More fixes for InstanceStatic
This commit is contained in:
Lain Soykaf
parent
1dd9ba5d6f
commit
b1309bdb40
3 changed files with 66 additions and 1 deletions
|
|
@ -4,6 +4,7 @@
|
|||
|
||||
defmodule Pleroma.Web.Plugs.InstanceStatic do
|
||||
require Pleroma.Constants
|
||||
import Plug.Conn, only: [put_resp_header: 3]
|
||||
|
||||
@moduledoc """
|
||||
This is a shim to call `Plug.Static` but with runtime `from` configuration.
|
||||
|
|
@ -44,10 +45,31 @@ defmodule Pleroma.Web.Plugs.InstanceStatic do
|
|||
end
|
||||
|
||||
defp call_static(conn, opts, from) do
|
||||
# Prevent content-type spoofing by setting content_types: false
|
||||
opts =
|
||||
opts
|
||||
|> Map.put(:from, from)
|
||||
|> Map.put(:content_types, false)
|
||||
|
||||
# Get sanitized content type before calling Plug.Static
|
||||
# Include "text" to allow HTML files and other text-based content
|
||||
allowed_mime_types =
|
||||
Pleroma.Config.get([Pleroma.Upload, :allowed_mime_types], [
|
||||
"image",
|
||||
"audio",
|
||||
"video",
|
||||
"text"
|
||||
])
|
||||
|
||||
conn = set_content_type(conn, %{allowed_mime_types: allowed_mime_types}, conn.request_path)
|
||||
|
||||
# Call Plug.Static with our sanitized content-type
|
||||
Plug.Static.call(conn, opts)
|
||||
end
|
||||
|
||||
defp set_content_type(conn, opts, filepath) do
|
||||
real_mime = MIME.from_path(filepath)
|
||||
clean_mime = Pleroma.Web.Plugs.Utils.get_safe_mime_type(opts, real_mime)
|
||||
put_resp_header(conn, "content-type", clean_mime)
|
||||
end
|
||||
end
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue