From 3af2670bd5b4963eff24f053c3a4e89e3f6a021a Mon Sep 17 00:00:00 2001
From: Martin Brennan <mjrbrennan@gmail.com>
Date: Fri, 21 Feb 2020 13:08:02 +1000
Subject: [PATCH] FIX: Consider webp a supported image format for upload
 (#9015)

* Also fixes an issue where if webp was a downloaded hotlinked
  image and then secure + sent in an email, it was not being
  redacted because webp was not a supported media format in
  FileHelper
* Webp originally removed as an image format in
  https://github.com/discourse/discourse/pull/6377
  and there was a spec to make sure a .bin webp
  file did not get renamed from its type to webp.

  However we want to support webp images now to make
  sure they are properly redacted if secure media is
  on, so change the example in the spec to use tiff,
  another banned format, instead
---
 .../javascripts/discourse/lib/uploads.js.es6     |   2 +-
 lib/file_helper.rb                               |   2 +-
 spec/fixtures/images/tiff_as.bin                 | Bin 0 -> 7910 bytes
 spec/lib/upload_creator_spec.rb                  |   8 ++++----
 test/javascripts/lib/uploads-test.js.es6         |   2 +-
 5 files changed, 7 insertions(+), 7 deletions(-)
 create mode 100644 spec/fixtures/images/tiff_as.bin

diff --git a/app/assets/javascripts/discourse/lib/uploads.js.es6 b/app/assets/javascripts/discourse/lib/uploads.js.es6
index 0f12b3aa49..37ded98e4f 100644
--- a/app/assets/javascripts/discourse/lib/uploads.js.es6
+++ b/app/assets/javascripts/discourse/lib/uploads.js.es6
@@ -194,7 +194,7 @@ export function authorizesOneOrMoreImageExtensions(staff) {
 }
 
 export function isImage(path) {
-  return /\.(png|jpe?g|gif|svg|ico)$/i.test(path);
+  return /\.(png|webp|jpe?g|gif|svg|ico)$/i.test(path);
 }
 
 export function isVideo(path) {
diff --git a/lib/file_helper.rb b/lib/file_helper.rb
index c2fb8f6693..cbf11eebbe 100644
--- a/lib/file_helper.rb
+++ b/lib/file_helper.rb
@@ -133,7 +133,7 @@ class FileHelper
   end
 
   def self.supported_images
-    @@supported_images ||= Set.new %w{jpg jpeg png gif svg ico}
+    @@supported_images ||= Set.new %w{jpg jpeg png gif svg ico webp}
   end
 
