From eb7435f720448b288f3d50ad2f6a78da3e22e00a Mon Sep 17 00:00:00 2001
From: Craig Oates
Date: Sat, 8 Oct 2022 20:49:39 +0100
Subject: [PATCH] add checks to make sure uploaded files are images in site-setting.

The conditions are added to the 'Site Logo' and 'Favicon' sections/defroutes. The checks are to make sure a user doesn't try to set an MP4 file as the site's favicon or site's logo.
---
 src/web.lisp | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/src/web.lisp b/src/web.lisp
index 3d0b034..48afb82 100644
--- a/src/web.lisp
+++ b/src/web.lisp
@@ -335,6 +335,10 @@
 (utils:set-alert "No file provided. Favicon not uploaded." "missing-data") (redirect "/site-settings"))
+ ((not (str:contains?
+ "image" (caddr favicon-file) :ignore-case t))
+ (utils:set-alert "Uploaded file is not an image." "invalid-data")
+ (redirect "/site-settings"))
 (t (storage:store-with-raw-path "static/images/favicon.png" favicon-file) (utils:set-alert "Favicon saved." "success")
@@ -385,6 +389,10 @@
 (utils:set-alert "No file provided. Site logo not uploaded." "missing-data") (redirect "/site-settings"))
+ ((not (str:contains?
+ "image" (caddr site-logo) :ignore-case t))
+ (utils:set-alert "Uploaded file is not an image." "invalid-data")
+ (redirect "/site-settings"))
 (t (storage:store-with-raw-path "static/images/site-logo.png" site-logo) (utils:set-alert "Site logo saved." "success")
@@ -498,8 +506,9 @@
 (cond ((find t (mapcar #'utils:string-is-nil-or-empty? `(,new-password ,password-check)))
- (utils:set-alert "Missing new password data. Make sure both password boxes are filled out."
- "missing-data")
+ (utils:set-alert
+ "Missing new password data. Make sure both password boxes are filled out."
+ "missing-data")
 (redirect "/user/edit"))
 ((not (string= new-password password-check))
 (utils:set-alert "Passwords don't match." "invalid-data")
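Review bot: The new `str:contains?` clause in the favicon route only inspects `(caddr favicon-file)`, which appears to be the Content-Type string the client sent with the multipart part, so an MP4 uploaded with a forged `image/png` header still passes and its bytes are written to `static/images/favicon.png` unchanged. A substring match is also looser than the commit message intends: it accepts any type with "image" anywhere in it, including `image/svg+xml`, which would then be served from a `.png` path. At minimum anchor the check to the type prefix, `((not (str:starts-with? "image/" (caddr favicon-file) :ignore-case t))`, and since the file is always stored as `.png`, the check that actually enforces the intent is to read the first eight bytes of the uploaded stream and compare them to the PNG signature before calling `storage:store-with-raw-path`. The enclosing defroute starts before this hunk.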
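Review bot: The site-logo clause is a verbatim copy of the favicon clause with only the variable changed, and it inherits the same weakness: it trusts whatever string sits in `(caddr site-logo)` rather than looking at the file's bytes. Pulling the predicate into one helper, e.g. `(defun image-upload-p (file) (str:starts-with? "image/" (caddr file) :ignore-case t))`, called from both routes would keep the two checks from drifting apart and give a single place to add a magic-byte test later. Note also that an accepted JPEG or GIF is still saved as `static/images/site-logo.png` on the context line below the insertion, so the stored extension is not guaranteed to match the content. The enclosing defroute starts before this hunk.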
@@ -595,11 +604,11 @@
 (user::username-of (auth:get-current-user))) (hermetic:logout
 ;; Successful log-out -- after account deleted
- ;; (session data cleared).
+ ;; Session data cleared.
 (progn (auth:flash-gethash :id ningle:*session*) (redirect "/"))
 ;; Failed log-out -- after account deleted
- ;; (session data persits).
+ ;; Session data persits.
 (progn (utils:set-alert "Unable to delete session data." "error") (redirect "/"))))))
@@ -893,7 +902,7 @@
 ;; is a hard-coded utility feature of the
 ;; website. The thumbnail is created so
 ;; large-scale images are not used at the
- ;; thumbnail, increasing download sizes.
+ ;; thumbnail, decreasing download sizes.
 (when (str:contains? "image" (cadddr item) :ignore-case t) (utils:create-thumbnail "media" (utils:format-filename (caddr item)) nil)))
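Review bot: The rewritten comment on the failed-logout branch keeps the misspelling `persits`; since the line is being touched anyway, make it `;; Session data persists.`. The surrounding `hermetic:logout` form continues outside the hunk.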