+5

internal/ui/model.go

reviewed

··· 3478 3478 // isMimeMismatch returns true if the file extension claims to be a safe type 3479 3479 // but magic-byte detection says otherwise (e.g. a script disguised as .png). 3480 3480 func isMimeMismatch(ext, detected string) bool { 3481 3481 + // SVG is XML-based, so DetectContentType returns text/xml, text/plain, or 3482 3482 + // text/html — all valid for real SVGs. Only flag binary content as suspicious. 3483 3483 + if ext == ".svg" { 3484 3484 + return !strings.HasPrefix(detected, "text/") && !strings.HasPrefix(detected, "image/") 3485 3485 + } 3481 3486 expected, ok := expectedMimePrefix[ext] 3482 3487 if !ok { 3483 3488 return false // unknown extension — can't validate, let it through

+8

internal/ui/model_test.go

reviewed

··· 641 641 {"real mp3", ".mp3", "audio/mpeg", false}, 642 642 {"real mp4", ".mp4", "video/mp4", false}, 643 643 644 644 + // SVG — XML/text-based types are valid, binary is suspicious 645 645 + {"real svg as text/xml", ".svg", "text/xml; charset=utf-8", false}, 646 646 + {"real svg as text/plain", ".svg", "text/plain; charset=utf-8", false}, 647 647 + {"real svg as text/html", ".svg", "text/html; charset=utf-8", false}, 648 648 + {"real svg as image/svg+xml", ".svg", "image/svg+xml", false}, 649 649 + {"binary disguised as svg", ".svg", "application/octet-stream", true}, 650 650 + {"zip disguised as svg", ".svg", "application/zip", true}, 651 651 + 644 652 // Unknown extensions — can't validate, should pass through 645 653 {"unknown ext .xyz", ".xyz", "text/plain; charset=utf-8", false}, 646 654 {"unknown ext .foo", ".foo", "application/octet-stream", false},