fix(media): use csp instead of modifying content-type

2024-06-03 21:35:20 +01:00 · 2024-06-03 21:35:20 +01:00 · 1dbb3433e0
commit 1dbb3433e0
parent 7b19618136
2 changed files with 24 additions and 24 deletions
--- a/src/api/client_server/media.rs
+++ b/src/api/client_server/media.rs
@ -22,14 +22,6 @@ pub async fn get_media_config_route(
    })
 }

-fn sanitize_content_type(content_type: String) -> String {
-    if content_type == "image/jpeg" || content_type == "image/png" {
-        content_type
-    } else {
-        "application/octet-stream".to_owned()
-    }
-}
-
 /// # `POST /_matrix/media/r0/upload`
 ///
 /// Permanently save media in the server.
@ -108,13 +100,13 @@ pub async fn get_content_route(

    if let Some(FileMeta {
        content_disposition,
+        content_type,
        file,
-        ..
    }) = services().media.get(mxc.clone()).await?
    {
        Ok(get_content::v3::Response {
            file,
-            content_type: Some("application/octet-stream".to_owned()),
+            content_type,
            content_disposition,
            cross_origin_resource_policy: Some("cross-origin".to_owned()),
        })
@ -124,7 +116,7 @@ pub async fn get_content_route(

        Ok(get_content::v3::Response {
            content_disposition: remote_content_response.content_disposition,
-            content_type: Some("application/octet-stream".to_owned()),
+            content_type: remote_content_response.content_type,
            file: remote_content_response.file,
            cross_origin_resource_policy: Some("cross-origin".to_owned()),
        })
@ -143,10 +135,13 @@ pub async fn get_content_as_filename_route(
 ) -> Result<get_content_as_filename::v3::Response> {
    let mxc = format!("mxc://{}/{}", body.server_name, body.media_id);

-    if let Some(FileMeta { file, .. }) = services().media.get(mxc.clone()).await? {
+    if let Some(FileMeta {
+        file, content_type, ..
+    }) = services().media.get(mxc.clone()).await?
+    {
        Ok(get_content_as_filename::v3::Response {
            file,
-            content_type: Some("application/octet-stream".to_owned()),
+            content_type,
            content_disposition: Some(format!("inline; filename={}", body.filename)),
            cross_origin_resource_policy: Some("cross-origin".to_owned()),
        })
@ -156,7 +151,7 @@ pub async fn get_content_as_filename_route(

        Ok(get_content_as_filename::v3::Response {
            content_disposition: Some(format!("inline: filename={}", body.filename)),
-            content_type: Some("application/octet-stream".to_owned()),
+            content_type: remote_content_response.content_type,
            file: remote_content_response.file,
            cross_origin_resource_policy: Some("cross-origin".to_owned()),
        })
@ -192,11 +187,11 @@ pub async fn get_content_thumbnail_route(
    {
        Ok(get_content_thumbnail::v3::Response {
            file,
-            content_type: content_type.map(sanitize_content_type),
+            content_type,
            cross_origin_resource_policy: Some("cross-origin".to_owned()),
        })
    } else if &*body.server_name != services().globals.server_name() && body.allow_remote {
-        let mut get_thumbnail_response = services()
+        let get_thumbnail_response = services()
            .sending
            .send_federation_request(
                &body.server_name,
@ -225,10 +220,6 @@ pub async fn get_content_thumbnail_route(
            )
            .await?;

-        get_thumbnail_response.content_type = get_thumbnail_response
-            .content_type
-            .map(sanitize_content_type);
-
        Ok(get_thumbnail_response)
    } else {
        Err(Error::BadRequest(ErrorKind::NotFound, "Media not found."))