From 1010bbf2ce905932f1fcece326468842c14902ea Mon Sep 17 00:00:00 2001
From: David Battersby <info@davidbattersby.com>
Date: Fri, 22 Dec 2023 17:59:53 +0800
Subject: [PATCH] FIX: whitelist uploads before creating thumbnail variants
 (#25013)

Only attempt to create thumbnails for whitelisted upload extensions.
---
 plugins/chat/lib/chat/message_processor.rb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/plugins/chat/lib/chat/message_processor.rb b/plugins/chat/lib/chat/message_processor.rb
index 0ddadd13d00..74658ffde99 100644
--- a/plugins/chat/lib/chat/message_processor.rb
+++ b/plugins/chat/lib/chat/message_processor.rb
@@ -3,6 +3,7 @@
 module Chat
   class MessageProcessor
     include ::CookedProcessorMixin
+    IMG_FILETYPES = %w[jpg jpeg gif png heic heif webp]
 
     def initialize(chat_message, opts = {})
       @model = chat_message
@@ -22,7 +23,11 @@ module Chat
     end
 
     def process_thumbnails
+      return if !SiteSetting.create_thumbnails
+
       @model.uploads.each do |upload|
+        next if upload.blank? || IMG_FILETYPES.exclude?(upload.extension.downcase)
+
         if upload.width <= SiteSetting.max_image_width &&
              upload.height <= SiteSetting.max_image_height
           return false