
Merge pull request #25 from uacode/master
Some security fixes
jxlwqq authored Oct 11, 2021
2 parents 6672682 + e014ef0 commit d1aab2c
Showing 3 changed files with 44 additions and 11 deletions.
5 changes: 3 additions & 2 deletions README.md
@@ -34,9 +34,10 @@ Add a disk config in `config/admin.php`:
'extensions' => [

'media-manager' => [

           // Select a local disk that you configured in `config/filesystem.php`
        'disk' => 'public'
        'disk' => 'public',
'allowed_ext' => 'jpg,jpeg,png,pdf,doc,docx,zip'
],
],

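--- a/src/MediaController.php
+++ b/src/MediaController.php
@@ -33,7 +33,14 @@ public function download(Request $request)
 
 $manager = new MediaManager($file);
 
-return $manager->download();
+try {
+return $manager->download();
+} catch (\Exception $e) {
+return response()->json([
+'status' => false,
+'message' => $e->getMessage(),
+]);
+}
 }
 
 public function upload(Request $request)
@@ -69,7 +76,7 @@ public function delete(Request $request)
 }
 } catch (\Exception $e) {
 return response()->json([
-'status' => true,
+'status' => false,
 'message' => $e->getMessage(),
 ]);
 }
@@ -91,7 +98,7 @@ public function move(Request $request)
 }
 } catch (\Exception $e) {
 return response()->json([
-'status' => true,
+'status' => false,
 'message' => $e->getMessage(),
 ]);
 }
@@ -113,7 +120,7 @@ public function newFolder(Request $request)
 }
 } catch (\Exception $e) {
 return response()->json([
-'status' => true,
+'status' => false,
 'message' => $e->getMessage(),
 ]);
 }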
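Review bot: The catch added to download() answers a failed or rejected download with an HTTP 200 JSON body, so at the transport level the failure is indistinguishable from success for clients and for any monitoring or rate-limiting keyed on status codes; the three `'status' => false` corrections in delete(), move() and newFolder() have the same shape. Passing an explicit error status fixes this in one line, `return response()->json(['status' => false, 'message' => $e->getMessage()], 400);`, applied in all four catch blocks. The body also relays `$e->getMessage()` verbatim, which beyond the "Incorrect path" and extension messages raised by MediaManager presumably includes whatever the storage driver throws; a fixed client-facing message with the exception logged server-side would be the safer default. download()'s body begins outside the hunk.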
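--- a/src/MediaManager.php
+++ b/src/MediaManager.php
@@ -26,6 +26,13 @@ class MediaManager extends Extension
 */
 protected $storage;
 
+/**
+* List of allowed extensions.
+*
+* @var string
+*/
+protected $allowed = [];
+
 /**
 * @var array
 */
@@ -50,6 +57,10 @@ public function __construct($path = '/')
 {
 $this->path = $path;
 
+if (!empty(config('admin.extensions.media-manager.allowed_ext'))) {
+$this->allowed = explode(',', config('admin.extensions.media-manager.allowed_ext'));
+}
+
 $this->initStorage();
 }
 
@@ -77,10 +88,10 @@ public function ls()
 $directories = $this->storage->directories($this->path);
 
 return $this->formatDirectories($directories)
-->merge($this->formatFiles($files))
-->sort(function ($item) {
-return $item['name'];
-})->all();
+->merge($this->formatFiles($files))
+->sort(function ($item) {
+return $item['name'];
+})->all();
 }
 
 /**
@@ -92,7 +103,12 @@ public function ls()
 */
 protected function getFullPath($path)
 {
-return $this->storage->getDriver()->getAdapter()->applyPathPrefix($path);
+$path = $this->storage->getDriver()->getAdapter()->applyPathPrefix($path);
+if (strstr($fullPath, '..')) {
+throw new \Exception('Incorrect path');
+}
+
+return $path;
 }
 
 public function download()
@@ -125,6 +141,11 @@ public function delete($path)
 
 public function move($new)
 {
+$ext = pathinfo($new, PATHINFO_EXTENSION);
+if ($this->allowed && !in_array($ext, $this->allowed)) {
+throw new \Exception('File extension '.$ext.' is not allowed');
+}
+
 return $this->storage->move($this->path, $new);
 }
 
@@ -137,6 +158,10 @@ public function move($new)
 public function upload($files = [])
 {
 foreach ($files as $file) {
+if ($this->allowed && !in_array($file->getClientOriginalExtension(), $this->allowed)) {
+throw new \Exception('File extension '.$file->getClientOriginalExtension().' is not allowed');
+}
+
 $this->storage->putFileAs($this->path, $file, $file->getClientOriginalName());
 }
 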
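Review bot: The traversal guard added to getFullPath() tests `$fullPath`, a variable that is never assigned — the prefixed path is stored in `$path` on the line above — so `strstr($fullPath, '..')` is always false, the `Incorrect path` exception can never be thrown, and on PHP 8.1+ the call also emits a null-to-string deprecation; the line should read `if (strpos($path, '..') !== false) {`, and a more robust form would reject `..` segments before the adapter prefix is applied and confirm the resolved path still lies under the storage root instead of substring-matching. The extension checks in move() and upload() compare with a non-strict, case-sensitive `in_array` against a list produced by a bare `explode(',', ...)`, so a configured value such as `jpg, png` (with spaces) or a differently-cased extension is not matched as intended; lower-casing and trimming each configured entry in the constructor and comparing `in_array(strtolower($ext), $this->allowed, true)` makes the allow-list behave predictably. The new `$allowed` docblock says `@var string` while the property is initialised to an array and read as one; `@var string[]` matches the code.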