fix: [security] Improved security checks for organisation logo upload
- As reported by Andrei Agape / Teliacompany. Checks are: - Maximum file size of 250K, since the recommended picture size is 48x48. - File extension check. - File MIME type check.
pull/9538/head
parent
51840a0697
commit
312d2d5422
@ -481,6 +481,25 @@ class OrganisationsController extends AppController
|
|||
$extension = pathinfo($logo['name'], PATHINFO_EXTENSION);
|
||||
$filename = $orgId . '.' . ($extension === 'svg' ? 'svg' : 'png');
|
||||
|
||||
if ($logo['size'] > 250*1024) {
|
||||
$this->Flash->error(__('This organisation logo is too large, maximum file size allowed is 250kB.'));
|
||||
return false;
|
||||
}
|
||||
|
||||
if ($extension !== 'svg' && $extension !== 'png') {
|
||||
$this->Flash->error(__('Invalid file extension, Only PNG and SVG images are allowed.'));
|
||||
return false;
|
||||
}
|
||||
|
||||
$imgMime = mime_content_type($logo['tmp_name']);
|
||||
if ($extension === 'png' && !exif_imagetype($logo['tmp_name'])) {
|
||||
$this->Flash->error(__('This is not a valid PNG image.'));
|
||||
return false;
|
||||
} else if ($extension === 'svg' && !($imgMime === 'image/svg+xml' || $imgMime === 'image/svg')) {
|
||||
$this->Flash->error(__('This is not a valid SVG image.'));
|
||||
return false;
|
||||
}
|
||||
|
||||
if ($extension === 'svg' && !Configure::read('Security.enable_svg_logos')) {
|
||||
$this->Flash->error(__('Invalid file extension, SVG images are not allowed.'));
|
||||
return false;
|
||||
|
|
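Review bot: The PNG branch at the `exif_imagetype` line accepts any image format the function recognises, not only PNG: `exif_imagetype()` returns a non-zero IMAGETYPE_* constant for GIF, JPEG, BMP and others, so a JPEG renamed to `.png` passes the check and is written as `<orgId>.png` even though the error text promises a PNG check. Compare against the concrete type instead: `if ($extension === 'png' && exif_imagetype($logo['tmp_name']) !== IMAGETYPE_PNG) {`. The SVG branch relies on `mime_content_type()`'s libmagic sniffing, which only confirms the bytes look like SVG/XML and says nothing about embedded script, so the `Security.enable_svg_logos` gate further down remains the real control; a comment there would make that explicit, e.g. `// MIME sniff is a sanity check only; SVG is script-capable and is gated by Security.enable_svg_logos`. The enclosing method starts before the hunk, so whether `$logo['error']` and `is_uploaded_file()` are validated earlier cannot be confirmed from here.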