From 1ac14a466e66539f101775963351d3abb63a3184 Mon Sep 17 00:00:00 2001
From: Peter Jaszkowiak
Date: Mon, 24 Apr 2017 11:22:38 -0600
Subject: [PATCH] Reject non-audio upload requests to the sounds route
---
src/controllers/admin/uploads.js | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/controllers/admin/uploads.js b/src/controllers/admin/uploads.js
index 02bd065c0b..4280a2793b 100644
--- a/src/controllers/admin/uploads.js
+++ b/src/controllers/admin/uploads.js
@@ -5,6 +5,7 @@ var path = require('path');
var async = require('async');
var nconf = require('nconf');
var winston = require('winston');
+var mime = require('mime');
var meta = require('../../meta');
var file = require('../../file');
@@ -102,6 +103,11 @@ uploadsController.uploadLogo = function (req, res, next) {
uploadsController.uploadSound = function (req, res, next) {
var uploadedFile = req.files.files[0];
+ var mimeType = mime.lookup(uploadedFile.name);
+ if (!/^audio\//.test(mimeType)) {
+ return next(Error('[[error:invalid-data]]'));
+ }
+
file.saveFileToLocal(uploadedFile.name, 'sounds', uploadedFile.path, function (err) {
if (err) {
return next(err);
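Review bot: The new guard in `uploadSound` derives `mimeType` from `mime.lookup(uploadedFile.name)`, so it is an extension check on a client-supplied filename and never inspects the uploaded bytes. A file with an audio extension and arbitrary content still reaches `file.saveFileToLocal`. I would say so above the check, e.g. `// Extension-based filter on the client-supplied name; file contents are not validated.`, so the guard is not mistaken for content validation. The same untrusted name is passed on as the destination filename; if `saveFileToLocal` does not normalise it (not visible here), use `path.basename(uploadedFile.name)` for both the lookup and the save. The early `return next(...)` may also leave the temporary file at `uploadedFile.path` behind, but the rest of the function body is outside the hunk, so that depends on where cleanup happens.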