changeset 3003:e624550d5c24

plugin XEP-0054: reject image without MIME type if it's not PNG
author Goffi <goffi@goffi.org>
date Sun, 14 Jul 2019 16:43:04 +0200
parents 6acaa8244220
children d86cddc1cd05
files sat/plugins/plugin_xep_0054.py
diffstat 1 files changed, 14 insertions(+), 4 deletions(-) [+]
--- a/sat/plugins/plugin_xep_0054.py	Sun Jul 14 11:23:25 2019 +0200
+++ b/sat/plugins/plugin_xep_0054.py	Sun Jul 14 16:43:04 2019 +0200
@@ -234,12 +234,13 @@
         try:
             mime_type = unicode(photo_elt.elements(NS_VCARD, "TYPE").next())
         except StopIteration:
-            log.warning(u"no MIME type found, assuming image/png")
-            mime_type = u"image/png"
+            mime_type = None
         else:
             if not mime_type:
-                log.warning(u"empty MIME type, assuming image/png")
-                mime_type = u"image/png"
+                # MIME type not know, we'll only support PNG files
+                # TODO: autodetection using e.g. "magic" module
+                #       (https://pypi.org/project/python-magic/)
+                mime_type = None
             elif mime_type not in ("image/gif", "image/jpeg", "image/png"):
                 if mime_type == "image/x-png":
                     # XXX: this old MIME type is still used by some clients
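Review bot: The `except StopIteration:` branch now sets `mime_type = None` with no explanation, while the comment describing the PNG-only fallback sits only in the empty-string branch. Since `None` is a sentinel that a later check relies on, both branches should say so, for example `# no TYPE element: the payload is checked against the PNG signature later`. The added comment also has a typo, "not know" should read "not known". The enclosing function starts and ends outside the hunk.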
@@ -270,6 +271,15 @@
         if not buf:
             log.warning(u"empty avatar for {jid}".format(jid=entity_jid.full()))
             raise Failure(exceptions.NotFound())
+        if mime_type is None:
+            log.warning(_(u"no MIME type found for {entity}'s avatar, assuming image/png")
+                .format(entity=entity_jid.full()))
+            if buf[:8] != b'\x89\x50\x4e\x47\x0d\x0a\x1a\x0a':
+                log.warning(u"this is not a PNG file, ignoring it")
+                raise Failure(exceptions.DataError())
+            else:
+                mime_type = u"image/png"
+
         log.debug(_(u"Decoding binary"))
         decoded = b64decode(buf)
         del buf
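Review bot: The signature test `buf[:8] != b'\x89\x50\x4e\x47\x0d\x0a\x1a\x0a'` runs on `buf` before the `b64decode(buf)` call just below it, so it appears to compare still-encoded base64 text with raw PNG bytes. If so, a genuine PNG (whose base64 form begins `iVBORw0K`) never matches, and every avatar without a declared type is refused with `DataError`. Move the check after decoding and test the decoded bytes, `if mime_type is None and decoded[:8] != b'\x89\x50\x4e\x47\x0d\x0a\x1a\x0a':`. The "assuming image/png" warning is also logged before the test, so it is emitted for payloads that are then rejected; logging it only on the accepting branch would keep the log accurate. The enclosing function starts and ends outside the hunk.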