From 9a0e703964ca3aa30e0e3fb6674d13a531c88cb0 Mon Sep 17 00:00:00 2001
From: Tim Otten <totten@civicrm.org>
Date: Fri, 14 Jun 2019 16:57:55 -0400
Subject: [PATCH] (dev/core#1044) Extension/MIME matching should be case
 insensitive

Overview
--------

For CIVI-SA-2019-15, the delivery of file attachments was tightened to
ensure that the file-extension and mime-type were in agreement.  However,
the check yields a false-negative in the common case where the filename has
been capitalized.  It should treat `foo.jpg`, `foo.JPG`, and `FOO.JPG` as
equally valid.

Before
------

* When viewing a contact profile image ending with `.JPG`, there is an error
  message, `Supplied mime-type does not match file extension`.

After
-----

* When viewing a contact profile image ending with `.JPG`, the image is
  delivered.

Comments
--------

See also:

* https://civicrm.org/advisory/civi-sa-2019-15-xss-via-forged-mime-type
* https://lab.civicrm.org/dev/core/issues/1044
---
 CRM/Core/Page/File.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CRM/Core/Page/File.php b/CRM/Core/Page/File.php
index c1f6cd10bf..8c35a9fc07 100644
--- a/CRM/Core/Page/File.php
+++ b/CRM/Core/Page/File.php
@@ -80,7 +80,7 @@ class CRM_Core_Page_File extends CRM_Core_Page {
       }
       $extension = CRM_Utils_File::getExtensionFromPath($path);
       $candidateExtensions = CRM_Utils_File::getAcceptableExtensionsForMimeType($passedInMimeType);
-      if (!in_array($extension, $candidateExtensions)) {
+      if (!in_array(strtolower($extension), array_map('strtolower', $candidateExtensions))) {
         throw new CRM_Core_Exception("Supplied mime-type does not match file extension");
       }
       // Now that we have validated mime-type supplied as much as possible lets now set the MimeType variable/
-- 
2.25.1