From 2441d5f55674fa5e651059c64b9567fe5d0dbaec Mon Sep 17 00:00:00 2001
From: Varun Patil
Date: Fri, 17 Mar 2023 00:12:06 -0700
Subject: [PATCH] edit-meta: forbid some types e.g. mts
Signed-off-by: Varun Patil
---
 lib/Command/MigrateGoogleTakeout.php | 3 +--
 lib/Controller/ImageController.php | 8 ++++++++
 lib/Exif.php | 9 +++++++++
 3 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/lib/Command/MigrateGoogleTakeout.php b/lib/Command/MigrateGoogleTakeout.php
index 81de970c..500c26b7 100644
--- a/lib/Command/MigrateGoogleTakeout.php
+++ b/lib/Command/MigrateGoogleTakeout.php
@@ -23,7 +23,6 @@ declare(strict_types=1);
 namespace OCA\Memories\Command;
-use OCA\Memories\AppInfo\Application;
 use OCA\Memories\Db\TimelineWrite;
 use OCA\Memories\Exif;
 use OCP\Files\File;
@@ -88,7 +87,7 @@ class MigrateGoogleTakeout extends Command
 {
 $this->output = $output;
 $this->input = $input;
- $this->mimeTypes = array_merge(Application::IMAGE_MIMES, Application::VIDEO_MIMES);
+ $this->mimeTypes = Exif::allowedEditMimetypes();
 // Provide ample warnings
 if ($input->isInteractive()) {
diff --git a/lib/Controller/ImageController.php b/lib/Controller/ImageController.php
index ea39e8ae..ea34b616 100644
--- a/lib/Controller/ImageController.php
+++ b/lib/Controller/ImageController.php
@@ -242,6 +242,14 @@ class ImageController extends ApiBase
 return new JSONResponse(['message' => 'Cannot change encrypted file'], Http::STATUS_PRECONDITION_FAILED);
 }
+ // Check if allowed to edit file
+ $mime = $file->getMimeType();
+ if (!\in_array($mime, Exif::allowedEditMimetypes(), true)) {
+ $name = $file->getName();
+
+ return new JSONResponse(['message' => "Cannot edit file {$name} (blacklisted type {$mime})"], Http::STATUS_PRECONDITION_FAILED);
+ }
+
 // Get original file from body
 $path = $file->getStorage()->getLocalFile($file->getInternalPath());
diff --git a/lib/Exif.php b/lib/Exif.php
index cff0533d..d1581450 100644
--- a/lib/Exif.php
+++ b/lib/Exif.php
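Review bot: In lib/Controller/ImageController.php the new guard is an allowlist test (`in_array($mime, Exif::allowedEditMimetypes(), true)`), but the response calls every rejected type "blacklisted", which is wrong for a MIME type that is simply absent from the image/video lists; `"Cannot edit file {$name} (unsupported type {$mime})"` covers both cases. The decision rests entirely on `$file->getMimeType()`, which as far as I know Nextcloud derives from the file name rather than the content, so the guard prevents accidental edits but does not recognise a forbidden format stored under a different extension. It is also enforced only in this controller; if other callers reach the Exif write routines (not visible here), repeating the test there would keep the rule in one place. The enclosing method starts and ends outside the hunk.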
@@ -10,6 +10,7 @@ use OCP\IConfig;
 class Exif
 {
+ private const FORBIDDEN_EDIT_MIMES = ['image/bmp', 'image/x-dcraw', 'video/MP2T'];
 private const EXIFTOOL_VER = '12.50';
 private const EXIFTOOL_TIMEOUT = 30000;
 private const EXIFTOOL_ARGS = ['-api', 'QuickTimeUTC=1', '-n', '-U', '-json', '--b'];
@@ -244,6 +245,14 @@ class Exif
 return [$width, $height];
 }
+ /**
+ * Get the list of MIME Types that are allowed to be edited.
+ */
+ public static function allowedEditMimetypes(): array
+ {
+ return array_diff(array_merge(Application::IMAGE_MIMES, Application::VIDEO_MIMES), self::FORBIDDEN_EDIT_MIMES);
+ }
+
 /**
  * Set exif data using raw json.
  *
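Review bot: `FORBIDDEN_EDIT_MIMES` in lib/Exif.php carries no comment saying why these three types must never be edited, and the commit subject gives no reason either. A one-line comment above the constant, for example `// MIME types whose metadata must not be written back: <reason from author>`, would stop a later cleanup from dropping an entry. The entries are matched by exact string comparison in `array_diff`, so `'video/MP2T'` only has an effect if `Application::VIDEO_MIMES` uses the same capitalisation; those constants are not visible in this patch, so this is worth confirming.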
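Review bot: `allowedEditMimetypes()` references `Application::IMAGE_MIMES` and `Application::VIDEO_MIMES`, but the only import visible in the Exif.php hunks is `use OCP\IConfig;`. If `use OCA\Memories\AppInfo\Application;` is not already in the file, the name would resolve relative to the file's own namespace and the first call would fail with a class-not-found error, which would also break the new check in ImageController; please confirm the import is present. `array_diff` keeps the original keys, so the returned array can have gaps. Wrapping the expression in `array_values(...)` and adding `@return string[]` to the docblock would keep it a plain list for callers such as MigrateGoogleTakeout, which now assigns it to `$this->mimeTypes`.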