   def self.supported_audio
diff --git a/spec/fixtures/images/tiff_as.bin b/spec/fixtures/images/tiff_as.bin
new file mode 100644
index 0000000000000000000000000000000000000000..dec1b3cfaa7b9f61ed9375ee6455d2346182e1c6
GIT binary patch
literal 7910
zcmeHsXH-*LxAqR969~P9Ce<S#MWpxMTSD)>cLfy?5EVgs2LVw+kpqH&)PVGkfFeae
zP!I)y(0jQXkLP{Q_l@_Q`{Vw*<0fN{J+t;&D|@fmpQ)j71)yaHfN;5ay$xJiQiA)6
zcKY>>qRj9|%Jv50Xk&i5SXBpu`o%yQ)<ktjLkZ4w9iCK8C&LEES}TFX*7+17^thK;
zj;;%`VR0{1E??gjCCPc@q=GhdLp3^y=IWK8+>IpB;|WG(#vVqEUjv(MDos5NiJRkx
zTx!g{jGLTlXRWHH*G;4f$Jc@|)}9lH4|}I!t+u|V(wtWhA9ULLnPQy9m?b(Ew#=l9
zO!zZ89RnCJOF=SEN08UdnYlA`ipSjT8)b~^tSTlw{q)KI?^XV%Qn4RII0{AhJYu_Q
zsFjR!SstTEu-{|^N~LhhmtLBiHo((1oPU*2WrCEfM*)jV@?o1bW6;^Qo^L!zCZp5-
zB?HsR9CJ#4!cJqe6OTmsq^FxXlPOfAs$>}})@-~G`X<TafJv4!4%*W_b5OT7j=Vka
z-S@zXr5FY2k>B#3_3{yc46onvIhCW!5ULs7!hB-#JD>e=V2pXnS{N`IJAE3ae|JA}
z@4WaC;eRh}`nE)Xo>CA8M~CHKikqg92tZH9?fz8U-=OzEMU~{DjZ=&5rDwyz6HWT5
zxZ;-mZla|Zin~}8VFfC#vG_;)A+D4ueo%3%%CE~!dz(n1@4UH*vGy^{HWJPa1{D|i
zIMjh4suT6{Ajes>E3_z4XiB=sn2W;}AUMR-2FcKNecLgYFv^0uW-VVg$9Owj&l&gh
z%VtiWa3~t{s<Xi0(=K4<&G&LxxS^NAzHHq#kqPt+8~AQ;E0m=$z|VMPFW6{k->3P?
z^8N`jURJB;+Yaim39eU5^?5(Uel}QdU~NAyD2zoe3VU)dT#)1((i*)m{;l=p6`X%Q
zE&V{)4M09ob@Bf*^9T9d^8Y%mdTBBu=?gQLXvB{Nve+)C{xWm7nk@9kLX$FMyXut>
zpqa;vCW=Jo-uuJM>mA9aeCkzy&p;H8n?o>G6-HOkvhwn2f`SGlYgkh4HbGDx&aBLC
z4WOBe|G<~K)VJh7qjkbTFE^ydF`21Kr&RpVh`abywe~^Mgr~=pWee0P{=JvqtyxU9
z8+r!o-B?;j62~>^cZeJ+3d(SOs~&K2H1t@@X~noc`|WTbb07AWW2iSgCTe=y4wIXp
zLp8d#ejv*#?(#Bi=gE#Qvs`!2>RAyy1elW5M|?bQ?Ni3XZ5mOgPj2%KX2ogOwPYrK
zz7Z>UB2m^U`dCT-XpUG}$5V1zxg<o1y8V^384b6WrS)qzwtqO{m`VqE9Na*mpPp0%
zHx&p=RsZ^jC(YEh8!dwQ%LwP_I&GnF^N^AkM=Z`n8Knk#Qhhh{WQ10U{<oBcQ`K_t
zh+SP7=W&Y7D>X~~W6B>6xg;5Q(Kb1;L49gx>^7v*oU>aoio83)Gqh5Atn=Qrj9>7Z
zx!dNkFaRGnEV|ch&5WtYn8645TAqpVCb@pK{nIOkg9p0jxjoBVsk5@B9XUN7wMeGC
zVK3W}xxgI+(|Hi}%=i7RHIZP4j_3^+OpMI?tl?;{JIoScyf1`5P2JhJTj!lLg;m&1
z34>L)eO=yZW@*Uru~<#=yf%9m+y3g?*6H0*n;xv?uH5jn5b!2ixECv@&pvt9=&MZ~
zC99*&(%VY@qyp038$$mX;~paXPVs7v6#UuS8|n>;ucUkkloO}JXjQbwEN46YVn`Ue
z`)iO)RikBI<c;K=w^r22LLSifP%=hSX=tA$(5SyEnAy^(fF)1$ZAuqhDY^U)ZURrf
zTb__`(fT63*$xu10bx8znojyfuo^%<Q*#L^aS`7h^pJ!4x#uSr6Yh#4=AtEq7J%`s
