Harden upload accept

ragusa87 · Dec 4, 2024 · 90aa1a4 · 90aa1a4
1 parent 52a38e2
commit 90aa1a4
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 3 deletions.
diff --git a/src/Controller/BookController.php b/src/Controller/BookController.php
@@ -257,6 +257,9 @@ public function upload(Request $request, BookFileSystemManager $fileSystemManage
                 'label' => 'Book',
                 'required' => false,
                 'multiple' => true,
+                'attr' => [
+                    'accept' => '.epub,.pdf,.mobi,.cbr,.cbz',
+                ],
             ])
             ->add('submit', SubmitType::class, [
                 'label' => 'Upload',

diff --git a/src/Service/BookFileSystemManager.php b/src/Service/BookFileSystemManager.php
@@ -27,8 +27,8 @@ public function __construct(
         private readonly string $bookFolderNamingFormat,
         private readonly string $bookFileNamingFormat,
         private readonly SluggerInterface $slugger,
-        private readonly LoggerInterface $logger)
-    {
+        private readonly LoggerInterface $logger
+    ) {
         if ($this->bookFolderNamingFormat === '') {
             throw new \RuntimeException('Could not get filename format');
         }
@@ -797,6 +797,12 @@ public function uploadFilesToConsumeDirectory(array $files): void
     {
         $destination = $this->getBooksDirectory().'/consume';
         foreach ($files as $file) {
+            $originalName = $file->getClientOriginalName();
+            $explode = explode('.', $originalName);
+            $ext = end($explode);
+            if (!in_array("*.".$ext, self::ALLOWED_FILE_EXTENSIONS, true)) {
+                throw new \InvalidArgumentException('File type not allowed');
+            }
             $file->move($destination, $file->getClientOriginalName());
         }
     }

diff --git a/templates/components/UploadBookPicture.html.twig b/templates/components/UploadBookPicture.html.twig
@@ -2,7 +2,7 @@
     {% if isEditing and is_granted('EDIT', book) %}
         <div class="btn-group mt-2">
 
-            <input type="file" name="cover" class="form-control"/>
+            <input type="file" name="cover" accept="image/png, image/jpeg, image/webp" class="form-control"/>
             <button data-action="live#action" class="btn btn-sm btn-outline-primary" data-live-action-param="files|uploadFiles">
                 {{ 'upload'|trans }}
             </button>