Added MIME Type filter for file uploads to prevent dangerous uploads.

model/file/file.go

@@ -100,6 +100,10 @@ func Insert(name, kind, mimeType, author string, time time.Time, size int64, url
 
 // Upload adds a file to the space.
 func Upload(ctx context.Context, name, mimeType, author string, size int64, input io.Reader) (File, error) {
+	if !allowdMimeTypes[mimeType] {
+		return File{}, errors.New("File type not allowed:" + mimeType)
+	}
+
 	if name == "" {
 		date := time.Now().UTC().Format("Jan 02 2006 15:04:05 MST")
 		name = "Unnamed file (" + date + ")"
@@ -233,3 +237,16 @@ func init() {
 		fileCollection.EnsureIndexKey("kind")
 	})
 }
+
+var allowdMimeTypes = map[string]bool{
+	"":                    false,
+	"image/jpeg":          true,
+	"image/png":           true,
+	"image/gif":           true,
+	"text/plain":          true,
+	"application/json":    true,
+	"application/pdf":     false,
+	"binary/octet-stream": false,
+	"video/mp4":           false,
+	"audio/mp3":           false,
+}