/imageexportplugintest.php
+++ b/apps/dav/tests/unit/carddav/imageexportplugintest.php
@@ -92,7 +92,7 @@ class ImageExportPluginTest extends TestCase {
 * @param bool $expected
 * @param array $getPhotoResult
 */
- public function testCardWithOrWithoutPhoto($expected, $getPhotoResult) {
+ public function testCardWithOrWithoutPhoto($expectedContentType, $getPhotoResult) {
 $this->request->expects($this->once())->method('getQueryParameters')->willReturn(['photo' => true]);
 $this->request->expects($this->once())->method('getPath')->willReturn('/files/welcome.txt');
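Review bot: The added `Content-Disposition: attachment` stops the browser from rendering the photo inline, but nothing in this hunk stops content sniffing, and the Content-Type it accompanies is the vCard's declared type rather than anything derived from the bytes in the body. Adding `$response->setHeader('X-Content-Type-Options', 'nosniff');` beside the new line closes that gap at no cost. A `filename` parameter on the disposition (for instance derived from the card's UID) would also give clients something better than the request path to save under; whether Sabre's response layer supplies one elsewhere is not visible here. httpGet begins and ends outside the hunk.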
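Review bot: The allowlist on the added `in_array` line compares loosely; pass the strict flag, `if (!in_array($type, ['image/png', 'image/jpeg', 'image/gif'], true)) {`, so that only an exact string match passes, which is what a MIME allowlist is for. The check also deserves a one-line comment recording why `image/svg+xml` is absent, since SVG can embed script and is the image type this export most needs to keep out, e.g. `// Deliberately no image/svg+xml: SVG can carry script.` Note that only the declared type is validated here; `$val` itself is never inspected, so a non-image body declared as image/png still leaves with that Content-Type, which is tolerable only because httpGet serves it as an attachment. getPhoto begins outside the hunk.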
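Review bot: `'application/octet-stream'` is now the fallback in two places (the changed `return` here and the allowlist fallback in getPhoto), so the two can drift apart silently; a single class constant such as `const FALLBACK_MIME = 'application/octet-stream';` used at both sites keeps them in step. The context line `return 'image/' . strtolower($type);` also builds a MIME type straight from a vCard TYPE parameter, which is only safe because getPhoto filters the result afterwards; a short comment on that line saying the value is unvalidated until the allowlist runs would save the next reader a detour. getType begins outside the hunk.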
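Review bot: The docblock above the renamed signature still reads `* @param bool $expected`, but the parameter is now `$expectedContentType` and, per the provider, is either `true` or a MIME string; update it to `* @param string|bool $expectedContentType` so the annotation matches what the test actually receives. The rest of testCardWithOrWithoutPhoto runs past the hunk.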
@@ -101,20 +101,22 @@ class ImageExportPluginTest extends TestCase {
 $this->plugin->expects($this->once())->method('getPhoto')->willReturn($getPhotoResult);
- if (!$expected) {
- $this->response->expects($this->once())->method('setHeader');
- $this->response->expects($this->once())->method('setStatus');
+ if (is_string($expectedContentType)) {
+ $this->response->expects($this->exactly(2))->method('setHeader')->withConsecutive(
+ ['Content-Type', $expectedContentType],
+ ['Content-Disposition', 'attachment']);
+ $this->response->expects($this->once())->method('setStatus')->with(200);
 $this->response->expects($this->once())->method('setBody');
 }
 $result = $this->plugin->httpGet($this->request, $this->response);
- $this->assertEquals($expected, $result);
+ $this->assertEquals(!is_string($expectedContentType), $result);
 }
 public function providesCardWithOrWithoutPhoto() {
 return [
 [true, null],
- [false, ['Content-Type' => 'image/jpeg', 'body' => '1234']],
+ ['image/jpeg', ['Content-Type' => 'image/jpeg', 'body' => '1234']],
 ];
 }
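Review bot: The `if (is_string($expectedContentType))` branch only sets expectations for the photo case; for the `true` dataset (no photo) the response mock carries no expectations at all, so a regression that emits headers or a status for a missing photo would still pass. Add an `else` branch with `$this->response->expects($this->never())->method('setHeader');` and the same for `setStatus` and `setBody`. The closing `assertEquals(!is_string($expectedContentType), $result)` encodes the return contract indirectly; `assertSame` with the boolean would state the intent and also catch a non-boolean return.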
@@ -143,6 +145,8 @@ class ImageExportPluginTest extends TestCase {
 'vcard 3 with PHOTO URL' => [false, "BEGIN:VCARD\r\nVERSION:3.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO;TYPE=JPEG;VALUE=URI:http://example.com/photo.jpg\r\nEND:VCARD\r\n"],
 'vcard 4 with PHOTO' => [['Content-Type' => 'image/jpeg', 'body' => '12345'], "BEGIN:VCARD\r\nVERSION:4.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO:data:image/jpeg;base64,MTIzNDU=\r\nEND:VCARD\r\n"],
 'vcard 4 with PHOTO URL' => [false, "BEGIN:VCARD\r\nVERSION:4.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO;MEDIATYPE=image/jpeg:http://example.org/photo.jpg\r\nEND:VCARD\r\n"],
+ 'vcard 3 with bad PHOTO' => [['Content-Type' => 'application/octet-stream', 'body' => '12345'], "BEGIN:VCARD\r\nVERSION:3.0\r\nPRODID:-//Sabre//Sabre VObject 4.1.1//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO;ENCODING=b;TYPE=TXT:MTIzNDU=\r\nEND:VCARD\r\n"],
+ 'vcard 4 with bad PHOTO' => [['Content-Type' => 'application/octet-stream', 'body' => '12345'], "BEGIN:VCARD\r\nVERSION:4.0\r\nPRODID:-//Sabre//Sabre VObject 4.1.1//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO:data:video/mpeg;base64,MTIzNDU=\r\nEND:VCARD\r\n"],
 ];
 }
 } |
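Review bot: Neither new dataset covers `image/svg+xml`, the image type most likely to carry active content and the one the allowlist in getPhoto exists to exclude; a dataset such as `'vcard 4 with SVG PHOTO' => [['Content-Type' => 'application/octet-stream', 'body' => '12345'], "BEGIN:VCARD\r\nVERSION:4.0\r\nPRODID:-//Sabre//Sabre VObject 4.1.1//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO:data:image/svg+xml;base64,MTIzNDU=\r\nEND:VCARD\r\n"],` would pin that behaviour against future edits to the list. A dataset with a lowercase `TYPE=png` would likewise pin the `strtolower` path in getType, which the existing uppercase `TYPE=JPEG` case only covers in one direction. The provider method starts outside the hunk.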