[IMPROVE] Add asset extension validation (#15088)

app/assets/server/assets.js

@@ -490,6 +490,10 @@ WebApp.connectHandlers.use('/assets/', Meteor.bindEnvironment(function(req, res,
 
 	const format = req.url.replace(/.*\.([a-z]+)$/, '$1');
 
+	if (assets[params.asset] && Array.isArray(assets[params.asset].constraints.extensions) && !assets[params.asset].constraints.extensions.includes(format)) {
+		res.writeHead(403);
+		return res.end();
+	}
 	if (!file) {
 		const defaultUrl = assets[params.asset] && assets[params.asset].defaultUrl;
 		if (defaultUrl) {

app/lib/server/startup/settings.js

@@ -1269,7 +1269,7 @@ settings.addGroup('Layout', function() {
 			multiline: true,
 			public: true,
 		});
-		return this.add('Layout_Sidenav_Footer', '<a href="/home"><img src="assets/logo"/></a>', {
+		return this.add('Layout_Sidenav_Footer', '<a href="/home"><img src="assets/logo.png"/></a>', {
 			type: 'code',
 			code: 'text/html',
 			public: true,

server/startup/migrations/index.js

@@ -148,4 +148,5 @@ import './v147';
 import './v148';
 import './v149';
 import './v150';
+import './v151';
 import './xrun';

server/startup/migrations/v151.js

@@ -0,0 +1,14 @@
+import { Migrations } from '../../../app/migrations';
+import { Settings } from '../../../app/models';
+
+Migrations.add({
+	version: 151,
+	up() {
+		const setting = Settings.findOne({ _id: 'Layout_Sidenav_Footer' });
+		if (setting && setting.value) {
+			if (setting.value === '<a href="/home"><img src="assets/logo"/></a>') {
+				Settings.update({ _id: 'Layout_Sidenav_Footer' }, { $set: { value: '<a href="/home"><img src="assets/logo.png"/></a>' } });
+			}
+		}
+	},
+});