bookstack/app/Util/WebSafeMimeSniffer.php

<?php

namespace BookStack\Util;

use finfo;

/**
 * Helper class to sniff out the mime-type of content resulting in
 * a mime-type that's relatively safe to serve to a browser.
 */
class WebSafeMimeSniffer
{
    /**
     * @var string[]
     */
    protected array $safeMimes = [
        'application/json',
        'application/octet-stream',
        'application/pdf',
        'audio/aac',
        'audio/midi',
        'audio/mpeg',
        'audio/ogg',
        'audio/opus',
        'audio/wav',
        'audio/webm',
        'audio/x-m4a',
        'image/apng',
        'image/bmp',
        'image/jpeg',
        'image/png',
        'image/gif',
        'image/webp',
        'image/avif',
        'image/heic',
        'text/css',
        'text/csv',
        'text/javascript',
        'text/json',
        'text/plain',
        'video/x-msvideo',
        'video/mp4',
        'video/mpeg',
        'video/ogg',
        'video/webm',
        'video/vp9',
        'video/h264',
        'video/av1',
    ];

    protected array $textTypesByExtension = [
        'css' => 'text/css',
        'js' => 'text/javascript',
        'json' => 'application/json',
        'csv' => 'text/csv',
    ];

    /**
     * Sniff the mime-type from the given file content while running the result
     * through an allow-list to ensure a web-safe result.
     * Takes the content as a reference since the value may be quite large.
     * Accepts an optional $extension which can be used for further guessing.
     */
    public function sniff(string &$content, string $extension = ''): string
    {
        $fInfo = new finfo(FILEINFO_MIME_TYPE);
        $mime = $fInfo->buffer($content) ?: 'application/octet-stream';

        if ($mime === 'text/plain' && $extension) {
            $mime = $this->textTypesByExtension[$extension] ?? 'text/plain';
        }

        if (in_array($mime, $this->safeMimes)) {
            return $mime;
        }

        [$category] = explode('/', $mime, 2);
        if ($category === 'text') {
            return 'text/plain';
        }

        return 'application/octet-stream';
    }
}
Added safe mime sniffing to prevent serving HTML (Amoung other content types) For #3027 2021-11-01 01:58:56 +08:00			`<?php`

			`namespace BookStack\Util;`

			`use finfo;`

			`/**`
			`* Helper class to sniff out the mime-type of content resulting in`
			`* a mime-type that's relatively safe to serve to a browser.`
			`*/`
			`class WebSafeMimeSniffer`
			`{`
			`/**`
			`* @var string[]`
			`*/`
Themes: Added testing and better mime sniffing for public serving Existing mime sniffer wasn't great at distinguishing between plaintext file types, so added a custom extension based mapping for common web formats that may be expected to be used with this. 2025-01-14 00:51:07 +08:00			`protected array $safeMimes = [`
Added safe mime sniffing to prevent serving HTML (Amoung other content types) For #3027 2021-11-01 01:58:56 +08:00			`'application/json',`
			`'application/octet-stream',`
			`'application/pdf',`
Added audio mimes to our safe list for inline serving Closes #3485 2022-06-09 05:30:23 +08:00			`'audio/aac',`
			`'audio/midi',`
			`'audio/mpeg',`
			`'audio/ogg',`
			`'audio/opus',`
			`'audio/wav',`
			`'audio/webm',`
Extracted download response logic to its own class Cleans up base controller and groups up download & streaming logic for potential future easier addition of range request support. 2022-06-09 06:50:42 +08:00			`'audio/x-m4a',`
Added detection and thumbnail bypass for apng images Adds apng sniffing when generating thumbnails with retained ratios to serve the original image files, as we do for GIF images, to prevent the image being resized to a static version. Is more tricky than GIF since apng file mimes and extensions are the same as png, we have to detect part of the file header to sniff the type. Means we have to sniff at a later stage than GIF since we have to load the image file data. Made some changes to the image thubmnail caching while doing this work to fit in with this handling. Added test to cover. For #3136. 2022-01-04 21:10:35 +08:00			`'image/apng',`
Added safe mime sniffing to prevent serving HTML (Amoung other content types) For #3027 2021-11-01 01:58:56 +08:00			`'image/bmp',`
			`'image/jpeg',`
			`'image/png',`
			`'image/gif',`
			`'image/webp',`
			`'image/avif',`
			`'image/heic',`
			`'text/css',`
			`'text/csv',`
			`'text/javascript',`
			`'text/json',`
			`'text/plain',`
			`'video/x-msvideo',`
			`'video/mp4',`
			`'video/mpeg',`
			`'video/ogg',`
			`'video/webm',`
			`'video/vp9',`
			`'video/h264',`
			`'video/av1',`
			`];`

Themes: Added testing and better mime sniffing for public serving Existing mime sniffer wasn't great at distinguishing between plaintext file types, so added a custom extension based mapping for common web formats that may be expected to be used with this. 2025-01-14 00:51:07 +08:00			`protected array $textTypesByExtension = [`
			`'css' => 'text/css',`
			`'js' => 'text/javascript',`
			`'json' => 'application/json',`
			`'csv' => 'text/csv',`
			`];`

Added safe mime sniffing to prevent serving HTML (Amoung other content types) For #3027 2021-11-01 01:58:56 +08:00			`/**`
			`* Sniff the mime-type from the given file content while running the result`
			`* through an allow-list to ensure a web-safe result.`
			`* Takes the content as a reference since the value may be quite large.`
Themes: Added testing and better mime sniffing for public serving Existing mime sniffer wasn't great at distinguishing between plaintext file types, so added a custom extension based mapping for common web formats that may be expected to be used with this. 2025-01-14 00:51:07 +08:00			`* Accepts an optional $extension which can be used for further guessing.`
Added safe mime sniffing to prevent serving HTML (Amoung other content types) For #3027 2021-11-01 01:58:56 +08:00			`*/`
Themes: Added testing and better mime sniffing for public serving Existing mime sniffer wasn't great at distinguishing between plaintext file types, so added a custom extension based mapping for common web formats that may be expected to be used with this. 2025-01-14 00:51:07 +08:00			`public function sniff(string &$content, string $extension = ''): string`
Added safe mime sniffing to prevent serving HTML (Amoung other content types) For #3027 2021-11-01 01:58:56 +08:00			`{`
			`$fInfo = new finfo(FILEINFO_MIME_TYPE);`
			`$mime = $fInfo->buffer($content) ?: 'application/octet-stream';`

Themes: Added testing and better mime sniffing for public serving Existing mime sniffer wasn't great at distinguishing between plaintext file types, so added a custom extension based mapping for common web formats that may be expected to be used with this. 2025-01-14 00:51:07 +08:00			`if ($mime === 'text/plain' && $extension) {`
			`$mime = $this->textTypesByExtension[$extension] ?? 'text/plain';`
			`}`

Added safe mime sniffing to prevent serving HTML (Amoung other content types) For #3027 2021-11-01 01:58:56 +08:00			`if (in_array($mime, $this->safeMimes)) {`
			`return $mime;`
			`}`

			`[$category] = explode('/', $mime, 2);`
			`if ($category === 'text') {`
			`return 'text/plain';`
			`}`

			`return 'application/octet-stream';`
			`}`
Applied latest styleci changes 2021-11-01 21:26:02 +08:00			`}`