From 79464ec6276e8eb0e0b0ad597db02b85080d2b63 Mon Sep 17 00:00:00 2001
From: Patrick Canterino <patrick@patrick-canterino.de>
Date: Mon, 16 Jun 2025 11:58:15 +0200
Subject: [PATCH] Check for commas in MIME type before generating preview

It was possible to bypass the preview check by sending a manipulated HTTP request with a MIME type like "image/png,text/html".
When parsing the Content-Type of a HTTP response, browsers see multiple MIME types, and the last one, text/html, takes precedence, allowing to execute potentially harmful JavaScript code.

This check was originally implemented to address CVE-2022-30110 then CVE-2024-12326.

Reported by:
- Yann CAM (ycam) (https://yann.cam/)
- Killian CHEVRIER (palmier) (https://killianchevrier.fr/)
---
 lib/functions.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/functions.php b/lib/functions.php
index 7ac4c9e..f9fbd9b 100644
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -623,7 +623,7 @@ function jirafeau_is_viewable($mime)
     if (!empty($mime)) {
         $viewable = array('image', 'video', 'audio');
         $decomposed = explode('/', $mime);
-        if (in_array($decomposed[0], $viewable) && stripos($mime, 'image/svg+xml') === false) {
+        if (in_array($decomposed[0], $viewable) && stripos($mime, 'image/svg+xml') === false && strpos($mime, ',') === false) {
             return true;
         }
         $viewable = array('text/plain');
-- 
2.43.0