src/app/Backends/Storage.php
Show First 20 Lines • Show All 120 Lines • ▼ Show 20 Lines | public static function fileInput($stream, array $params, Item $file = null): array | ||||
if ($file->type & Item::TYPE_INCOMPLETE) { | if ($file->type & Item::TYPE_INCOMPLETE) { | ||||
$file->type -= Item::TYPE_INCOMPLETE; | $file->type -= Item::TYPE_INCOMPLETE; | ||||
$file->save(); | $file->save(); | ||||
} | } | ||||
// Update the file type and size information | // Update the file type and size information | ||||
$file->setProperties([ | $file->setProperties([ | ||||
'size' => $fileSize, | 'size' => $fileSize, | ||||
'mimetype' => self::mimetype($path), | // Pick the client-supplied mimetype if available, otherwise detect. | ||||
'mimetype' => !empty($params['mimetype']) ? $params['mimetype'] : self::mimetype($path), | |||||
machniak: I'm not sure we should trust the client in this. This potentially might become a security issue.
mollekopf: There may be a security argument to be had, but the client just has better mimetype info in the case of image uploads it seems. Also, I think generally mimetype info is just file-metadata that the client should supply, because it's just not included in the actual file. Doing security checks such as "you may not supply a file that doesn't match the mime-type" might be an interesting enhancement, but I don't think the mimetype deduction logic is currently there, and I think we should do it in a separate step.
]); | ]); | ||||
// Assign the node to the file, "unlink" any old nodes of this file | // Assign the node to the file, "unlink" any old nodes of this file | ||||
$file->chunks()->delete(); | $file->chunks()->delete(); | ||||
$file->chunks()->create([ | $file->chunks()->create([ | ||||
'chunk_id' => $chunkId, | 'chunk_id' => $chunkId, | ||||
'sequence' => 0, | 'sequence' => 0, | ||||
'size' => $fileSize, | 'size' => $fileSize, | ||||
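Review bot: The new `'mimetype' => !empty($params['mimetype']) ? $params['mimetype'] : self::mimetype($path)` line stores a client-controlled string as file metadata with no validation, and server-side detection is skipped entirely whenever the client sends any non-empty value. At minimum, check that `$params['mimetype']` is a syntactically valid `type/subtype` string of bounded length before passing it to `setProperties()`, and fall back to `self::mimetype($path)` when it is not. If the stored value is ever used as the response Content-Type when the file is served, compare it against the detected type or restrict it to an allowlist, because the uploader would otherwise decide how a browser interprets the content. The added code comment should also say that the client-supplied value is untrusted.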