zgo!c(bQ5;T<FFP7!!i}lSR#?<)#9Z_k7$m$(uc0(>hX-<#yCL{@zZ?cS<7c%gUXOT
zbWMwr_aQA)9ydqN@D=PbO*bYnPWH<l-8~hDjPYc85Bi<$C(6bH)4c0-x8I+<4pyV+
zTi!Kqz?WSsd!xTcB@;Momox3{Z^1wISS#~W+paVV51mKXy^TW(uX6#0`fvU_w0W^=
zPu|7dlx%LcVNL2^S6XI4^eFX}bsC*)yxgZN_S-!Pm<`1i(`-c^hta^rup%3B@b~wQ
z<wkg=Hyhx=DmZQA!ddujgCaywMKVhWVFwI``>9QDMhsTuvnt=zj*aETZ4$VzMpIEy
z@R+jM?}llTvO)GMvNsf|e4kWDSB|N=HWwz~J-uiT_7{GUb?o9ook=`pTMjNnEe2!x
zQGahG5>PsTjl;n7BHsYy7bzt;Z%6U~<XnbkV7|c@$HwuVAq131lzK5$1FjX6A#V7x
zA<?t5I3={9L!~$uc;wFjcOzo7OoRyl|6yeQRUK+sso|Xb9M8E<Bc)QFCJ+zD$*x{|
z;fBL$cdm7lsaLw)>C!1zk<ErNLc7Q$5^dmm5W~E{aJzZDqW-}0Xg0M;x0-U5KSfNu
z%PQbVT$DhgIC<eUmF4(Ljr44fVg`h4KWpi<>(yJ$gC>5>i5|D;*2Lhkz}wFUn>uiT
zP~<nY+s*Xp?U7>%zD?vq=iYShvB>%sW;ye@#Rq%M<lZ_N6T}<ApU>t}#XexSL+x0@
z#_GDyUXlG+{3z@T-8yO!#9=>D(AW9_k=fv+&XC*4{tRu=zX2hX8X4n@ZcBt7>?pxQ
zWZ=&$%k)b-5|mXBl?6g<Xr3qWPB1k4dGs-<Ce++!DSGvIf~w_Jbsdp9k>`yS4RT?@
z$qxQ$70%~EsFK{?(T{kX16R>uyw43S3fN_lRCNM<!Zoc=wBK6xo(+|+KDqvSEBNKc
z5Z1C0s~hkf79RdLZq5Rq4`5TZPXZH0@zz9uU`u=lOc<j9C&OsRT4rd5wlh*f#4M6N
zPKU>E>i&ADY#QLQBff$Y3&_25O>J}}BhoHGIg~Kw<HUx)Ft)q)@k1bwLWRMVofxBs
zL)MjME7u2%N=qVsH(0Bgq<OnWT5N?y{;sng<bZyP{jgj!9}$^u%U2)kn0_3WVIfSz
zbXV6PdBCJXB4?3@grVb`<6#^%R!-twCnt=EIt5t)I0aJhbHBCnsUH^|g&C6s$qivQ
zpFCzIMl>&I*JoVSMtBT$dNz{Bhw1)SJhGcV6F;{7`)t|PzBQ?JP1t<$L6g<FO3<sd
z$YWXZ^^Bme+Yf!iK%;oMa$1mpEIV!`X2LyeO}s)1ZK}AUy4|K8yh~U-96YkF_$cyd
zu}yFwwY0uc=^TD(q`D2J9FLZwexB&?n&A4VJsoNNsHI~HC_6R8v!sDAYSoRLTd67|
zOhK2P32oc3X^>*%m*gpGeq(R+Pno`?QL>Xdt&u!npVs(pwV6qqoUe<!bHrVVpjWu2
zJ5tLl$Bt0vJKvX4?d?*IE3#CB%~E~tQcy(xe~woAdoUCrAFI3o=KcNz%olmTxG%mA
zXR4;1I*~1KE|3O_Q9K#n6G&&{PH9-AiI4-}-;p1=XfJUCqc8Li2OI6QO4RdxHRFuS
z@t&}`P=0JSmb0qVbfabD7qt$nGIusGhFM>8uLpSd5oq0Ni(D(0AgK?5#i6aLFL!2O
z$wPYW^Pab|Xjw*MyKR4D5nD_B7F}!ch~YN#wuH=^Z(Eto)c$u{^G9}S%eh}>@mK#S
zm*9QdA6z_^us2cez0RCBry(MZDB6!Ep7&c}@;0_elN#*47IMVH^TK55<~}w5gtb@)
z7IjDT9EK?Wx^u@Lp@-_pT`M`3mOZ~O(6;+srO|p$ZsFwo4X?*Oz%8&!nAM`Yy$o&H
zkTk$;+^}ROYL71UZdZH(<AN0lAd2xsVam+-9gh~-R+RksQ0Gdc=18bYAGP_eDtys{
z{+WSP-r8$}&XA2BgCid5UJZ__6;-UZ2KzIA>A-xcWJmO<s(&^*LbDH@^HoDYIfF01
zYC7TSAQkTdNmYRGbrz{=RBTFja_8m0F+BZBm@&^qr6wpo_LoYHJ|^683#`;Q!!rT+
zw#1E#NT%sRRqufl0<ey_q>9Iq5h<f}zoD`@{j)9-UetY36hu%S^#di@+3#jiiE=Mt
