From e7d9b4609774934c462ec9f31fdc870b92fc5e43 Mon Sep 17 00:00:00 2001
From: Joao Victor
Date: Tue, 31 May 2022 16:32:58 -0300
Subject: [PATCH] fix: add some file sanitization
---
 .../video-preview/virtual-background/component.jsx | 9 ++++++++-
 .../video-list/video-list-item/component.jsx | 6 +++++-
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/bigbluebutton-html5/imports/ui/components/video-preview/virtual-background/component.jsx b/bigbluebutton-html5/imports/ui/components/video-preview/virtual-background/component.jsx
index d6225c2629..20d8cc8bd0 100644
--- a/bigbluebutton-html5/imports/ui/components/video-preview/virtual-background/component.jsx
+++ b/bigbluebutton-html5/imports/ui/components/video-preview/virtual-background/component.jsx
@@ -76,6 +76,8 @@ const intlMessages = defineMessages({
 }, {})
 });
+const MAX_FILE_SIZE = 5000;
+
 const VirtualBgSelector = ({
 intl,
 handleVirtualBgSelected,
@@ -159,7 +161,11 @@ const VirtualBgSelector = ({
 const handleCustomBgChange = (event) => {
 const file = event.target.files[0];
- const { name: filename } = file;
+ const { name: filename, size } = file;
+ const sizeInKB = size / 1024;
+
+ if (sizeInKB > MAX_FILE_SIZE) return;
+
 const reader = new FileReader();
 const substrings = filename.split('.');
 substrings.pop();
@@ -340,6 +346,7 @@ const VirtualBgSelector = ({
 id="customBgSelector"
 onChange={handleCustomBgChange}
 style={{ display: 'none' }}
+ accept="image/png, image/jpeg"
 />
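Review bot: The unit of `MAX_FILE_SIZE` is not stated where it is declared, and the name reads as bytes even though the comparison in `handleCustomBgChange` divides `size` by 1024 first; the copy of the same constant in video-list-item/component.jsx at least carries `// KBytes`. Either document it here as `const MAX_FILE_SIZE = 5000; // KBytes` or name it `MAX_FILE_SIZE_KB` so the unit travels with the identifier. Both files now declare the same size limit and the same PNG/JPEG allowlist, so moving them to one shared module would keep the two virtual-background entry points from drifting apart the next time one limit is changed.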
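Review bot: `handleCustomBgChange` now enforces the size limit but still does not check the file's MIME type, so the `accept="image/png, image/jpeg"` attribute added to the input further down — a picker hint the user can override with "All files" — is the only type filter on this path, while the drop handler in video-list-item/component.jsx rejects anything outside `['image/png', 'image/jpeg']`. Extending the destructuring to `const { name: filename, size, type } = file;` and the guard to `if (sizeInKB > MAX_FILE_SIZE || !['image/png', 'image/jpeg'].includes(type)) return;` would make both entry points apply the same rule. A guard `if (!file) return;` right after `const file = event.target.files[0];` is also missing: when the dialog is cancelled `files[0]` is undefined and the destructuring throws, and the same applies to `const { size, type } = file;` in the drop handler of video-list-item/component.jsx when the drop carries no file. `file.size` and `file.type` are reported by the browser from the local file, so these remain input-sanity checks rather than a trust boundary; whatever decodes or stores the image should not treat them as verified. The handler's body continues past the hunk.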
 {intl.formatMessage(intlMessages.customLabel)}
diff --git a/bigbluebutton-html5/imports/ui/components/video-provider/video-list/video-list-item/component.jsx b/bigbluebutton-html5/imports/ui/components/video-provider/video-list/video-list-item/component.jsx
index 9c5e3ff6df..dd622fa13f 100755
--- a/bigbluebutton-html5/imports/ui/components/video-provider/video-list/video-list-item/component.jsx
+++ b/bigbluebutton-html5/imports/ui/components/video-provider/video-list/video-list-item/component.jsx
@@ -33,6 +33,8 @@ const intlMessages = defineMessages({
 });
 const VIDEO_CONTAINER_WIDTH_BOUND = 125;
+const MIME_TYPES_ALLOWED = ['image/png', 'image/jpeg'];
+const MAX_FILE_SIZE = 5000; // KBytes
 const VideoListItem = (props) => {
 const {
@@ -279,8 +281,10 @@ const VideoListItem = (props) => {
 const { files } = e.dataTransfer;
 const file = files[0];
+ const { size, type } = file;
+ const sizeInKB = size / 1024;
- if (!file.type.startsWith('image')) return;
+ if (sizeInKB > MAX_FILE_SIZE || !MIME_TYPES_ALLOWED.includes(type)) return;
 if (Session.get('skipBackgroundDropConfirmation')) {
 return startAndSaveVirtualBackground(file);