Allow mime types to match based off of class

The old behavior prevented simple file types like `text/plain` from being uploaded since browsers upload them with the charset as well (e.g. `text/plain charset=utf-8`) without specifying all possible charsets. Additionally, this allows for blanket includes like `text/*` or `image/*` by class type.
2020-02-14 18:08:05 -06:00 · 2020-02-14 18:08:05 -06:00 · 3b9396c178
commit 3b9396c178
parent a97fe76950
1 changed files with 6 additions and 2 deletions
--- a/modules/upload/filetype.go
+++ b/modules/upload/filetype.go
@ -34,9 +34,13 @@ func VerifyAllowedContentType(buf []byte, allowedTypes []string) error {
 	for _, t := range allowedTypes {
 		t := strings.Trim(t, " ")

-		if t == "*/*" || t == fileType ||
+		if t == fileType ||
+			// Allow wildcard */* to match all mime types
+			t == "*/*" ||
 			// Allow directives after type, like 'text/plain; charset=utf-8'
-			strings.HasPrefix(fileType, t+";") {
+			strings.HasPrefix(fileType, t+";") ||
+			// Allow a class whitelist, like 'image/*'
+			(strings.HasSuffix(t, "/*") && strings.HasPrefix(fileType, strings.TrimRight(t, "*"))) {
 			return nil
 		}
 	}