Merge pull request #1074 from vector-im/bwindels/expose-create-blob-method-without-filter

expose method on BlobHandle to create a handle without mimetype filtering
This commit is contained in:
Bruno Windels 2023-04-07 09:54:10 +02:00 committed by GitHub
commit a87edcf99e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 9 additions and 12 deletions

View File

@ -300,7 +300,8 @@ export class Platform {
const file = input.files[0]; const file = input.files[0];
this._container.removeChild(input); this._container.removeChild(input);
if (file) { if (file) {
resolve({name: file.name, blob: BlobHandle.fromBlob(file)}); // ok to not filter mimetypes as these are local files
resolve({name: file.name, blob: BlobHandle.fromBlobUnsafe(file)});
} else { } else {
resolve(); resolve();
} }

View File

@ -76,7 +76,7 @@ const DEFAULT_MIMETYPE = 'application/octet-stream';
export class BlobHandle { export class BlobHandle {
/** /**
* @internal * @internal
* Don't use the constructor directly, instead use fromBuffer, fromBlob or fromBufferUnsafe * Don't use the constructor directly, instead use fromBuffer or fromBlobUnsafe
* */ * */
constructor(blob, buffer = null) { constructor(blob, buffer = null) {
this._blob = blob; this._blob = blob;
@ -84,13 +84,6 @@ export class BlobHandle {
this._url = null; this._url = null;
} }
/** Does not filter out mimetypes that could execute embedded javascript.
* It's up to the callee of this method to ensure that the blob won't be
* rendered by the browser in a way that could allow cross-signing scripting. */
static fromBufferUnsafe(buffer, mimetype) {
return new BlobHandle(new Blob([buffer], {type: mimetype}), buffer);
}
static fromBuffer(buffer, mimetype) { static fromBuffer(buffer, mimetype) {
mimetype = mimetype ? mimetype.split(";")[0].trim() : ''; mimetype = mimetype ? mimetype.split(";")[0].trim() : '';
if (!ALLOWED_BLOB_MIMETYPES[mimetype]) { if (!ALLOWED_BLOB_MIMETYPES[mimetype]) {
@ -99,8 +92,10 @@ export class BlobHandle {
return new BlobHandle(new Blob([buffer], {type: mimetype}), buffer); return new BlobHandle(new Blob([buffer], {type: mimetype}), buffer);
} }
static fromBlob(blob) { /** Does not filter out mimetypes that could execute embedded javascript.
// ok to not filter mimetypes as these are local files * It's up to the callee of this method to ensure that the blob won't be
* rendered by the browser in a way that could allow cross-signing scripting. */
static fromBlobUnsafe(blob) {
return new BlobHandle(blob); return new BlobHandle(blob);
} }

View File

@ -64,7 +64,8 @@ export class ImageHandle {
} else { } else {
throw new Error("canvas can't be turned into blob"); throw new Error("canvas can't be turned into blob");
} }
const blob = BlobHandle.fromBlob(nativeBlob); // unsafe is ok because it's a jpeg or png image
const blob = BlobHandle.fromBlobUnsafe(nativeBlob);
return new ImageHandle(blob, scaledWidth, scaledHeight, null); return new ImageHandle(blob, scaledWidth, scaledHeight, null);
} }