ba558c0c24
Else malicious emoji packs or our EmojiStealer MRF can put payloads into the same domain as the instance itself. Sanitising the content type should prevent proper clients from acting on any potential payload. Note, this does not affect the default emoji shipped with Akkoma as they are handled by another plug. However, those are fully trusted and thus not in needed of sanitisation.
14 lines
487 B
Elixir
14 lines
487 B
Elixir
# Akkoma: Magically expressive social media
|
|
# Copyright © 2024 Akkoma Authors <https://akkoma.dev>
|
|
# SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
defmodule Pleroma.Web.Plugs.Utils do
|
|
@moduledoc """
|
|
Some helper functions shared across several plugs
|
|
"""
|
|
|
|
def get_safe_mime_type(%{allowed_mime_types: allowed_mime_types} = _opts, mime) do
|
|
[maintype | _] = String.split(mime, "/", parts: 2)
|
|
if maintype in allowed_mime_types, do: mime, else: "application/octet-stream"
|
|
end
|
|
end
|