From 76e4f83693a7055ef843f4674d2c10f5e45f105e Mon Sep 17 00:00:00 2001
From: vnugent
Date: Sat, 14 Oct 2023 12:57:11 -0400
Subject: passthrough file extensions & package updates
---
 back-end/src/Endpoints/ContentEndpoint.cs | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
(limited to 'back-end/src/Endpoints')
diff --git a/back-end/src/Endpoints/ContentEndpoint.cs b/back-end/src/Endpoints/ContentEndpoint.cs
index e1e1344..d362eed 100644
--- a/back-end/src/Endpoints/ContentEndpoint.cs
+++ b/back-end/src/Endpoints/ContentEndpoint.cs
@@ -251,15 +251,22 @@ namespace Content.Publishing.Blog.Admin.Endpoints
 return VfReturnType.VirtualSkip;
 }
+ //Get the first file
+ FileUpload file = entity.Files[0];
+ //Check content length
- if (webm.Assert(entity.Files[0].FileData.Length <= MaxContentLength, $"The content length is too long, max length is {MaxContentLength} bytes"))
+ if (webm.Assert(file.FileData.Length <= MaxContentLength, $"The content length is too long, max length is {MaxContentLength} bytes"))
 {
 entity.CloseResponseJson(HttpStatusCode.BadRequest, webm);
 return VfReturnType.VirtualSkip;
 }
- //Get the first file
- FileUpload file = entity.Files[0];
+ //the http layer should protect from this but just in case
+ if(webm.Assert(file.ContentType != ContentType.NonSupported, "The uploaded file is not a supported system content type"))
+ {
+ entity.CloseResponseJson(HttpStatusCode.BadRequest, webm);
+ return VfReturnType.VirtualSkip;
+ }
 //Get the channel
 IChannelContext? channel = await _blogContextManager.GetChannelAsync(channelId, entity.EventCancellation);
-- cgit
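Review bot: The added guard `file.ContentType != ContentType.NonSupported` rejects only the single sentinel value, so every content type the HTTP layer can classify is accepted by this upload path. How `ContentType` is derived is not visible in the hunk; if it comes from the client-declared header or the file extension, it says nothing about the uploaded bytes, and active types such as HTML or SVG would be stored and possibly served from the site's origin. An explicit allowlist owned by this endpoint would be safer than a one-value deny check, for example `if (webm.Assert(AllowedContentTypes.Contains(file.ContentType), "The uploaded file is not a supported system content type"))`, where `AllowedContentTypes` is a new set this endpoint would have to define. The enclosing method starts and ends outside the hunk, so it cannot be confirmed here that the guard closing at the top of the hunk covers an empty `entity.Files` before the relocated `entity.Files[0]` read.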