From 75dc346f0fbe81c843ab0aadbfc697ded33c14bd Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Sun, 27 Mar 2022 08:27:24 +0200
Subject: [PATCH] be more specific on the base type match and less specific on the subtype, in order to fail-safe (avoid being tricked into not sanitizing - the mime type is a user provided input)
---
 js/privatebin.js | 8 ++++----
 tpl/bootstrap.php | 2 +-
 tpl/page.php | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/js/privatebin.js b/js/privatebin.js
index a1308620..5f61de13 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -2843,7 +2843,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 // prevents executing embedded scripts when CSP is not set and user
 // right-clicks/long-taps and opens the SVG in a new tab - prevented
 // in the preview by use of an img tag, which disables scripts, too
- if (mimeType.match(/image\/svg/i)) {
+ if (mimeType.match(/^image\/.*svg/i)) {
 const sanitizedData = DOMPurify.sanitize(
 decodedData,
 purifySvgConfig
@@ -3072,13 +3072,13 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 me.handleBlobAttachmentPreview = function ($targetElement, blobUrl, mimeType) {
 if (blobUrl) {
 attachmentHasPreview = true;
- if (mimeType.match(/image\//i)) {
+ if (mimeType.match(/^image\//i)) {
 $targetElement.html(
 $(document.createElement('img'))
 .attr('src', blobUrl)
 .attr('class', 'img-thumbnail')
 );
- } else if (mimeType.match(/video\//i)) {
+ } else if (mimeType.match(/^video\//i)) {
 $targetElement.html(
 $(document.createElement('video'))
 .attr('controls', 'true')
@@ -3089,7 +3089,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 .attr('type', mimeType)
 .attr('src', blobUrl))
 );
- } else if (mimeType.match(/audio\//i)) {
+ } else if (mimeType.match(/^audio\//i)) {
 $targetElement.html(
 $(document.createElement('audio'))
 .attr('controls', 'true')
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index 7fe82e04..e044bbb4 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -73,7 +73,7 @@ endif; ?>
-
+
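Review bot: The reason the new regex `/^image\/.*svg/i` anchors the base type but stays loose on the subtype lives only in the commit message, so a later "tidy-up" could narrow it back to `image\/svg` and silently skip sanitizing; extend the existing comment above the `if`, e.g. `// mimeType is user-supplied: anchor the base type, match the subtype loosely, so any SVG-ish image type is sanitized rather than trusted`. Two narrower points to confirm rather than change blindly: `.*` does not cross a line break and `^` does not tolerate leading whitespace, so if `mimeType` is not normalized (e.g. trimmed and lowercased) before it reaches this check, doing so once where it is parsed would keep the anchored match fail-safe. The enclosing function starts before this hunk, so where `mimeType` is derived is not visible here.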
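Review bot: The three branches in handleBlobAttachmentPreview only need a yes/no answer, so `RegExp.prototype.test` states that more directly than `String.prototype.match`, which builds a match array that is discarded: `if (/^image\//i.test(mimeType)) {`, `} else if (/^video\//i.test(mimeType)) {`, and the same for `/^audio\//i` in the following hunk. As a side effect `.match` throws a TypeError when `mimeType` is `undefined`, whereas `.test` coerces it to the string "undefined" and falls through to the no-preview path; whether callers can omit `mimeType` is not visible in this diff, so treat that as something to verify rather than a reason by itself. The function body continues past the end of the hunk.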
diff --git a/tpl/page.php b/tpl/page.php
index 5823f71b..20792551 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -51,7 +51,7 @@ endif; ?>
-
+