diff --git a/composer.json b/composer.json
index d5feaf8c..82326ce4 100644
--- a/composer.json
+++ b/composer.json
@@ -43,12 +43,13 @@
"ext-curl": "*",
"ext-json": "*",
"ext-openssl": "*",
+ "ext-fileinfo": "*",
"phpmailer/phpmailer": "~6.0",
"monolog/monolog": "^1.24",
"robthree/twofactorauth": "^1.6",
"froxlor/idna-convert-legacy": "^2.1",
"voku/anti-xss": "^4.1"
- },
+ },
"require-dev": {
"phpunit/phpunit": "^9",
"php": ">=7.3",
diff --git a/lib/Froxlor/Settings/Store.php b/lib/Froxlor/Settings/Store.php
index c1131644..69e365fa 100644
--- a/lib/Froxlor/Settings/Store.php
+++ b/lib/Froxlor/Settings/Store.php
@@ -388,6 +388,11 @@ class Store
}
}
+ // Make sure mime-type matches an image
+ if (!in_array(mime_content_type($_FILES[$fieldname]['tmp_name']), ['image/jpeg','image/jpg','image/png','image/gif'])) {
+ throw new \Exception("Uploaded file not a valid image");
+ }
+
// Determine file extension
$spl = explode('.', $_FILES[$fieldname]['name']);
$file_extension = strtolower(array_pop($spl));
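Review bot: The new `in_array()` in the mime check is non-strict and does not account for `mime_content_type()` returning `false` when fileinfo cannot identify the file; split it as `$mime = mime_content_type($_FILES[$fieldname]['tmp_name']);` and `if ($mime === false || !in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true)) {`. `image/jpg` is not a registered MIME type and fileinfo does not report it, so it can be dropped from the allow-list without changing behaviour. Keep in mind that a magic-byte match only confirms the leading bytes look like an image, while the lines that follow still take the stored extension from the client-supplied filename; deriving the extension from the detected type (or additionally validating with `getimagesize()`) keeps the stored name consistent with the content. The enclosing method starts and ends outside the hunk, so whether `is_uploaded_file()` is checked earlier cannot be seen from here.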
diff --git a/templates/Sparkle/formfields/image.tpl b/templates/Sparkle/formfields/image.tpl
index 2c72f8dd..1a880c44 100644
--- a/templates/Sparkle/formfields/image.tpl
+++ b/templates/Sparkle/formfields/image.tpl
@@ -6,6 +6,6 @@
{$lng['panel']['image_field_delete']}
- disabled="disabled" type="file" class="file" name="{$fieldname}" accept=".jpg, .jpeg, .png" />
+ disabled="disabled" type="file" class="file" name="{$fieldname}" accept="image/jpeg, image/jpg, image/png, image/gif" />