z#B_IXJr%r6%`3eg=T)!#TMz@6<T6;PIi*YSJMV_YwN}zgaBVf+kN)W8aH2B47FRj5
zMZtGhk3XZ*u52nc&qU(s1Lum5gsN8}W8bN)9cACuG9wuF*s~Dte(ZK<a&7yGS6=p1
z<Aaq0%5gX~==8mKtFN8IbKiccymgWn>XTu!vMebhOmM|vaCKEomVVzSX?AM&utm=~
z%xdlVofhVoVo#gRHiE@%<OC*4reyUNaWQp?jGlAX$*+lT%dLgrY{~f=^5DymLt9oA
z_4|wVJGA{1$Xeo4R(IO5mTa4ygxZ&ne;*Y=(iM&H*~ThtK9Qs8Oz0F`Z5OJdU{V|%
zvtm_`rj}rTmZY3GpiX{6bFZh$oRs5rGOCdGSu#4Bae$Q5aa=3D^gpN9|5-LHZK(hu
zWrIkq6`Q=aJi#Hl<!2SG&M=Q-AD*jk=Sd7^B5KbJ?R_tznr2M6+phRm-HY7Mp}G@x
z<YZo{R1!;koxKCBqHSOI@8W#md^M%EcSIw+92AA}p)@aF2dijB{*)6^*<-MZ_6V5a
zzQW~KFthoNw^sMVodLsnvz(<spUh$PjTEJ`D4m=Ux6fuIqNQAE6R2G&dQn!lx*0$;
zIMX}c12b>2AFNY{PgA+z@@0n9Su16@bK?jg6VNNy|B97tmQ}OXh^$zXXvT8AFKk;o
z3`P3L{{DV={b=D6N#Og?!o$1nXLB_J>ZkHV?E1Ea8V=$64Fa(^(JgTuSiE+k_Xm@0
z<gt8F^1heDcdq%MXh@z__M4ElZmcR$q4l3A5p+?wGvn88It;+OdZksMQU)R(%+C#w
z(wjZWgb;eUQs_Bcu?iOQwojP)Hdl4BXD(qsY%qN5@4VZ_FI(XwoCm^K<Nl3m*ly~>
zO06zO4E)Oa(sjP+A1vU=u;q?`hQ&o3r*<#jO&%944yB6n0fM7K*$a8trDTtNbhs!E
z4V_6-0r?u!C8J{_*=W#KUZ^uVNiGORSYb_?X8jL2YHc=5C1&6LFl<+?6weBM!w^(e
z>A9B^VndfU=<HaxIwmEMJL2l(=S3}CfGk~h%v>{a;7DQfutQEAoIBNxd=q0h?cO^^
z&$+Eco$ff8b)mg$Px$pXaznm)*5#ZP%GtP1ZU!cu)|tq>$7)x8yekmd@vUIzW{Zzn
zt<^%4Pjg<pTvM0UmQT|Sc-@}wyjaDPQ%HdT6160r$WC_Dro}$EDnYJ{ASxukrUg+<
z>?i(F6;GV=xkJ!VBw6uo@-{^mAx3kggF>77KnVU$a$Q--)AC_AnbO{R_vR1Pbj&O1
zP&ySal;?J*A>-nSEdMGOm)bjCDUN=!5b@QH{!|6(zfJw5{+&5UKokBY6s1<-2JKos
zwx5{;dR#gp2Oy_vsM%wck_X^B61%ik(0c|iQ1!88Q0)>0SL!QV7X^~eiw{{f?F}H*
zWKYvX{jS-m>K#9AgUDy7WS+(44c@fzHG?XvMdM%)YGSXmyexLeyiKI}+HO<dv>IQC
zv8%_FK@d3SPa1T#GszhfBh4ML+Rmo;(tQ~APRCF3$#{Yp(R-tt$5PHsHcvl#yO}cP
ztx%-cI{6<j-(83{`($}*o=i+2_xiMl1m+B#P|&%&Yj582!3L4Q7O*E7k4-n2co!J*
zsa}tVU|{o@qj@+@X|!=SG)zDK?3j=BjW03fah<>*Ze&ZM<ehzKjRieCMe<nAS%vt3
z1)^so+Jf2gaRuR@<;iDMC^{c2OHOrQPc-j$7?>LnH&%*RF?1)D^3Y2rrSi~r_ffUP
zVy=!Ee(tH_i{p4kA!S3-Tk^NX&}ArHOg9Mj&ExzL^#32Q?~?qWJRuS2rf3p|z9H+i
zf1&`6Fh({Y0(4Wh)ye>Hu2*;g_7xg~641CD%Xpo=`f3rfl;)UIG1RF>=gT}oyCK2{
zfUg@*{{i+n(Kd}`e`>9t!PaWY!bzzz^PK}Mr5^^w^`bm()8Fh3OC8jDCEn=m%w<>n
zbo+zn)daPW_sTo8GP<=IB@+(2)8gs6@$w&)um?;nOOb_hcGZC_FoB@-FI#p^q}~H*
zeM<q`>HKt>L9IWm@5p5CkTkqo`+hikD(%pRw=j>{dfW5zeMk50le???Q8L>{Hg_35
