Merge pull request #25 from uacode/master

jxlwqq · web-flow · commit d1aab2c40b11 · 2021-10-11T17:59:41.000+08:00
Some security fixes
diff --git a/README.md b/README.md
@@ -34,9 +34,10 @@ Add a disk config in `config/admin.php`:
     'extensions' => [
 
         'media-manager' => [
-        
+
             // Select a local disk that you configured in `config/filesystem.php`
-            'disk' => 'public'
+            'disk' => 'public',
+            'allowed_ext' => 'jpg,jpeg,png,pdf,doc,docx,zip'
         ],
     ],
 
diff --git a/src/MediaController.php b/src/MediaController.php
@@ -33,7 +33,14 @@ public function download(Request $request)
 
         $manager = new MediaManager($file);
 
-        return $manager->download();
+        try {
+            return $manager->download();
+        } catch (\Exception $e) {
+            return response()->json([
+                'status'  => false,
+                'message' => $e->getMessage(),
+            ]);
+        }
     }
 
     public function upload(Request $request)
@@ -69,7 +76,7 @@ public function delete(Request $request)
             }
         } catch (\Exception $e) {
             return response()->json([
-                'status'  => true,
+                'status'  => false,
                 'message' => $e->getMessage(),
             ]);
         }
@@ -91,7 +98,7 @@ public function move(Request $request)
             }
         } catch (\Exception $e) {
             return response()->json([
-                'status'  => true,
+                'status'  => false,
                 'message' => $e->getMessage(),
             ]);
         }
@@ -113,7 +120,7 @@ public function newFolder(Request $request)
             }
         } catch (\Exception $e) {
             return response()->json([
-                'status'  => true,
+                'status'  => false,
                 'message' => $e->getMessage(),
             ]);
         }
diff --git a/src/MediaManager.php b/src/MediaManager.php
@@ -26,6 +26,13 @@ class MediaManager extends Extension
      */
     protected $storage;
 
+    /**
+     * List of allowed extensions.
+     *
+     * @var string
+     */
+    protected $allowed = [];
+
     /**
      * @var array
      */
@@ -50,6 +57,10 @@ public function __construct($path = '/')
     {
         $this->path = $path;
 
+        if (!empty(config('admin.extensions.media-manager.allowed_ext'))) {
+            $this->allowed = explode(',', config('admin.extensions.media-manager.allowed_ext'));
+        }
+
         $this->initStorage();
     }
 
@@ -77,10 +88,10 @@ public function ls()
         $directories = $this->storage->directories($this->path);
 
         return $this->formatDirectories($directories)
-            ->merge($this->formatFiles($files))
-            ->sort(function ($item) {
-                return $item['name'];
-            })->all();
+                ->merge($this->formatFiles($files))
+                ->sort(function ($item) {
+                    return $item['name'];
+                })->all();
     }
 
     /**
@@ -92,7 +103,12 @@ public function ls()
      */
     protected function getFullPath($path)
     {
-        return $this->storage->getDriver()->getAdapter()->applyPathPrefix($path);
+        $path = $this->storage->getDriver()->getAdapter()->applyPathPrefix($path);
+        if (strstr($fullPath, '..')) {
+            throw new \Exception('Incorrect path');
+        }
+
+        return $path;
     }
 
     public function download()
@@ -125,6 +141,11 @@ public function delete($path)
 
     public function move($new)
     {
+        $ext = pathinfo($new, PATHINFO_EXTENSION);
+        if ($this->allowed && !in_array($ext, $this->allowed)) {
+            throw new \Exception('File extension '.$ext.' is not allowed');
+        }
+
         return $this->storage->move($this->path, $new);
     }
 
@@ -137,6 +158,10 @@ public function move($new)
     public function upload($files = [])
     {
         foreach ($files as $file) {
+            if ($this->allowed && !in_array($file->getClientOriginalExtension(), $this->allowed)) {
+                throw new \Exception('File extension '.$file->getClientOriginalExtension().' is not allowed');
+            }
+
             $this->storage->putFileAs($this->path, $file, $file->getClientOriginalName());
         }
 

Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,14 @@ public function download(Request $request)`
`33`	`33`
`34`	`34`	`$manager = new MediaManager($file);`
`35`	`35`
`36`		`- return $manager->download();`
	`36`	`+ try {`
	`37`	`+ return $manager->download();`
	`38`	`+ } catch (\Exception $e) {`
	`39`	`+ return response()->json([`
	`40`	`+ 'status' => false,`
	`41`	`+ 'message' => $e->getMessage(),`
	`42`	`+ ]);`
	`43`	`+ }`
`37`	`44`	`}`
`38`	`45`
`39`	`46`	`public function upload(Request $request)`
`@@ -69,7 +76,7 @@ public function delete(Request $request)`
`69`	`76`	`}`
`70`	`77`	`} catch (\Exception $e) {`
`71`	`78`	`return response()->json([`
`72`		`- 'status' => true,`
	`79`	`+ 'status' => false,`
`73`	`80`	`'message' => $e->getMessage(),`
`74`	`81`	`]);`
`75`	`82`	`}`
`@@ -91,7 +98,7 @@ public function move(Request $request)`
`91`	`98`	`}`
`92`	`99`	`} catch (\Exception $e) {`
`93`	`100`	`return response()->json([`
`94`		`- 'status' => true,`
	`101`	`+ 'status' => false,`
`95`	`102`	`'message' => $e->getMessage(),`
`96`	`103`	`]);`
`97`	`104`	`}`
`@@ -113,7 +120,7 @@ public function newFolder(Request $request)`
`113`	`120`	`}`
`114`	`121`	`} catch (\Exception $e) {`
`115`	`122`	`return response()->json([`
`116`		`- 'status' => true,`
	`123`	`+ 'status' => false,`
`117`	`124`	`'message' => $e->getMessage(),`
`118`	`125`	`]);`
`119`	`126`	`}`