From fdb04a36554a4df05ab66f0ef7ca9ef9fa095b9a Mon Sep 17 00:00:00 2001
From: Philip Molares
Date: Sun, 28 Mar 2021 22:26:36 +0200
Subject: Dependency: Add is-svg

This is used to check if .svg files really are svg.

Signed-off-by: Philip Molares
---
 package.json | 1 +
 yarn.lock | 16 ++++++++--------
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/package.json b/package.json
index 9a138cf8..b93d76cf 100644
--- a/package.json
+++ b/package.json
@@ -55,6 +55,7 @@
     "i18n": "^0.13.0",
     "imgur": "git+https://github.com/hackmdio/node-imgur.git",
     "ionicons": "^2.0.1",
+    "is-svg": "^4.3.1",
     "jquery": "^3.5.1",
     "jquery-mousewheel": "^3.1.13",
     "jquery-ui": "^1.12.1",
diff --git a/yarn.lock b/yarn.lock
index 31228551..b9921d03 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -448,7 +448,6 @@
 
 "Idle.Js@git+https://github.com/shawnmclean/Idle.js":
   version "0.0.1"
-  uid db9beb3483a460ad638ec947867720f0ed066a62
   resolved "git+https://github.com/shawnmclean/Idle.js#db9beb3483a460ad638ec947867720f0ed066a62"
 
 JSV@^4.0.x:
@@ -2193,7 +2192,6 @@ code-point-at@^1.0.0:
 
 "codemirror@git+https://github.com/hedgedoc/CodeMirror.git":
   version "5.58.2"
-  uid f780b569b3717cdff4c8507538cc63101bfa02e1
   resolved "git+https://github.com/hedgedoc/CodeMirror.git#f780b569b3717cdff4c8507538cc63101bfa02e1"
 
 collection-visit@^1.0.0:
@@ -3225,7 +3223,6 @@ detect-libc@^1.0.2:
 
 "diff-match-patch@git+https://github.com/hackmdio/diff-match-patch.git":
   version "1.1.1"
-  uid c2f8fb9d69aa9490b764850aa86ba442c93ccf78
   resolved "git+https://github.com/hackmdio/diff-match-patch.git#c2f8fb9d69aa9490b764850aa86ba442c93ccf78"
 
 diff@5.0.0:
@@ -4019,7 +4016,7 @@ fast-safe-stringify@^2.0.4:
   resolved "https://registry.yarnpkg.com/fast-safe-stringify/-/fast-safe-stringify-2.0.7.tgz#124aa885899261f68aedb42a7c080de9da608743"
   integrity sha512-Utm6CdzT+6xsDk2m8S6uL8VHxNwI6Jub+e9NYTcAms28T84pTa25GJQV9j0CY0N1rM8hK4x6grpF2BQf+2qwVA==
 
-fast-xml-parser@^3.17.5:
+fast-xml-parser@^3.17.5, fast-xml-parser@^3.19.0:
   version "3.19.0"
   resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-3.19.0.tgz#cb637ec3f3999f51406dd8ff0e6fc4d83e520d01"
   integrity sha512-4pXwmBplsCPv8FOY1WRakF970TjNGnGnfbOnLqjlYvMiF1SR3yOHyxMR/YCXpPTOspNF5gwudqktIP4VsWkvBg==
@@ -4930,7 +4927,6 @@ image-size@~0.5.0:
 
 "imgur@git+https://github.com/hackmdio/node-imgur.git":
   version "0.5.0"
-  uid de0a7a1f1eb2cb6628385fedb990ad396a190573
   resolved "git+https://github.com/hackmdio/node-imgur.git#de0a7a1f1eb2cb6628385fedb990ad396a190573"
   dependencies:
     commander "^2.13.0"
@@ -5406,6 +5402,13 @@ is-svg@^3.0.0:
   dependencies:
     html-comment-regex "^1.1.0"
 
+is-svg@^4.3.1:
+  version "4.3.1"
+  resolved "https://registry.yarnpkg.com/is-svg/-/is-svg-4.3.1.tgz#8c63ec8c67c8c7f0a8de0a71c8c7d58eccf4406b"
+  integrity sha512-h2CGs+yPUyvkgTJQS9cJzo9lYK06WgRiXUqBBHtglSzVKAuH4/oWsqk7LGfbSa1hGk9QcZ0SyQtVggvBA8LZXA==
+  dependencies:
+    fast-xml-parser "^3.19.0"
+
 is-symbol@^1.0.2, is-symbol@^1.0.3:
   version "1.0.3"
   resolved "https://registry.yarnpkg.com/is-symbol/-/is-symbol-1.0.3.tgz#38e1014b9e6329be0de9d24a414fd7441ec61937"
@@ -5533,7 +5536,6 @@ js-cookie@^2.1.3:
 
 "js-sequence-diagrams@git+https://github.com/hedgedoc/js-sequence-diagrams.git":
   version "2.0.1"
-  uid bda0e49b6c2754f3c7158b1dfb9ccf26efc24b39
   resolved "git+https://github.com/hedgedoc/js-sequence-diagrams.git#bda0e49b6c2754f3c7158b1dfb9ccf26efc24b39"
   dependencies:
     lodash "4.17.x"
@@ -6097,7 +6099,6 @@ lutim@^1.0.2:
 
 "lz-string@git+https://github.com/hackmdio/lz-string.git":
   version "1.4.4"
-  uid efd1f64676264d6d8871b01f4f375fc6ef4f9022
   resolved "git+https://github.com/hackmdio/lz-string.git#efd1f64676264d6d8871b01f4f375fc6ef4f9022"
 
 make-dir@^1.0.0:
@@ -6411,7 +6412,6 @@ messageformat@^2.3.0:
 
 "meta-marked@git+https://github.com/hedgedoc/meta-marked":
   version "0.4.5"
-  uid "4fb5cb5a204969cc91e66eee92c0211188e69a2b"
   resolved "git+https://github.com/hedgedoc/meta-marked#4fb5cb5a204969cc91e66eee92c0211188e69a2b"
   dependencies:
     js-yaml "~3.14.0"
--
cgit v1.2.3

From be3eee16034299150a897c30ae23df4af4e9d624 Mon Sep 17 00:00:00 2001
From: Philip Molares
Date: Sun, 28 Mar 2021 22:28:35 +0200
Subject: Config: Remove image/jpg

This was done because both .jpg and .jpeg get the mime type 'image/jpeg' by FileType

Signed-off-by: Philip Molares
---
 lib/config/index.js | 2 --
 1 file changed, 2 deletions(-)

diff --git a/lib/config/index.js b/lib/config/index.js
index 17c13f5f..48e61b6c 100644
--- a/lib/config/index.js
+++ b/lib/config/index.js
@@ -179,7 +179,6 @@ switch (config.imageUploadType) {
     config.allowedUploadMimeTypes = [
       'image/jpeg',
       'image/png',
-      'image/jpg',
       'image/gif'
     ]
     break
@@ -187,7 +186,6 @@ switch (config.imageUploadType) {
     config.allowedUploadMimeTypes = [
       'image/jpeg',
       'image/png',
-      'image/jpg',
       'image/gif',
       'image/svg+xml'
     ]
--
cgit v1.2.3

From 5dbe99b4c7b8e136ebc6f05b6b618f044bfd4358 Mon Sep 17 00:00:00 2001
From: Philip Molares
Date: Sun, 28 Mar 2021 22:37:01 +0200
Subject: ImageUpload: Fix errors with .jpeg and .svg

This checks all files that claim to be an svg (by their extension) that they really are and defines the typeFromMagic accordingly
Files that got identified as jpg, but have the extension .jpeg get their extension fixed. The files extensions will work in all cases now.

Signed-off-by: Philip Molares
---
 lib/web/imageRouter/index.js | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/lib/web/imageRouter/index.js b/lib/web/imageRouter/index.js
index 0a72c65c..ee123867 100644
--- a/lib/web/imageRouter/index.js
+++ b/lib/web/imageRouter/index.js
@@ -7,6 +7,7 @@ const FileType = require('file-type')
 const fs = require('fs')
 const os = require('os')
 const rimraf = require('rimraf')
+const isSvg = require('is-svg')
 
 const config = require('../../config')
 const logger = require('../../logger')
@@ -15,12 +16,26 @@ const errors = require('../../errors')
 const imageRouter = (module.exports = Router())
 
 async function checkUploadType (filePath) {
-  const typeFromMagic = await FileType.fromFile(filePath)
+  const extension = path.extname(filePath).toLowerCase()
+  let typeFromMagic = await FileType.fromFile(filePath)
+  if (extension === '.svg' && (typeFromMagic === undefined || typeFromMagic.mime === 'application/xml')) {
+    const fileContent = fs.readFileSync(filePath)
+    if (isSvg(fileContent)) {
+      typeFromMagic = {
+        ext: 'svg',
+        mime: 'image/svg+xml'
+      }
+    }
+  }
   if (typeFromMagic === undefined) {
     logger.error('Image upload error: Could not determine MIME-type')
     return false
   }
-  if (path.extname(filePath) !== '.' + typeFromMagic.ext) {
+  // .jpeg, .jfif, .jpe files are identified by FileType to have the extension jpg
+  if (['.jpeg', '.jfif', '.jpe'].includes(extension) && typeFromMagic.ext === 'jpg') {
+    typeFromMagic.ext = extension.substr(1)
+  }
+  if (extension !== '.' + typeFromMagic.ext) {
     logger.error(
       'Image upload error: Provided file extension does not match MIME-type'
     )
--
cgit v1.2.3
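Review bot: The new `.svg` branch reads the whole upload with `fs.readFileSync(filePath)` inside an `async` function, which blocks the event loop for every SVG upload even though `FileType.fromFile` on the line above already does its sniffing asynchronously; `const fileContent = await fs.promises.readFile(filePath)` keeps the behaviour without the stall. A truthy `isSvg` result at most means the bytes parse as an XML document rooted at `<svg>` — it is not sanitization, so an SVG carrying `<script>`, `on*` handlers or `<foreignObject>` is still accepted as `image/svg+xml`, and whatever serves these uploads needs to deliver them with `Content-Disposition: attachment` or a strict CSP (or run them through a sanitizer); that serving path is outside this hunk, so it is worth confirming rather than assuming. The `application/xml` alternative in the `if` condition deserves a why-comment, e.g. `// presumably file-type reports an SVG with an XML prolog as application/xml and one without as undefined — verify`. `checkUploadType` continues past the end of the hunk, so the allow-list comparison against `config.allowedUploadMimeTypes`, if that is where it happens, is not visible here.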