zy{#xcX-?<_s$}1$oI<L}d4(VfBubtY(parv{6e_r<+8T5jtOY{k1^_gg~XK?u;!6P
z72-}I$&%CNkyKP|$7(E+uEgMRAw&108GfctcU~Vz*XWmWgwU(b`{}*$s7Ma<KcH4@
z5wQR{MSaah5LcM@XZQ)Xs>uJe0gj(GkXi;6$<ei~CK}rdy%y2Nvjd`5mqZH;9jg0{
zM045D$ZypBX<*tF%jRIv-)t0N1He~}rnx91oodYO1`)PEgwJbKX$AtlQgAcT5=+-W
z>RcP%qPK7hdPWD0N}SrHZ@hU-5c|}+ib4G5+;3!kPFwUVOYTlt!!EDPnK_5~3o}e6
zX%Q?1JjD}$2m+xR0I5lFe;s++9i`Shui_PpxY-feP-$A16CB@RRlQ_*dzSvC9C6r+
z)Bb7RBCpqMf_H;8afY7O$d+4SUgmzml-t_zNuE!tSoy=F;g%=g>6Yw2*FT4zL}PS3
z@iDT3QuU{8>b&c#3NJkAhh#=#=&|j+j>KO(c+pg3_2f8n5M@G7Udm_sPioG(2t$Nu
z+j<u&=#@sLU58XQ8%aoe)Gbl{s>6fI3u-0Gk?dvfq!Wh<_(GBh`uvW0xTGltGp=a3
zGydn${RaU4Fx<i5(M3TTQ^_e0IZ0Ol0dPBm{69m5cx;uMSdQAFHW6ob00@9P>HiEB
zXhYlg?na`%;UxfkSMsK@2jX{K?(5n8_!yvsjW=Bacm0lBmARL}5!cIEpF%-zc^tg)
z&q0qS-Ho)m@UueW$2TZ{Pr+XfZ2Mw6QJQs5lTbJ9&mfIfBZ*>j@-uehFS!16#G>K|
z@lf~>J*Hn}p6e`&iKs-~tP5E@cBz|DetnFfUFs?7@u@e=wSmVu%zmohD}NcBG2FHl
zXhj?ZeK8TU8O+=W*9x8~+r_X*1X>UEZy8EkKXqh%y>_4}HOE*{vAl73x@_Y!QT*ww
zm9TmnXeoV+z_|_=R^3q`zIKR@fuCF=dREDF`LxlM4^Hx;{39G+DMp%=yoo$jgDM=>
zxH8y9!oEvWw&~7{$CHHXxY9Z#?Y-7HI-^7*M6s;}tEPBd!FY+H=6+45zeWDv<hFly
zA?)Sp7v2BtLR^CIJOohzQx6;~@|1k8l%FWg{eesXa)Hu-*ctNHFYFAJN-6>oDjfUM
zF{yn+_U$@@T?j?jS_FvFuodOIZ9SH$o%N}=^wz%<akdtKv35+C0z(7Rc3z(HIo>&G
zRHwZUoka^Tb3%&)2v6?eMMkE5y=I143gocJOW6J>6|bgIJO=QKHl!DWT?o{xsMGlI
zwxVfoKQqs6x|?t2eeIfL>1Z?R7yNxB8>4u0hr3*Po5|4ANgr0tf--f7gPM_Ff=&#r
z-y{r~E?G#Qy>XQ5SUXU|ykRZmxNWg?8fJNx{&?^Fc|r~ZQbIO;4Mzd?V-C0Nk^evG
z?H`RB2`DST#%VD1m&T0%I~Y6vC<nmCjiD<OWzet2jjC)!V(<5wpNMXpHaAl9!G$kZ
z<$0Zb(YQ$+UA~6EOCNG68Y^-+RsoMJ-FTf2Y}{nFVE{t9rq_F?-mi@W4y3uxzFstL
z41zmwf!1Er&D+vw^TJ@Z3;g?Kkc?Reh<{64#T25)EQR+6C(n@;llmf3%thnVaXpJS
zj=dHuOtQwYw=5;BhogHIjp`Wi@wHMq=9a2+&Wer2x_<-)n*<ME%bl)XpKpjyZ)*Ft
zquj*u)TQ=jedIpIdRc6^ukGk=nEsp%_T;=6eh-Fa!#;^Wz8;?g!E1XIaE#wh9uo~=
zt7K<}a*uR$w_Nh+<brn+KL78}@-L;;|24t>xAyZ02?1*048R2-z^@PF7Y`0V{=(xx
zpx`V3fUy7o6yz`F<AH?#i^l<Z3UEFxc%=sC(EJ*|SVQ}39~j8f{hH$m&S8Y${oJP$
z<PpF4L6B$qwf5paF8^hJAqWmY0gjD<b7cN9Zul3T+yL@(&x^Gb2LFC9%D?d7Er9S}
zUjTRy{>}pzw1F>yg#v&f_+sDj0pJ!P07wvnH^B$5A_V|lH~@Si2Y>)d0NAAhfFK$G
zAff|+czSRx0|1aB0ALcN0ww?$0GC}52e|K5kQ_it2PqMxHjsKissbqoq>HgMkna7W
uWbpa`q-!8)gY@TK{uhrD1OdK-&-mw6!O_RwiA}@H&c(^l$<FaM0Q?ui{p<1o

