CVE-2023-23937: [Task]: Mime type check on Profile Avatar upload (#14125) · pimcore/pimcore@75a448e

@@ -21,12 +21,14 @@ use Pimcore\Bundle\AdminBundle\HttpFoundation\JsonResponse; use Pimcore\Controller\KernelControllerEventInterface; use Pimcore\Logger; use Pimcore\Model\Asset; use Pimcore\Model\DataObject; use Pimcore\Model\Element; use Pimcore\Model\User; use Pimcore\Tool; use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Google\GoogleAuthenticatorInterface; use Symfony\Component\HttpFoundation\BinaryFileResponse; use Symfony\Component\HttpFoundation\File\UploadedFile; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Response; use Symfony\Component\HttpFoundation\Session\Attribute\AttributeBagInterface; @@ -797,6 +799,15 @@ public function uploadImageAction(Request $request) throw $this->createAccessDeniedHttpException(‘Only admin users are allowed to modify admin users’); }
//Check if uploaded file is an image $avatarFile = $request->files->get(‘Filedata’);
$assetType = Asset::getTypeFromMimeMapping($avatarFile->getMimeType(), $avatarFile);
if (!$avatarFile instanceof UploadedFile || $assetType !== ‘image’) { throw new \Exception(‘Unsupported file format.’); }
$userObj->setImage($_FILES[‘Filedata’][‘tmp_name’]);
// set content-type to text/html, otherwise (when application/json is sent) chrome will complain in