RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

MIME type set by client ignored #32754

Open paulchen opened 1 month ago

paulchen commented 1 month ago

Description:

When using the rooms.upload endpoint, the MIME type sent along is ignored. Instead, the server will guess the MIME type based on the filename.

Steps to reproduce:

  1. Obtain the rid for a channel and the authToken and the userId for a logged-in user.
  2. Download this file and rename it to pinksquare (without the .png extension): https://github.com/RocketChat/Rocket.Chat/assets/404840/08a10e00-a0ff-4204-a8e2-9b8c75ae615d
  3. Run this cURL snippet (with <host>, <rid>, <userId>, <authToken> replaced by the actual values):
curl --request POST \
  --url https://<host>/api/v1/rooms.upload/<rid> \
  --header 'accept: application/json' \
  --header 'content-type: multipart/form-data' \
  --header 'x-user-id: <userId>' \
  --header 'x-auth-token: <authToken>' \
  -F "file=@pinksquare;type=image/png"

Expected behavior:

The file is stored with the MIME type image/png.

Actual behavior:

The file is stored with the MIME type application/octet-stream and therefore not treated as an image.

JSON response by the endpoint:

{
    "message": {
        "_id": "<id>",
        "rid": "<rid>",
        "ts": "2024-07-10T15:39:40.394Z",
        "msg": "",
        "file": {
            "_id": "668eab3cc93d62f6f83b7662",
            "name": "pinksquare",
            "type": "application/octet-stream",
            "size": 519,
            "format": ""
        },
        "files": [
            {
                "_id": "668eab3cc93d62f6f83b7662",
                "name": "pinksquare",
                "type": "application/octet-stream",
                "size": 519,
                "format": ""
            }
        ],
        "attachments": [
            {
                "ts": "1970-01-01T00:00:00.000Z",
                "title": "pinksquare",
                "title_link": "/file-upload/668eab3cc93d62f6f83b7662/pinksquare",
                "title_link_download": true,
                "type": "file",
                "format": "file",
                "size": 519
            }
        ],
        "u": {
            "_id": "<id>",
            "username": "<username>",
            "name": "<name>"
        },
        "_updatedAt": "2024-07-10T15:39:40.450Z",
        "urls": []
    },
    "success": true
}

Server Setup Information:

Client Setup Information

Any client that wants the MIME type to be stored on the server.

Additional context

This problem was introduced by #32471. At apps/meteor/app/api/server/lib/getUploadFormData.ts:86, the MIME sent by the client is discarded.

When using the filename pinksquare.png, the MIME type is determined correctly based on the extension .png:

curl --request POST \
  --url https://<host>/api/v1/rooms.upload/<rid> \
  --header 'accept: application/json' \
  --header 'content-type: multipart/form-data' \
  --header 'x-user-id: <userId>' \
  --header 'x-auth-token: <authToken>' \
  -F "file=@pinksquare.png;type=image/png"

{
    "message": {
        "_id": "<id>",
        "rid": "<rid>",
        "ts": "2024-07-10T15:40:34.266Z",
        "msg": "",
        "file": {
            "_id": "668eab71c93d62f6f83b7663",
            "name": "pinksquare.png",
            "type": "image/png",
            "size": 519,
            "format": "png"
        },
        "files": [
            {
                "_id": "668eab71c93d62f6f83b7663",
                "name": "pinksquare.png",
                "type": "image/png",
                "size": 519,
                "format": "png"
            }
        ],
        "attachments": [
            {
                "ts": "1970-01-01T00:00:00.000Z",
                "title": "pinksquare.png",
                "title_link": "/file-upload/668eab71c93d62f6f83b7663/pinksquare.png",
                "title_link_download": true,
                "image_dimensions": {
                    "width": 1,
                    "height": 1
                },
                "image_preview": "/9j/2wBDAAYEBQYFBAYGBQYHBwYIChAKCgkJChQODwwQFxQYGBcUFhYaHSUfGhsjHBYWICwgIyYnKSopGR8tMC0oMCUoKSj/2wBDAQcHBwoIChMKChMoGhYaKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCj/wAARCAAgACADASIAAhEBAxEB/8QAFQABAQAAAAAAAAAAAAAAAAAAAAX/xAAUEAEAAAAAAAAAAAAAAAAAAAAA/8QAFQEBAQAAAAAAAAAAAAAAAAAAAAf/xAAUEQEAAAAAAAAAAAAAAAAAAAAA/9oADAMBAAIRAxEAPwCAAsC9AAAAAAP/2Q==",
                "image_url": "/file-upload/668eab71c93d62f6f83b7663/pinksquare.png",
                "image_type": "image/png",
                "image_size": 519,
                "type": "file"
            }
        ],
        "u": {
            "_id": "<id>",
            "username": "<username>",
            "name": "<name>"
        },
        "_updatedAt": "2024-07-10T15:40:34.661Z",
        "urls": []
    },
    "success": true
}
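
Added example, not part of the issue report and not Rocket.Chat code: one defensive way to reconcile the three signals the report contrasts (the client-declared type, the filename extension and the file's own bytes) is to honour the declared type only when a magic-byte signature confirms it. The names `resolveUploadType`, `sniff`, `guessFromName` and `hasSignature`, the signature allowlist and the extension table are assumptions made for this example.

```typescript
// Added example: hypothetical helper, not code from Rocket.Chat.
type Resolved = { type: string; source: 'content' | 'extension' | 'fallback' };

// Leading byte signatures for a small allowlist of image types.
const SIGNATURES: Array<{ type: string; magic: number[] }> = [
  { type: 'image/png', magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', magic: [0xff, 0xd8, 0xff] },
  { type: 'image/gif', magic: [0x47, 0x49, 0x46, 0x38] },
];

// Minimal extension table standing in for a full MIME database (assumption).
const EXTENSIONS = new Map<string, string>([
  ['png', 'image/png'], ['jpg', 'image/jpeg'], ['jpeg', 'image/jpeg'],
  ['gif', 'image/gif'], ['txt', 'text/plain'],
]);

function sniff(bytes: Uint8Array): string | undefined {
  return SIGNATURES.find(({ magic }) => magic.every((b, i) => bytes[i] === b))?.type;
}

function guessFromName(fileName: string): string | undefined {
  const dot = fileName.lastIndexOf('.');
  return dot > 0 ? EXTENSIONS.get(fileName.slice(dot + 1).toLowerCase()) : undefined;
}

function hasSignature(type: string): boolean {
  return SIGNATURES.some((s) => s.type === type);
}

function resolveUploadType(fileName: string, declared: string | undefined, bytes: Uint8Array): Resolved {
  const sniffed = sniff(bytes);
  const claimed = declared?.split(';')[0]?.trim().toLowerCase();
  // Honour the client's type only when the file's own bytes confirm it.
  if (claimed && sniffed === claimed) return { type: claimed, source: 'content' };
  // A sniffable type guessed from the extension must also match the bytes.
  const guessed = guessFromName(fileName);
  if (guessed && (!hasSignature(guessed) || sniffed === guessed)) return { type: guessed, source: 'extension' };
  return { type: 'application/octet-stream', source: 'fallback' };
}

// Constructed sample inputs: the first bytes of a PNG file and of an HTML document.
const PNG_HEAD = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00]);
const HTML_HEAD = new Uint8Array([0x3c, 0x68, 0x74, 0x6d, 0x6c, 0x3e]);
```

With the report's inputs, the extensionless `pinksquare` declared as image/png resolves to image/png when its bytes are a PNG, and to application/octet-stream when they are not.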

reetp commented 1 month ago

Thanks for the report.

I'll ask someone to take a look.