Merge branch 'develop' into pizzax-indexeddb

author: tamaina <tamaina@hotmail.co.jp> 2022-01-02 21:56:34 +0900
committer: tamaina <tamaina@hotmail.co.jp> 2022-01-02 21:56:34 +0900
commit: 8804f896b06a1ab3c2bfbb79d0e286b59d72aea2 (patch)
tree: e08521bf8f4e40745d84e7e4955cb6e58c373556 /packages/backend/src/server/proxy
parent: modify comment (diff)
parent: update deps (diff)
download: misskey-8804f896b06a1ab3c2bfbb79d0e286b59d72aea2.tar.gz
misskey-8804f896b06a1ab3c2bfbb79d0e286b59d72aea2.tar.bz2
misskey-8804f896b06a1ab3c2bfbb79d0e286b59d72aea2.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/packages/backend/src/server/proxy/proxy-media.ts b/packages/backend/src/server/proxy/proxy-media.ts
index 9e13c0877f..aba08bb805 100644
--- a/packages/backend/src/server/proxy/proxy-media.ts
+++ b/packages/backend/src/server/proxy/proxy-media.ts
@@ -6,6 +6,7 @@ import { createTemp } from '@/misc/create-temp';
 import { downloadUrl } from '@/misc/download-url';
 import { detectType } from '@/misc/get-file-info';
 import { StatusError } from '@/misc/fetch';
+import { FILE_TYPE_BROWSERSAFE } from '@/const';
 
 export async function proxyMedia(ctx: Koa.Context) {
 	const url = 'url' in ctx.query ? ctx.query.url : 'https://' + ctx.params.url;
@@ -19,6 +20,7 @@ export async function proxyMedia(ctx: Koa.Context) {
 		const { mime, ext } = await detectType(path);
 
 		if (!mime.startsWith('image/')) throw 403;
+		if (!FILE_TYPE_BROWSERSAFE.includes(mime)) throw 403;
 
 		let image: IImage;
author	tamaina <tamaina@hotmail.co.jp>	2022-01-02 21:56:34 +0900
committer	tamaina <tamaina@hotmail.co.jp>	2022-01-02 21:56:34 +0900
commit	8804f896b06a1ab3c2bfbb79d0e286b59d72aea2 (patch)
tree	e08521bf8f4e40745d84e7e4955cb6e58c373556 /packages/backend/src/server/proxy
parent	modify comment (diff)
parent	update deps (diff)
download	misskey-8804f896b06a1ab3c2bfbb79d0e286b59d72aea2.tar.gz misskey-8804f896b06a1ab3c2bfbb79d0e286b59d72aea2.tar.bz2 misskey-8804f896b06a1ab3c2bfbb79d0e286b59d72aea2.zip