Add FileTypeWhiteList

README.md

@@ -30,7 +30,6 @@ Parameters:
 - `inner_html` [string] (optional): Raw HTML to use as inner HTML
 - `inner_field` [string] (optional): Identifier of the field to use to generate inner HTML
 
-
 Example:
 
 ```twig
@@ -40,7 +39,7 @@ Example:
             locationId: target_location_id,
             viewType: 'link',
             params: {
-                'inner_field': 'intro',
+                'inner_field': 'short_title',
             },
         }
     )) }}
@@ -54,6 +53,15 @@ Example:
 * `web_application`: a content type to upload static HTML
   - Install: `bin/console kaliop:migration:migrate --path vendor/adriendupuis/ezplatform-standard/MigrationVersions/web_application.yaml;`
 
+### `FileTypeWhiteList` Validator
+
+For field types using files (`ezbinaryfile`, `ezimage`, `ezmedia`), the `FileTypeWhiteList` can replace the `FileExtensionBlackList`.
+
+| FileExtensionBlackList                              | FileTypeWhiteList                                             |
+| --------------------------------------------------- | ------------------------------------------------------------- |
+| Use file extension and can be fooled.               | Use real file type whatever the extension is.                 |
+| Black list must be updated if a new danger appears. | White list must be updated if a new authorized usage appears. |
+
 TODO
 ----
 
@@ -63,3 +71,8 @@ TODO
   - support at least .html, .xhtml, .tar and .tgz
   - clean-up on DeleteVersionEvent and DeleteContentEvent
   - full and embed views
+  - Use abstraction to handle DFS
+- Continue FileTypeWhiteList
+  - Handle DFS
+  - Do not activate it by default?
+  - Validate default white list

src/bundle/FieldType/Validator/FileTypeWhiteList.php

@@ -0,0 +1,95 @@
+<?php
+
+namespace AdrienDupuis\EzPlatformStandardBundle\FieldType\Validator;
+
+use eZ\Publish\Core\FieldType;
+use eZ\Publish\Core\FieldType\ValidationError;
+use eZ\Publish\Core\MVC\ConfigResolverInterface;
+use Symfony\Component\HttpFoundation\RequestStack;
+
+class FileTypeWhiteList extends FieldType\Validator
+{
+    /** @var ConfigResolverInterface */
+    private $configResolver;
+
+    /** @var RequestStack */
+    private $requestStack;
+
+    /** @var \finfo */
+    private $mimeInfo;
+
+    protected $constraints = [
+        'fileTypeWhiteList' => [],
+    ];
+
+    protected $constraintsSchema = [
+        'fileTypeWhiteList' => [
+            'type' => 'array',
+            'default' => [],
+        ],
+    ];
+
+    public function __construct(ConfigResolverInterface $configResolver, RequestStack $requestStack)
+    {
+        $this->configResolver = $configResolver;
+        $this->requestStack = $requestStack;
+        $this->mimeInfo = new \finfo(FILEINFO_MIME);
+
+        $this->constraints['fileTypeWhiteList'] = $this->configResolver->getParameter(
+            'io.file_storage.file_type_whitelist'
+        );
+    }
+
+    public function validateConstraints($constraints)
+    {
+        return [];
+    }
+
+    public function validate(FieldType\Value $value): bool
+    {
+        $path = $this->getTmpFilePath($value);
+
+        if (is_file($path) && !is_dir($path)) {
+            $fileType = $this->getFileType($path);
+
+            if (in_array($fileType, $this->constraints['fileTypeWhiteList'])) {
+                return true;
+            }
+
+            $this->errors[] = new ValidationError(
+                'A valid file is required. Following file type is not on the whitelist: %fileType%',
+                null,
+                [
+                    '%fileType%' => $fileType,
+                ],
+                'fileTypeWhiteList'
+            );
+
+            return false;
+        }
+
+        $this->errors[] = new ValidationError(
+            'A valid file is required. File has been invalidated early in the process; Its size might exceed '.ini_get('upload_max_filesize'),
+            null,
+            [],
+            'fileTypeWhiteList'
+        );
+
+        return false;
+    }
+
+    public function getTmpFilePath(FieldType\Value $value): string
+    {
+        if (isset($value->inputUri)) {
+            return $value->inputUri;
+        }
+
+        //TODO: Use abstraction; Handle DFS
+        return "{$this->configResolver->getParameter('var_dir')}/{$this->configResolver->getParameter('storage_dir')}/original/{$value->id}";
+    }
+
+    public function getFileType(string $path)
+    {
+        return explode('; ', $this->mimeInfo->file($path))[0];
+    }
+}

src/bundle/Resources/config/services.yaml

@@ -6,3 +6,30 @@ services:
         calls:
             - [setContainer, ['@service_container']]
             #- [performAccessCheck, []]
+
+    ezpublish.fieldType.validator.black_list:
+        class: AdrienDupuis\EzPlatformStandardBundle\FieldType\Validator\FileTypeWhiteList
+        autowire: true
+        arguments:
+            - '@ezpublish.config.resolver'
+
+parameters:
+    ezsettings.default.io.file_storage.file_type_whitelist:
+        # Images
+        - image/gif
+        - image/png
+        - image/jpeg
+        # Medias
+        - audio/mpeg
+        - audio/ogg
+        # Documents
+        - text/plain
+        - application/pdf
+        - application/vnd.ms-powerpoint
+        - application/msword
+        - text/csv
+        - application/vnd.ms-excel
+        # Archives
+        - application/zip
+        - application/x-tar
+        - application/x-gzip