Enhance file handling and MIME type validation 🎉

- Added MIME type constants for better image type handling in `lhmailconvparser.php` 🖼️
- Improved inline download logic in `inlinedownload.php` to check for supported image types before disposition 🖼️
- Updated download logic in `downloadfile.php` to handle inline and attachment cases more robustly 📥
- Enhanced REST API file handling in `file.php` to validate MIME types and provide appropriate responses for unsupported types 🚫

Author: remdex

lhc_web/lib/core/lhmailconv/lhmailconvparser.php

@@ -3,6 +3,7 @@
 class erLhcoreClassMailconvParser {
 
     const IMAGE_EXTENSIONS = ['png','bmp','gif','jfif','jpg','jpeg','webp','heic'];
+    const IMAGE_MIME_TYPES = ['image/png','image/bmp','image/gif','image/jpeg','image/webp','image/heic'];
 
     public static function getRawConnection($mailbox)
     {

lhc_web/modules/lhfile/downloadfile.php

@@ -157,7 +157,7 @@
 
         if (!(isset($_GET['modal']) && $_GET['modal'] === 'true')) {
             header('Content-type: '.$file->type);
-            if (!isset($Params['user_parameters_unordered']['inline']) || $Params['user_parameters_unordered']['inline'] != 'true') {
+            if (!isset($Params['user_parameters_unordered']['inline']) || $Params['user_parameters_unordered']['inline'] != 'true' || (isset($Params['user_parameters_unordered']['inline']) && $Params['user_parameters_unordered']['inline'] === 'true' && !in_array($file->type,['image/png','image/bmp','image/gif','image/jpeg','image/webp','image/heic']))) {
                 // Download with file name
                 header('Content-Disposition: attachment; filename="'.$file->id.'-'.pathinfo($file->upload_name, PATHINFO_FILENAME).'.'.$file->extension.'"');
                 header('Referrer-Policy: no-referrer');
@@ -169,8 +169,7 @@
             }
         }
 
-		$response = erLhcoreClassChatEventDispatcher::getInstance()->dispatch('file.download', array('chat_file' => $file));
-
+        $response = erLhcoreClassChatEventDispatcher::getInstance()->dispatch('file.download', array('chat_file' => $file));
 
         if (isset($_GET['modal']) && $_GET['modal'] === 'true') {
 

lhc_web/modules/lhmailconv/inlinedownload.php

@@ -13,7 +13,9 @@
         }
     }
 
-    if ($file->disposition != 'INLINE') {
+    $inlineSupported = in_array($file->extension, erLhcoreClassMailconvParser::IMAGE_EXTENSIONS) && in_array(explode(';',$file->type)[0], erLhcoreClassMailconvParser::IMAGE_MIME_TYPES);
+
+   if ($inlineSupported === true && $file->disposition != 'INLINE') {
         $mcOptions = erLhcoreClassModelChatConfig::fetch('mailconv_options');
         $mcOptionsData = (array)$mcOptions->data;
         if ($file->extension === 'jpg' && !str_ends_with($file->name, '.jpg')) {
@@ -177,6 +179,11 @@
         header('X-Content-Type-Options: nosniff');
         header('Referrer-Policy: no-referrer');
         header("Cache-Control: private, max-age=3600");
+
+        if ($inlineSupported === false) {
+            header('Content-Disposition: attachment; filename="'.$file->name.'"');
+        }
+
         echo file_get_contents($file->file_path_server);
     } else {
         echo file_get_contents('design/defaulttheme/images/general/denied.png');

lhc_web/modules/lhrestapi/file.php

@@ -96,7 +96,17 @@
             $response = erLhcoreClassChatEventDispatcher::getInstance()->dispatch('file.download', array('chat_file' => $file));
 
             // There was no callbacks or file not found etc, we try to download from standard location
-            if ($response === false) {
+            if ($response === false && str_starts_with($file->file_path_server, 'var/')) {
+                if (\erLhcoreClassChatWebhookIncoming::getExtensionByMime($file->extension, true) != $file->type) {
+                    if (in_array($file->extension,['jpg','jpeg','png'])) {
+                        $denyImage = 'design/defaulttheme/images/general/denied.png';
+                        header('Content-type: image/png; charset=binary');
+                        echo file_get_contents($denyImage);
+                        exit;
+                    } else {
+                        exit('Mime type does not match!');
+                    }
+                }
                 echo file_get_contents($file->file_path_server);
             } else {
                 echo $response['filedata'];