archive/BookStackApp_BookStack
0
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-04-19 19:13:21 +00:00
Code Issues Projects Releases Wiki Activity

Sessions: Prevent image urls being part of session URL history

Browse source 
To prevent them being considered for redirects.
Includes test to cover.
For
This commit is contained in:
Dan Brown 2024-02-22 11:22:08 +00:00
parent 055bbf17de
commit a75d5b8bc1
No known key found for this signature in database
GPG key ID: 46D9F943C24A2EF9
3 changed files with 58 additions and 1 deletions

2
app/Http/Kernel.php
View file

@ -28,7 +28,7 @@ class Kernel extends HttpKernel
\BookStack\Http\Middleware\ApplyCspRules::class, \BookStack\Http\Middleware\ApplyCspRules::class,
\BookStack\Http\Middleware\EncryptCookies::class, \BookStack\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class, \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class, \BookStack\Http\Middleware\StartSessionExtended::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class, \Illuminate\View\Middleware\ShareErrorsFromSession::class,
\BookStack\Http\Middleware\VerifyCsrfToken::class, \BookStack\Http\Middleware\VerifyCsrfToken::class,
\BookStack\Http\Middleware\CheckEmailConfirmed::class, \BookStack\Http\Middleware\CheckEmailConfirmed::class,

34
app/Http/Middleware/StartSessionExtended.php Normal file
View file

@ -0,0 +1,34 @@
<?php
namespace BookStack\Http\Middleware;
use Illuminate\Http\Request;
use Illuminate\Session\Middleware\StartSession as Middleware;
/**
* An extended version of the default Laravel "StartSession" middleware
* with customizations applied as required:
*
* - Adds filtering for the request URLs stored in session history.
*/
class StartSessionExtended extends Middleware
{
protected static array $pathPrefixesExcludedFromHistory = [
'uploads/images/'
];
/**
* @inheritdoc
*/
protected function storeCurrentUrl(Request $request, $session): void
{
$requestPath = strtolower($request->path());
foreach (static::$pathPrefixesExcludedFromHistory as $excludedPath) {
if (str_starts_with($requestPath, $excludedPath)) {
return;
}
}
parent::storeCurrentUrl($request, $session);
}
}

23
tests/Uploads/ImageTest.php
View file

@ -383,6 +383,29 @@ class ImageTest extends TestCase
} }
} }
public function test_secure_images_not_tracked_in_session_history()
{
config()->set('filesystems.images', 'local_secure');
$this->asEditor();
$page = $this->entities->page();
$result = $this->files->uploadGalleryImageToPage($this, $page);
$expectedPath = storage_path($result['path']);
$this->assertFileExists($expectedPath);
$this->get('/books');
$this->assertEquals(url('/books'), session()->previousUrl());
$resp = $this->get($result['path']);
$resp->assertOk();
$resp->assertHeader('Content-Type', 'image/png');
$this->assertEquals(url('/books'), session()->previousUrl());
if (file_exists($expectedPath)) {
unlink($expectedPath);
}
}
public function test_system_images_remain_public_with_local_secure_restricted() public function test_system_images_remain_public_with_local_secure_restricted()
{ {
config()->set('filesystems.images', 'local_secure_restricted'); config()->set('filesystems.images', 'local_secure_restricted');