Fix mime type file extension checks #40

dremin · 2023-05-17T19:49:38Z

Presently, the attachment's mime-type is converted to a file extension, which is then compared to the list of allowed extensions. However, for files such as mp3 which have a mime type "audio/mpeg", there are multiple allowed file extensions for that mime type, so the mime-to-extension conversion results in an extension that is not allowed ("mpga"), preventing the file from being accessed, even though the file extension is mp3.

This fixes that problem by getting the full list of extensions for a mime type, rather than simply the default extension, and then checking if an extension from that list is in the allowed extensions.

Contributing to Twilio

All third-party contributors acknowledge that any contributions they provide will be made under the same open-source license that the open-source project is provided under.

I acknowledge that all my contributions will be made under the project's license.

aruldd-twilio · 2023-07-03T17:33:53Z

Hello, this fix also allows extensions which are not explicitly declared in the config. We would need to update the documentation surrounding this as well if we were to allow this.

dremin · 2023-07-03T18:41:06Z

Hello, this fix also allows extensions which are not explicitly declared in the config. We would need to update the documentation surrounding this as well if we were to allow this.

@aruldd-twilio I wonder if allow-listing extensions is the right approach, given that the extension and mime type intend to communicate the same information. Maybe we should switch to allow-listing mime types rather than extensions?