

AB#1005 Improve MIME type checks
If the MIME type suggested by the browser when creating an attachment
differs from the detected MIME type based on the uploaded attachment contents,
update the MIME type if the detected MIME type is also allowed.
This helps with container formats like HEIC/HEIF, where the browser may
not be able to accurately guess the actual format based on just the
filename extension.
gjvoosten committed Dec 21, 2023
1 parent bc1c51a commit d93c386
Showing 2 changed files with 26 additions and 9 deletions.
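--- a/src/main/java/mil/dds/anet/database/AttachmentDao.java
+++ b/src/main/java/mil/dds/anet/database/AttachmentDao.java
@@ -92,8 +92,7 @@ public int updateInternal(Attachment obj) {
 + "UPDATE \"attachments\" SET \"mimeType\" = :mimeType, \"fileName\" = :fileName, "
 + "\"description\" = :description, \"classification\" = :classification, "
 + "\"caption\" = :caption, \"updatedAt\" = :updatedAt WHERE uuid = :uuid")
-.bindBean(obj).bind("updatedAt", DaoUtils.asLocalDateTime(obj.getUpdatedAt()))
-.bind("updatedAt", DaoUtils.asLocalDateTime(obj.getUpdatedAt())).execute();
+.bindBean(obj).bind("updatedAt", DaoUtils.asLocalDateTime(obj.getUpdatedAt())).execute();
 }
 
 @Override
@@ -105,6 +104,14 @@ public int deleteInternal(String uuid) {
 .bind("uuid", uuid).mapTo(Integer.class).one();
 }
 
+@InTransaction
+public int updateMimeType(Attachment obj) {
+return getDbHandle()
+.createUpdate("/* updateAttachmentMimeType */ "
++ "UPDATE \"attachments\" SET \"mimeType\" = :mimeType WHERE uuid = :uuid")
+.bindBean(obj).execute();
+}
+
 public interface AttachmentContent {
 @SqlUpdate("UPDATE attachments SET content = :content WHERE uuid = :uuid")
 void updateContent(@Bind("uuid") String uuid, @Bind("content") InputStream content);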
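Review bot: `updateMimeType` rewrites the stored MIME type without touching `updatedAt`, unlike `updateInternal` in the same file, so a server-side correction of the type leaves no trace in the row itself. If that is intended, record it in a Javadoc on the new method, for example `/** Sets only mimeType for the attachment's uuid and leaves updatedAt unchanged; returns the number of rows updated. */`. The method is public and performs no permission check of its own, so the same comment should state that callers are expected to have authorised the change before calling it.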
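--- a/src/main/java/mil/dds/anet/resources/AttachmentResource.java
+++ b/src/main/java/mil/dds/anet/resources/AttachmentResource.java
@@ -105,13 +105,23 @@ private InputStream checkMimeType(final Attachment attachment,
 return attachmentContent;
 }
 if (!detectedMimeType.equals(attachment.getMimeType())) {
-logger.error(
-"Attachment content upload rejected for attachment {} (\"{}\"): "
-+ "stated mimeType \"{}\" differs from detected mimeType \"{}\"",
-attachment.getUuid(), attachment.getFileName(), attachment.getMimeType(),
-detectedMimeType);
-throw new WebApplicationException("Attachment content does not match the MIME type",
-Status.BAD_REQUEST);
+if (getAllowedMimeTypes().contains(detectedMimeType)) {
+logger.info(
+"Attachment content upload for attachment {} (\"{}\"): "
++ "updated stated mimeType \"{}\" to detected mimeType \"{}\"",
+attachment.getUuid(), attachment.getFileName(), attachment.getMimeType(),
+detectedMimeType);
+attachment.setMimeType(detectedMimeType);
+dao.updateMimeType(attachment);
+} else {
+logger.error(
+"Attachment content upload rejected for attachment {} (\"{}\"): "
++ "stated mimeType \"{}\" differs from detected mimeType \"{}\"",
+attachment.getUuid(), attachment.getFileName(), attachment.getMimeType(),
+detectedMimeType);
+throw new WebApplicationException("Attachment content does not match the MIME type",
+Status.BAD_REQUEST);
+}
 }
 return tikaInputStream;
 }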
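Review bot: The row count returned by `dao.updateMimeType(attachment)` is discarded, so if the update matches no row the in-memory attachment carries the detected type while the database keeps the stated one, and the upload still proceeds. The stored `mimeType` is presumably what later decides how the content is served, so I would fail the upload in that case: `if (dao.updateMimeType(attachment) != 1) { throw new WebApplicationException("Attachment not found", Status.NOT_FOUND); }`. The stored `fileName` is left untouched, so its extension can now disagree with the corrected type; a short comment saying this is accepted would help the next reader. `checkMimeType` begins above the hunk, so whether the detected type is also checked against the allow-list earlier in the method is not visible here.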
