diff --git a/include/class.file.php b/include/class.file.php
index e8ea7db9a10b89cdee5f47f493009239fa3f95dd..a2a0e57cb1db28daaa2819f52c5b5de630e77b25 100644
--- a/include/class.file.php
+++ b/include/class.file.php
@@ -247,8 +247,6 @@ class AttachmentFile extends VerySimpleModel {
 $ttl = ($expires) ? $expires - Misc::gmtime() : false;
 $this->makeCacheable($ttl);
 $type = $this->getType() ?: 'application/octet-stream';
- if (isset($_REQUEST['overridetype']))
- $type = $_REQUEST['overridetype'];
 Http::download($this->getName(), $type, null, 'inline');
 header('Content-Length: '.$this->getSize());
 $this->sendData(false);
diff --git a/include/class.forms.php b/include/class.forms.php
index 084ff7cd9c5c6e1432ece39484994f0517922885..e806d00b071d9f91a838fe2c4fa38281a47bfc00 100644
--- a/include/class.forms.php
+++ b/include/class.forms.php
@@ -2781,6 +2781,9 @@ class FileUploadField extends FormField {
 $file = array_shift($files);
 $file['name'] = urldecode($file['name']);
+ if (!$this->isValidFile($file))
+ Http::response(413, 'Invalid File');
+
 if (!$bypass && !$this->isValidFileType($file['name'], $file['type']))
 Http::response(415, 'File type is not allowed');
@@ -2807,6 +2810,9 @@ class FileUploadField extends FormField {
 if (!$this->isValidFileType($file['name'], $file['type']))
 throw new FileUploadError(__('File type is not allowed'));
+ if (!$this->isValidFile($file))
+ throw new FileUploadError(__('Invalid File'));
+
 $config = $this->getConfiguration();
 if ($file['size'] > $config['size'])
 throw new FileUploadError(__('File size is too large'));
@@ -2842,6 +2848,18 @@ class FileUploadField extends FormField {
 return $F;
 }
+ function isValidFile($file) {
+
+ // Check invalid image hacks
+ if ($file['tmp_name']
+ && stripos($file['type'], 'image/') === 0
+ && function_exists('exif_imagetype')
+ && !exif_imagetype($file['tmp_name']))
+ return false;
+
+ return true;
+ }
+
 function isValidFileType($name, $type=false) {
 $config = $this->getConfiguration();
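Review bot: The 413 returned when `isValidFile()` rejects the upload means "Payload Too Large", which says nothing about a malformed image; the check two lines below already answers a disallowed type with 415, so `Http::response(415, 'Invalid File');` (or a plain 400) would describe the rejection honestly and keep the two branches consistent. This guard is also only as strong as `$file['type']`, which on this path appears to come straight from the upload request: judging by the `isValidFile()` body in the last hunk, the `exif_imagetype()` probe runs only when the client-declared type starts with `image/`, so a client that labels a crafted file `application/octet-stream` skips it and is left to the extension/type allow-list alone. Consider keying the image probe on the extension of `$file['name']` (or on the type that `isValidFileType()` resolves) rather than on the client-supplied MIME string. The enclosing method starts and ends outside this hunk.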
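Review bot: The new `throw new FileUploadError(__('Invalid File'))` treats `isValidFile()` as a fail-closed check, but its body in the last hunk returns true whenever `function_exists('exif_imagetype')` is false, so on a PHP build without ext/exif every image upload passes this point unverified and the error is never raised. Inside `isValidFile()` a core-PHP fallback such as `getimagesize($file['tmp_name']) !== false` when `exif_imagetype` is unavailable would keep the check meaningful, and until that lands a one-line comment above this call, `// isValidFile() is a no-op when ext/exif is not loaded`, would stop readers from assuming more than it provides. This path also runs the type allow-list before `isValidFile()` while the handler in the previous hunk does the reverse; picking one order makes the error a client sees the same from both entry points. The enclosing method starts and ends outside this hunk.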