From: Patrick Canterino Date: Mon, 16 Jun 2025 09:58:15 +0000 (+0200) Subject: Check for commas in MIME type before generating preview X-Git-Tag: 4.6.3~2^2~1 X-Git-Url: https://git.p6c8.net/jirafeau/jirafeau.git/commitdiff_plain/79464ec6276e8eb0e0b0ad597db02b85080d2b63?hp=--cc Check for commas in MIME type before generating preview It was possible to bypass the preview check by sending a manipulated HTTP request with a MIME type like "image/png,text/html". When parsing the Content-Type of a HTTP response, browsers see multiple MIME types, and the last one, text/html, takes precedence, allowing to execute potentially harmful JavaScript code. This check was originally implemented to address CVE-2022-30110 then CVE-2024-12326. Reported by: - Yann CAM (ycam) (https://yann.cam/) - Killian CHEVRIER (palmier) (https://killianchevrier.fr/) --- 79464ec6276e8eb0e0b0ad597db02b85080d2b63 diff --git a/lib/functions.php b/lib/functions.php index 7ac4c9e..f9fbd9b 100644 --- a/lib/functions.php +++ b/lib/functions.php @@ -623,7 +623,7 @@ function jirafeau_is_viewable($mime) if (!empty($mime)) { $viewable = array('image', 'video', 'audio'); $decomposed = explode('/', $mime); - if (in_array($decomposed[0], $viewable) && stripos($mime, 'image/svg+xml') === false) { + if (in_array($decomposed[0], $viewable) && stripos($mime, 'image/svg+xml') === false && strpos($mime, ',') === false) { return true; } $viewable = array('text/plain');
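Review bot: the new `strpos($mime, ',') === false` condition blocks the reported comma-separated bypass, but it rejects a single character rather than validating the shape of the value, and `explode('/', $mime)` followed by `$decomposed[0]` still only inspects the part before the first slash. A sturdier check at the same spot would require `count($decomposed) === 2` and that both type and subtype match a strict pattern such as `^[a-z0-9][a-z0-9.+-]*$` (no commas, semicolons or whitespace), which covers other separators as well as the one reported. The hunk also leaves the following `$viewable = array('text/plain');` branch untouched; if that branch does not compare the full string exactly, it needs the same treatment. A short code comment pointing at the bypass this guards against would help future maintainers understand why the comma check exists, and the mix of `stripos` and `strpos` on the same line is worth making consistent.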