From cdd30731b6e88d1519de6cf12b31fd3bed4dd5d1 Mon Sep 17 00:00:00 2001
From: Richard Hughes
Date: Sun, 19 Feb 2023 19:17:13 +0000
Subject: [PATCH] Only accept application/x-xz compression for the metadata payload

Fixes some of https://github.com/fwupd/fwupd/issues/5553
---
 src/fu-engine.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/fu-engine.c b/src/fu-engine.c
index 0a956f6d6..c01f864a0 100644
--- a/src/fu-engine.c
+++ b/src/fu-engine.c
@@ -4946,6 +4946,7 @@ fu_engine_update_metadata_bytes(FuEngine *self,
 FwupdKeyringKind keyring_kind;
 FwupdRemote *remote;
 JcatVerifyFlags jcat_flags = JCAT_VERIFY_FLAG_REQUIRE_SIGNATURE;
+ g_autofree gchar *content_type = NULL;
 g_autoptr(JcatFile) jcat_file = jcat_file_new();

 g_return_val_if_fail(FU_IS_ENGINE(self), FALSE);
@@ -4973,6 +4974,20 @@ fu_engine_update_metadata_bytes(FuEngine *self,
 return FALSE;
 }

+ /* check for xz payload */
+ content_type = g_content_type_guess(NULL,
+ (const guchar *)g_bytes_get_data(bytes_raw, NULL),
+ g_bytes_get_size(bytes_raw),
+ NULL);
+ if (content_type != NULL && g_strcmp0(content_type, "application/x-xz") != 0) {
+ g_set_error(error,
+ FWUPD_ERROR,
+ FWUPD_ERROR_NOT_SUPPORTED,
+ "only application/x-xz payload supported, got %s",
+ content_type);
+ return FALSE;
+ }
+
 /* verify JCatFile, or create a dummy one from legacy data */
 keyring_kind = fwupd_remote_get_keyring_kind(remote);
 if (keyring_kind == FWUPD_KEYRING_KIND_JCAT) {
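Review bot: The allowlist check added in the second hunk fails open: `if (content_type != NULL && g_strcmp0(content_type, "application/x-xz") != 0)` skips the rejection whenever `g_content_type_guess()` yields no type, so an unidentified payload continues to the JCat handling below. Because `g_strcmp0()` is NULL-safe, the guard can be `if (g_strcmp0(content_type, "application/x-xz") != 0) {`, with `content_type != NULL ? content_type : "unknown"` passed to the error message. The guess is content sniffing that presumably depends on the MIME database available on the host, and the `result_uncertain` out-parameter is passed as `NULL`. A comment such as `/* coarse pre-filter on unverified data; not a trust decision */` would make that explicit, and comparing the leading bytes with the xz magic would be deterministic. The body of `fu_engine_update_metadata_bytes` starts and ends outside both hunks.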