fix: code cleanup and improved code from 4.2

Author: thorsten

phpmyfaq/assets/templates/admin/login.twig

@@ -33,7 +33,6 @@
                   </div>
                   <div class="card-body">
                     <form action="{{ loginUrl }}" method="post" accept-charset="utf-8" role="form">
-                      <input type="hidden" name="redirect-action" value="{{ redirectAction }}">
                       <div class="form-floating mb-3">
                         <input class="form-control" id="faqusername" name="faqusername" type="text"
                                placeholder="{{ msgUsername }}">

phpmyfaq/assets/templates/admin/user/twofactor.twig

@@ -25,7 +25,6 @@
                     <form action="{{ systemUri }}admin/check" method="post"
                           accept-charset="utf-8" role="form" class="pmf-form-login">
                       <input type="hidden" name="user-id" id="user-id" value="{{ userId }}">
-                      <input type="hidden" name="redirect-action" value="{{ redirectAction }}">
                       <div class="form-group">
                         <label for="token">{{ msgEnterTwofactorToken }}</label>
                         <div class="col-4 mx-auto my-2">

phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/ImageController.php

@@ -32,6 +32,17 @@
 
 final class ImageController extends AbstractController
 {
+    private const array ALLOWED_MIME_TYPES = [
+        'gif' => 'image/gif',
+        'jpg' => 'image/jpeg',
+        'jpeg' => 'image/jpeg',
+        'png' => 'image/png',
+        'webp' => 'image/webp',
+        'mov' => 'video/quicktime',
+        'mp4' => 'video/mp4',
+        'webm' => 'video/webm',
+    ];
+
     /**
      * @throws Exception|\Exception
      */
@@ -43,7 +54,7 @@ public function upload(Request $request): JsonResponse
         $session = $this->container->get(id: 'session');
 
         $uploadDir = PMF_CONTENT_DIR . '/user/images/';
-        $validFileExtensions = ['gif', 'jpg', 'jpeg', 'png', 'webp', 'mov', 'mp4', 'webm'];
+        $validFileExtensions = array_keys(self::ALLOWED_MIME_TYPES);
         $timestamp = time();
 
         if (!Token::getInstance($session)->verifyToken('pmf-csrf-token', $request->query->get('csrf'))) {
@@ -93,11 +104,34 @@ public function upload(Request $request): JsonResponse
                     );
                 }
 
-                // Accept upload if there was no origin, or if it is an accepted origin
+                // Accept upload if there was no origin or if it is an accepted origin
                 $fileName = $timestamp . '_' . $file->getClientOriginalName();
                 $fileName = str_replace(' ', '_', $fileName);
                 $file->move($uploadDir, $fileName);
 
+                $filePath = $uploadDir . $fileName;
+                $fileExtension = strtolower((string) $file->getClientOriginalExtension());
+
+                // Validate actual MIME type matches the claimed extension
+                $detectedMime = mime_content_type($filePath);
+                $expectedMime = self::ALLOWED_MIME_TYPES[$fileExtension] ?? null;
+
+                if ($detectedMime === false || $expectedMime === null || $detectedMime !== $expectedMime) {
+                    if (file_exists($filePath)) {
+                        unlink($filePath);
+                    }
+
+                    return $this->json(
+                        [
+                            'success' => false,
+                            'data' => ['code' => Response::HTTP_BAD_REQUEST],
+                            'messages' => ['File content does not match the file extension'],
+                        ],
+                        Response::HTTP_BAD_REQUEST,
+                        $headers,
+                    );
+                }
+
                 // Add to the list of uploaded files
                 $uploadedFiles[] = $fileName;
             }

phpmyfaq/src/phpMyFAQ/Controller/Administration/AuthenticationController.php

@@ -106,7 +106,6 @@ public function login(Request $request): Response
             'isLogout' => $request->query->get(key: 'action') === 'logout',
             'logoutMessage' => Translation::get(key: 'ad_logout'),
             'loginUrl' => $this->configuration->getDefaultUrl() . 'admin/authenticate',
-            'redirectAction' => $request->query->get(key: 'action') ?? '',
             'msgUsername' => Translation::get(key: 'ad_auth_user'),
             'msgPassword' => Translation::get(key: 'ad_auth_passwd'),
             'msgRememberMe' => Translation::get(key: 'rememberMe'),