Autodetect MIME type of uploaded message files? #716

Closed
mpkut opened this issue Aug 1, 2019 · 2 comments

Comments

@mpkut
Contributor

mpkut commented Aug 1, 2019

The Send an html page option in the wwsympa Post panel allows the user to upload a file that is treated as HTML newsletter content. However, if a JPG or other image file is uploaded by mistake, the Content-Type header of the message remains "text/html". In that case subscribers receive a base64-encoded document containing what appears to be random noise.

It seems useful to do some content type detection on the uploaded file, and update the message headers to suit. Perhaps some content types should be rejected.

Before we start coding anything to submit along these lines, we have a Perl module bundling question. While we hesitate to suggest adding yet another Perl module requirement to Sympa, File::LibMagic may be a good choice for the task. The module has seen relatively recent updates and is bundled with RHEL 7/CentOS 7 and at least Fedora 30. Would it be agreeable for us to use this module to try to implement content detection for HTML newsletter files?

@ikedas
Member

ikedas commented Aug 5, 2019

MIME content type may be restricted by doing something like:

diff --git a/src/cgi/wwsympa.fcgi.in b/src/cgi/wwsympa.fcgi.in
index 04436b5..376f863 100644
--- a/src/cgi/wwsympa.fcgi.in
+++ b/src/cgi/wwsympa.fcgi.in
@@ -14692,8 +14692,11 @@ sub do_send_mail {
         my $page_source;
         if ($in{'uploaded_file'} =~ /\S/) {
             my $fh = $query->upload('uploaded_file');
-            unless ($fh) {
-                wwslog('err', 'Can\'t upload %s', $in{'uploaded_file'});
+            my $ctype = $query->uploadInfo($fh)->{'Content-Type'}
+                if $fh;
+            unless ($ctype and lc $ctype eq 'text/html') {
+                wwslog('err', 'Can\'t upload %s (%s)', $in{'uploaded_file'},
+                    $ctype || 'unknown type');
                 Sympa::WWW::Report::reject_report_web(
                     'intern',
                     'cannot_upload',
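
Review bot: In the added `my $ctype = $query->uploadInfo($fh)->{'Content-Type'} if $fh;`, a `my` declaration combined with a statement modifier has behaviour that perlsyn documents as undefined; declare `my $ctype;` on its own line and assign it inside `if ($fh) { ... }`. The test `lc $ctype eq 'text/html'` is also an exact string match, so a header carrying a parameter, such as `text/html; charset=UTF-8`, falls into the reject branch; comparing only the part before the first `;` would avoid that. The reworded log line 'Can\'t upload %s (%s)' now covers both a failed upload and a wrong type, so a separate message for the type mismatch would make the log easier to read.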

However, it will be easily outwitted.

@mpkut
Contributor Author

mpkut commented Aug 5, 2019

This change seems like an improvement on its own and would cover the most common cases of uploading an image file by mistake. There may still be room to consider whether it would be worthwhile to inspect the contents of the uploaded file as well. That's where a "magic cookie" module seemed like a good fit, but not without agreement from the development team on which of the likely available modules would be agreeable.

Thank you!
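
The two checks discussed in this thread, combined in one place: the declared Content-Type must be `text/html` and the leading bytes of the file must not look like something else. This is an added example, not Sympa code and not code from either participant; it uses a small hand-written signature table in place of File::LibMagic, and `sniff_type`, `accept_upload` and the sample inputs are hypothetical names and constructed data.

```perl
use strict;
use warnings;

# Illustrative signature table (assumption: deliberately short, not exhaustive).
my @SIGNATURES = (
    [ "\xFF\xD8\xFF"            => 'image/jpeg' ],
    [ "\x89PNG\x0D\x0A\x1A\x0A" => 'image/png' ],
    [ 'GIF87a'                  => 'image/gif' ],
    [ 'GIF89a'                  => 'image/gif' ],
    [ '%PDF-'                   => 'application/pdf' ],
);

# Hypothetical helper: guess a MIME type from the first bytes of an upload.
sub sniff_type {
    my ($head) = @_;
    for my $sig (@SIGNATURES) {
        my ($magic, $type) = @$sig;
        return $type if index($head, $magic) == 0;
    }
    # NUL bytes do not occur in HTML text, so treat the file as binary.
    return 'application/octet-stream' if $head =~ /\x00/;
    # Skip an optional UTF-8 BOM and whitespace, then look for HTML markup.
    (my $text = $head) =~ s/\A(?:\xEF\xBB\xBF)?\s*//;
    return 'text/html' if $text =~ /\A<(?:!doctype\s+html|html|head|body|!--)/i;
    return;    # unknown; bare fragments such as "<p>..." also end up here
}

# Accept only when the declared type and the sniffed content both say HTML.
sub accept_upload {
    my ($declared, $head) = @_;
    # Drop parameters such as "; charset=UTF-8" before comparing.
    my ($base) = lc($declared // '') =~ /\A\s*([^;\s]+)/;
    return 0 unless defined $base and $base eq 'text/html';
    my $sniffed = sniff_type($head);
    return (defined $sniffed and $sniffed eq 'text/html') ? 1 : 0;
}

# Constructed samples: declared Content-Type, first bytes of the file.
my @samples = (
    [ 'text/html',                "<!DOCTYPE html><html><body>News</body></html>" ],
    [ 'text/html; charset=UTF-8', "\xEF\xBB\xBF<html><p>Hi</p></html>" ],
    [ 'text/html',                "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" ],
    [ 'image/jpeg',               "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" ],
);
for my $s (@samples) {
    printf "%-26s => %s\n", $s->[0], accept_upload(@$s) ? 'accept' : 'reject';
}
```

The third sample is the case from the original report: a JPEG sent with a `text/html` label passes a header-only check but is rejected once the content is inspected.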

ikedas added a commit that referenced this issue Aug 8, 2019
WWSympa: send_mail: Restrict MIME content type of uploaded HTML text (#716)
@ikedas ikedas closed this as completed Aug 8, 2019