From 3b9396c178ce4dc4d28ed2b7d3a6cbae634c5f64 Mon Sep 17 00:00:00 2001
From: Mahmoud Al-Qudsi
Date: Fri, 14 Feb 2020 18:08:05 -0600
Subject: [PATCH] Allow mime types to match based off of class
The old behavior prevented simple file types like `text/plain` from being uploaded since browsers upload them with the charset as well (e.g. `text/plain charset=utf-8`) without specifying all possible charsets. Additionally, this allows for blanket includes like `text/*` or `image/*` by class type.
---
 modules/upload/filetype.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/modules/upload/filetype.go b/modules/upload/filetype.go
index 2ab326d11690f..a71a6a0b8e3d8 100644
--- a/modules/upload/filetype.go
+++ b/modules/upload/filetype.go
@@ -34,9 +34,13 @@ func VerifyAllowedContentType(buf []byte, allowedTypes []string) error {
 for _, t := range allowedTypes {
 t := strings.Trim(t, " ")
- if t == "*/*" || t == fileType ||
+ if t == fileType ||
+ // Allow wildcard */* to match all mime types
+ t == "*/*" ||
 // Allow directives after type, like 'text/plain; charset=utf-8'
- strings.HasPrefix(fileType, t+";") {
+ strings.HasPrefix(fileType, t+";") ||
+ // Allow a class whitelist, like 'image/*'
+ (strings.HasSuffix(t, "/*") && strings.HasPrefix(fileType, strings.TrimRight(t, "*"))) {
 return nil
 }
 }
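Review bot: The new class branch (`strings.HasSuffix(t, "/*") && strings.HasPrefix(fileType, ...)`) makes an entry such as `text/*` accept every subtype in that class, including active content like `text/html`, and the comment above it does not say so. I would extend that comment to something like `// Allow a class whitelist, like 'image/*'; this admits every subtype of the class, so 'text/*' also admits text/html`, so that whoever configures the list knows such uploads must be served as attachments rather than rendered inline. Separately, `strings.TrimRight(t, "*")` takes a cutset and strips every trailing asterisk; `strings.TrimSuffix(t, "*")` removes exactly the one character the `HasSuffix` check established. The comparison is also case-sensitive, so a configured `Image/*` would silently never match; this may be intended, but it is worth stating in the comment. `fileType` is assigned outside this hunk and the function body continues past it, so how the type is derived and how a rejection is reported are not visible here.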