literal 0
HcmV?d00001

diff --git a/spec/lib/upload_creator_spec.rb b/spec/lib/upload_creator_spec.rb
index b2df27603e..6e796ea36f 100644
--- a/spec/lib/upload_creator_spec.rb
+++ b/spec/lib/upload_creator_spec.rb
@@ -79,12 +79,12 @@ RSpec.describe UploadCreator do
         expect(upload.original_filename).to eq('png_as.png')
       end
 
-      describe 'for webp format' do
+      describe 'for tiff format' do
         before do
-          SiteSetting.authorized_extensions = '.webp|.bin'
+          SiteSetting.authorized_extensions = '.tiff|.bin'
         end
 
-        let(:filename) { "webp_as.bin" }
+        let(:filename) { "tiff_as.bin" }
         let(:file) { file_from_fixtures(filename) }
 
         it 'should not correct the coerce filename' do
@@ -96,7 +96,7 @@ RSpec.describe UploadCreator do
 
           expect(upload.extension).to eq('bin')
           expect(File.extname(upload.url)).to eq('.bin')
-          expect(upload.original_filename).to eq('webp_as.bin')
+          expect(upload.original_filename).to eq('tiff_as.bin')
         end
       end
     end
diff --git a/test/javascripts/lib/uploads-test.js.es6 b/test/javascripts/lib/uploads-test.js.es6
index 1dbf5fde3f..0dfc71a4d7 100644
--- a/test/javascripts/lib/uploads-test.js.es6
+++ b/test/javascripts/lib/uploads-test.js.es6
@@ -123,7 +123,7 @@ QUnit.test("allows valid uploads to go through", assert => {
 });
 
 QUnit.test("isImage", assert => {
-  ["png", "jpg", "jpeg", "gif", "ico"].forEach(extension => {
+  ["png", "webp", "jpg", "jpeg", "gif", "ico"].forEach(extension => {
     var image = "image." + extension;
     assert.ok(isImage(image), image + " is recognized as an image");
     assert.ok(