From 81ffd69701058035aeadefdefbb01e83f3fe2ae3 Mon Sep 17 00:00:00 2001 From: dobs Date: Fri, 8 May 2020 10:37:17 +0300 Subject: [PATCH 1/2] Some security fixes --- README.md | 5 +++-- src/MediaController.php | 42 +++++++++++++++++++++++------------------ src/MediaManager.php | 33 +++++++++++++++++++++++++++----- 3 files changed, 55 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index 49cd7cb..bdbca04 100644 --- a/README.md +++ b/README.md @@ -30,9 +30,10 @@ Add a disk config in `config/admin.php`: 'extensions' => [ 'media-manager' => [ - +            // Select a local disk that you configured in `config/filesystem.php` -         'disk' => 'public' +         'disk' => 'public', + 'allowed_ext' => 'jpg,jpeg,png,pdf,doc,docx,zip' ], ], diff --git a/src/MediaController.php b/src/MediaController.php index 47df705..bccbe3a 100644 --- a/src/MediaController.php +++ b/src/MediaController.php @@ -1,5 +1,4 @@ header('Media manager'); + $content->header('Media manager'); - $path = $request->get('path', '/'); - $view = $request->get('view', 'table'); + $path = $request->get('path', '/'); + $view = $request->get('view', 'table'); - $manager = new MediaManager($path); + $manager = new MediaManager($path); - $content->body(view("laravel-admin-media::$view", [ + $content->body(view("laravel-admin-media::$view", [ 'list' => $manager->ls(), 'nav' => $manager->navigation(), 'url' => $manager->urls(), - ])); - }); + ])); + }); } public function download(Request $request) @@ -33,7 +32,14 @@ public function download(Request $request) $manager = new MediaManager($file); - return $manager->download(); + try { + return $manager->download(); + } catch (\Exception $e) { + return response()->json([ + 'status' => false, + 'message' => $e->getMessage(), + ]); + } } public function upload(Request $request) 
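Review bot: The new catch block in download() hands `$e->getMessage()` to the client inside a normal 200 response; because it catches `\Exception` broadly, a failure inside the storage layer can echo internal paths or driver details, and a browser following the download link receives a JSON body where it expected a file. Log the exception server-side, return a fixed message and use an error status so callers can tell the two cases apart, e.g. `report($e); return response()->json(['status' => false, 'message' => 'Download failed'], 500);`. The delete, move and newFolder hunks of this patch return `$e->getMessage()` the same way, so the same change applies there. The body of download() before the try block lies outside the hunk.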
@@ -63,14 +69,14 @@ public function delete(Request $request) try { if ($manager->delete($files)) { return response()->json([ - 'status' => true, - 'message' => trans('admin.delete_succeeded'), + 'status' => true, + 'message' => trans('admin.delete_succeeded'), ]); } } catch (\Exception $e) { return response()->json([ - 'status' => true, - 'message' => $e->getMessage(), + 'status' => false, + 'message' => $e->getMessage(), ]); } } @@ -85,14 +91,14 @@ public function move(Request $request) try { if ($manager->move($new)) { return response()->json([ - 'status' => true, - 'message' => trans('admin.move_succeeded'), + 'status' => true, + 'message' => trans('admin.move_succeeded'), ]); } } catch (\Exception $e) { return response()->json([ - 'status' => true, - 'message' => $e->getMessage(), + 'status' => false, + 'message' => $e->getMessage(), ]); } } @@ -113,7 +119,7 @@ public function newFolder(Request $request) } } catch (\Exception $e) { return response()->json([ - 'status' => true, + 'status' => false, 'message' => $e->getMessage(), ]); } diff --git a/src/MediaManager.php b/src/MediaManager.php index 68710ff..1858965 100644 --- a/src/MediaManager.php +++ b/src/MediaManager.php @@ -26,6 +26,12 @@ class MediaManager extends Extension */ protected $storage; + /** + * List of allowed extensions. + * @var string + */ + protected $allowed = []; + /** * @var array */ @@ -50,6 +56,10 @@ public function __construct($path = '/') { $this->path = $path; + if (!empty(config('admin.extensions.media-manager.allowed_ext'))) { + $this->allowed = explode(',', config('admin.extensions.media-manager.allowed_ext')); + } + $this->initStorage(); } 
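Review bot: The docblock added for `$allowed` declares `@var string`, but the property is initialised to `[]` and the constructor hunk of this patch assigns the result of `explode()`, so the annotation contradicts the code and misleads static analysis; change it to ` * @var string[]`. Patch 2/2 edits the same docblock (it inserts a blank ` *` line) and keeps the wrong type, so the fix applies to that hunk as well.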
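Review bot: `explode(',', …)` keeps every entry exactly as written in config, so a value such as `jpg, png` yields `' png'`, which never matches the `in_array` checks in the move and upload hunks of this patch, and a configured `JPG` will not match a `jpg` extension (or vice versa) because `in_array` compares strings case-sensitively. Normalise once in the constructor, `$this->allowed = array_map(static function ($e) { return strtolower(trim($e)); }, explode(',', $raw));` where `$raw` holds the `config()` value, and have both consumers compare with `in_array(strtolower($ext), $this->allowed, true)`. Reading the config value into that local also avoids calling `config()` twice for the same key.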
@@ -77,10 +87,10 @@ public function ls() $directories = $this->storage->directories($this->path); return $this->formatDirectories($directories) - ->merge($this->formatFiles($files)) - ->sort(function ($item) { - return $item['name']; - })->all(); + ->merge($this->formatFiles($files)) + ->sort(function ($item) { + return $item['name']; + })->all(); } /** @@ -92,7 +102,11 @@ public function ls() */ protected function getFullPath($path) { - return $this->storage->getDriver()->getAdapter()->applyPathPrefix($path); + $path = $this->storage->getDriver()->getAdapter()->applyPathPrefix($path); + if (strstr($fullPath, '..')) { + throw new \Exception('Incorrect path'); + } + return $path; } public function download() @@ -125,6 +139,11 @@ public function delete($path) public function move($new) { + $ext = pathinfo($new, PATHINFO_EXTENSION); + if ($this->allowed && !in_array($ext, $this->allowed)) { + throw new \Exception('File extension ' . $ext . ' is not allowed'); + } + return $this->storage->move($this->path, $new); } @@ -137,6 +156,10 @@ public function move($new) public function upload($files = []) { foreach ($files as $file) { + if ($this->allowed && !in_array($file->getClientOriginalExtension(), $this->allowed)) { + throw new \Exception('File extension ' . $file->getClientOriginalExtension() . ' is not allowed'); + } + $this->storage->putFileAs($this->path, $file, $file->getClientOriginalName()); } From e014ef07c89c0bd9dc6513bd4cd714ff3fb0f6a6 Mon Sep 17 00:00:00 2001 From: dobs Date: Fri, 8 May 2020 11:00:13 +0300 Subject: [PATCH 2/2] CI fix --- src/MediaController.php | 33 +++++++++++++++++---------------- src/MediaManager.php | 6 ++++-- 2 files changed, 21 insertions(+), 18 deletions(-) diff --git a/src/MediaController.php b/src/MediaController.php index bccbe3a..f6b96a3 100644 --- a/src/MediaController.php +++ b/src/MediaController.php 
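Review bot: `strstr($fullPath, '..')` tests a variable that is never assigned — the prefixed path is stored in `$path` on the line above — so strstr() receives null, returns false, and the traversal guard this hunk introduces can never fire; getFullPath() returns the unchecked path. Change the condition to `if (strpos($path, '..') !== false) {`. Patch 2/2 touches this method again (it adds a blank line before `return $path;`) and leaves the typo in place. Note also that a substring test rejects legitimate names such as `a..b.txt` and runs after `applyPathPrefix()`; checking the segments of the relative path first, e.g. `in_array('..', explode('/', $path), true)`, is more precise, and whether the adapter already normalises `..` is not visible here.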
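Review bot: `pathinfo($new, PATHINFO_EXTENSION)` returns `''` for a target name without a dot, so once `allowed_ext` is configured this check throws `File extension  is not allowed` for every such move; if move() is also used to rename directories, which the `directories()` handling in ls() suggests but the hunk does not show, those renames are blocked too. Make the policy explicit, either by treating an empty extension as permitted, `if ($ext !== '' && $this->allowed && !in_array($ext, $this->allowed, true)) {`, or by skipping the check when `$this->path` is a directory, and record the decision in a one-line comment above the check.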
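Review bot: The extension check sits inside the loop that already calls `putFileAs()`, so when the third file of a batch is rejected the first two have been written to storage while the controller reports a failure; validate every entry before storing any of them. The extension is read from the client-supplied filename (`getClientOriginalExtension()`), which is the right value to compare against a name allowlist, but a content-based check (`$file->getMimeType()` or `$file->guessExtension()`) alongside it would catch files whose name does not reflect their content. The closing brace of upload() lies outside the hunk.
```php
    public function upload($files = [])
    {
        // Reject the whole batch before anything is written, so one bad
        // entry cannot leave earlier files from the same request in storage.
        foreach ($files as $file) {
            if ($this->allowed && !in_array($file->getClientOriginalExtension(), $this->allowed)) {
                throw new \Exception('File extension ' . $file->getClientOriginalExtension() . ' is not allowed');
            }
        }

        foreach ($files as $file) {
            $this->storage->putFileAs($this->path, $file, $file->getClientOriginalName());
        }
        // … unchanged: remainder of upload() …
```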
@@ -1,4 +1,5 @@ header('Media manager'); + $content->header('Media manager'); - $path = $request->get('path', '/'); - $view = $request->get('view', 'table'); + $path = $request->get('path', '/'); + $view = $request->get('view', 'table'); - $manager = new MediaManager($path); + $manager = new MediaManager($path); - $content->body(view("laravel-admin-media::$view", [ + $content->body(view("laravel-admin-media::$view", [ 'list' => $manager->ls(), 'nav' => $manager->navigation(), 'url' => $manager->urls(), - ])); - }); + ])); + }); } public function download(Request $request) @@ -36,7 +37,7 @@ public function download(Request $request) return $manager->download(); } catch (\Exception $e) { return response()->json([ - 'status' => false, + 'status' => false, 'message' => $e->getMessage(), ]); } @@ -69,14 +70,14 @@ public function delete(Request $request) try { if ($manager->delete($files)) { return response()->json([ - 'status' => true, - 'message' => trans('admin.delete_succeeded'), + 'status' => true, + 'message' => trans('admin.delete_succeeded'), ]); } } catch (\Exception $e) { return response()->json([ - 'status' => false, - 'message' => $e->getMessage(), + 'status' => false, + 'message' => $e->getMessage(), ]); } } @@ -91,14 +92,14 @@ public function move(Request $request) try { if ($manager->move($new)) { return response()->json([ - 'status' => true, - 'message' => trans('admin.move_succeeded'), + 'status' => true, + 'message' => trans('admin.move_succeeded'), ]); } } catch (\Exception $e) { return response()->json([ - 'status' => false, - 'message' => $e->getMessage(), + 'status' => false, + 'message' => $e->getMessage(), ]); } } diff --git a/src/MediaManager.php b/src/MediaManager.php index 1858965..a8357da 100644 --- a/src/MediaManager.php +++ b/src/MediaManager.php @@ -28,6 +28,7 @@ class MediaManager extends Extension /** * List of allowed extensions. + * * @var string */ protected $allowed = []; 
@@ -106,6 +107,7 @@ protected function getFullPath($path) if (strstr($fullPath, '..')) { throw new \Exception('Incorrect path'); } + return $path; } @@ -141,7 +143,7 @@ public function move($new) { $ext = pathinfo($new, PATHINFO_EXTENSION); if ($this->allowed && !in_array($ext, $this->allowed)) { - throw new \Exception('File extension ' . $ext . ' is not allowed'); + throw new \Exception('File extension '.$ext.' is not allowed'); } return $this->storage->move($this->path, $new); @@ -157,7 +159,7 @@ public function upload($files = []) { foreach ($files as $file) { if ($this->allowed && !in_array($file->getClientOriginalExtension(), $this->allowed)) { - throw new \Exception('File extension ' . $file->getClientOriginalExtension() . ' is not allowed'); + throw new \Exception('File extension '.$file->getClientOriginalExtension().' is not allowed'); } $this->storage->putFileAs($this->path, $file, $file->getClientOriginalName());