
Commit 81ffd69

committed
Some security fixes
1 parent 08ef816 commit 81ffd69


3 files changed

+55
-25
lines changed


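--- a/README.md
+++ b/README.md
@@ -30,9 +30,10 @@ Add a disk config in `config/admin.php`:
 'extensions' => [
 
 'media-manager' => [
-
+
            // Select a local disk that you configured in `config/filesystem.php`
-        'disk' => 'public'
+        'disk' => 'public',
+'allowed_ext' => 'jpg,jpeg,png,pdf,doc,docx,zip'
 ],
 ],
 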

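--- a/src/MediaController.php
+++ b/src/MediaController.php
@@ -1,5 +1,4 @@
 <?php
-
 namespace Encore\Admin\Media;
 
 use Encore\Admin\Facades\Admin;
@@ -12,19 +11,19 @@ class MediaController extends Controller
 public function index(Request $request)
 {
 return Admin::content(function (Content $content) use ($request) {
-$content->header('Media manager');
+$content->header('Media manager');
 
-$path = $request->get('path', '/');
-$view = $request->get('view', 'table');
+$path = $request->get('path', '/');
+$view = $request->get('view', 'table');
 
-$manager = new MediaManager($path);
+$manager = new MediaManager($path);
 
-$content->body(view("laravel-admin-media::$view", [
+$content->body(view("laravel-admin-media::$view", [
 'list' => $manager->ls(),
 'nav' => $manager->navigation(),
 'url' => $manager->urls(),
-]));
-});
+]));
+});
 }
 
 public function download(Request $request)
@@ -33,7 +32,14 @@ public function download(Request $request)
 
 $manager = new MediaManager($file);
 
-return $manager->download();
+try {
+return $manager->download();
+} catch (\Exception $e) {
+return response()->json([
+'status' => false,
+'message' => $e->getMessage(),
+]);
+}
 }
 
 public function upload(Request $request)
@@ -63,14 +69,14 @@ public function delete(Request $request)
 try {
 if ($manager->delete($files)) {
 return response()->json([
-'status' => true,
-'message' => trans('admin.delete_succeeded'),
+'status' => true,
+'message' => trans('admin.delete_succeeded'),
 ]);
 }
 } catch (\Exception $e) {
 return response()->json([
-'status' => true,
-'message' => $e->getMessage(),
+'status' => false,
+'message' => $e->getMessage(),
 ]);
 }
 }
@@ -85,14 +91,14 @@ public function move(Request $request)
 try {
 if ($manager->move($new)) {
 return response()->json([
-'status' => true,
-'message' => trans('admin.move_succeeded'),
+'status' => true,
+'message' => trans('admin.move_succeeded'),
 ]);
 }
 } catch (\Exception $e) {
 return response()->json([
-'status' => true,
-'message' => $e->getMessage(),
+'status' => false,
+'message' => $e->getMessage(),
 ]);
 }
 }
@@ -113,7 +119,7 @@ public function newFolder(Request $request)
 }
 } catch (\Exception $e) {
 return response()->json([
-'status' => true,
+'status' => false,
 'message' => $e->getMessage(),
 ]);
 }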
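Review bot: The new catch in download() (hunk @@ -33,7 +32,14) hands `$e->getMessage()` to the client verbatim under an HTTP 200, and messages raised by the storage layer or by MediaManager's own checks can carry server-side path details that an admin UI does not need to echo. Log the exception and return a fixed message with an error status, e.g. `return response()->json(['status' => false, 'message' => 'Download failed'], 400);` (the message text here is a constructed sample); the same applies to the `'status' => false` catch blocks in the delete(), move() and newFolder() hunks, where a failed request is otherwise indistinguishable from success by status code. download()'s body begins outside the hunk. Separately, index() still interpolates the request-supplied `$view` into the view name `"laravel-admin-media::$view"`; validating it against the view names the package ships (only `'table'` is visible here) with `in_array($view, [...], true)` would keep a request from selecting other templates in that namespace.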

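--- a/src/MediaManager.php
+++ b/src/MediaManager.php
@@ -26,6 +26,12 @@ class MediaManager extends Extension
 */
 protected $storage;
 
+/**
+* List of allowed extensions.
+* @var string
+*/
+protected $allowed = [];
+
 /**
 * @var array
 */
@@ -50,6 +56,10 @@ public function __construct($path = '/')
 {
 $this->path = $path;
 
+if (!empty(config('admin.extensions.media-manager.allowed_ext'))) {
+$this->allowed = explode(',', config('admin.extensions.media-manager.allowed_ext'));
+}
+
 $this->initStorage();
 }
 
@@ -77,10 +87,10 @@ public function ls()
 $directories = $this->storage->directories($this->path);
 
 return $this->formatDirectories($directories)
-->merge($this->formatFiles($files))
-->sort(function ($item) {
-return $item['name'];
-})->all();
+->merge($this->formatFiles($files))
+->sort(function ($item) {
+return $item['name'];
+})->all();
 }
 
 /**
@@ -92,7 +102,11 @@ public function ls()
 */
 protected function getFullPath($path)
 {
-return $this->storage->getDriver()->getAdapter()->applyPathPrefix($path);
+$path = $this->storage->getDriver()->getAdapter()->applyPathPrefix($path);
+if (strstr($fullPath, '..')) {
+throw new \Exception('Incorrect path');
+}
+return $path;
 }
 
 public function download()
@@ -125,6 +139,11 @@ public function delete($path)
 
 public function move($new)
 {
+$ext = pathinfo($new, PATHINFO_EXTENSION);
+if ($this->allowed && !in_array($ext, $this->allowed)) {
+throw new \Exception('File extension ' . $ext . ' is not allowed');
+}
+
 return $this->storage->move($this->path, $new);
 }
 
@@ -137,6 +156,10 @@ public function move($new)
 public function upload($files = [])
 {
 foreach ($files as $file) {
+if ($this->allowed && !in_array($file->getClientOriginalExtension(), $this->allowed)) {
+throw new \Exception('File extension ' . $file->getClientOriginalExtension() . ' is not allowed');
+}
+
 $this->storage->putFileAs($this->path, $file, $file->getClientOriginalName());
 }
 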
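Review bot: The traversal guard added to getFullPath (hunk @@ -92,7 +102,11) tests `$fullPath`, but the value just computed is stored in `$path`, so the condition reads an undefined variable, is always false, and the `'Incorrect path'` exception can never be thrown; the line should read `if (strstr($path, '..')) {`. Even once fixed, scanning the prefixed string for `..` is a weaker guarantee than checking that the resolved path still begins with the adapter's prefix, so consider comparing against the prefix instead of the substring. The docblock on the new `$allowed` property says `@var string` while the property holds an array; `@var string[]` matches the code. In the move() and upload() hunks the allowlist comparison is non-strict and does not trim or lower-case either side, so a config value such as `jpg, png` leaves ` png` unmatched and `JPG` is rejected while `jpg` passes; `in_array(strtolower($ext), array_map('trim', $this->allowed), true)` would make the check behave as the config author expects. upload()'s body continues past the hunk.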
