check mime types

composer.json

@@ -43,12 +43,13 @@
 		"ext-curl": "*",
 		"ext-json": "*",
 		"ext-openssl": "*",
+		"ext-fileinfo": "*",
 		"phpmailer/phpmailer": "~6.0",
 		"monolog/monolog": "^1.24",
 		"robthree/twofactorauth": "^1.6",
 		"froxlor/idna-convert-legacy": "^2.1",
 		"voku/anti-xss": "^4.1"
-	},
+    },
 	"require-dev": {
 		"phpunit/phpunit": "^9",
 		"php": ">=7.3",

lib/Froxlor/Settings/Store.php

@@ -388,6 +388,11 @@ class Store
                     }
                 }
 
+                // Make sure mime-type matches an image
+                if (!in_array(mime_content_type($_FILES[$fieldname]['tmp_name']), ['image/jpeg','image/jpg','image/png','image/gif'])) {
+                    throw new \Exception("Uploaded file not a valid image");
+                }
+
                 // Determine file extension
                 $spl = explode('.', $_FILES[$fieldname]['name']);
                 $file_extension = strtolower(array_pop($spl));

templates/Sparkle/formfields/image.tpl

@@ -6,6 +6,6 @@
 			<input type="checkbox" value="1" name="{$fieldname}_delete" /> {$lng['panel']['image_field_delete']}
 			<br><br>
 		</if>
-		<input <if $do_show == 0>disabled="disabled"</if> type="file" class="file" name="{$fieldname}" accept=".jpg, .jpeg, .png" />
+		<input <if $do_show == 0>disabled="disabled"</if> type="file" class="file" name="{$fieldname}" accept="image/jpeg, image/jpg, image/png, image/gif" />
 	</td>
 </tr>