Made check for MIME type "image/svg+xml" case insensitive

It was possible to bypass this check by sending a manipulated HTTP request with a MIME type like "image/svg+XML".
This check was originally implemented to address CVE-2022-30110.

Reported by:
- Yann CAM (ycam) (https://yann.cam/)
- Georges TAUPIN (jo) (https://www.georgestaupin.com/)

diff --git a/lib/functions.php b/lib/functions.php
index 9091af7d3b27772de8d0df99d197b34a01cbfb9d..03725073dae490118cf8ae4837578c99e4d58e03 100644 (file)
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -623,7 +623,7 @@ function jirafeau_is_viewable($mime)
     if (!empty($mime)) {
         $viewable = array('image', 'video', 'audio');
         $decomposed = explode('/', $mime);
-        if (in_array($decomposed[0], $viewable) && strpos($mime, 'image/svg+xml') === false) {
+        if (in_array($decomposed[0], $viewable) && stripos($mime, 'image/svg+xml') === false) {
             return true;
         }
         $viewable = array('text/plain');