archive/BookStackApp_BookStack
0
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-05-03 15:59:57 +00:00
Code Issues Projects Releases Wiki Activity

Updated attachments to not be saved with a complete extension

Browse source 
Intended to limit impact in the event the storage path is potentially
exposed.
This commit is contained in:
Dan Brown 2021-11-01 11:32:00 +00:00
parent 4360da03d4
commit bfbccbede1
No known key found for this signature in database
GPG key ID: 46D9F943C24A2EF9
4 changed files with 5 additions and 4 deletions

2
app/Auth/User.php
View file

@ -27,7 +27,7 @@ use Illuminate\Support\Collection;
/** /**
* Class User. * Class User.
* *
* @property string $id * @property int $id
* @property string $name * @property string $name
* @property string $slug * @property string $slug
* @property string $email * @property string $email

2
app/Uploads/AttachmentService.php
View file

@ -216,7 +216,7 @@ class AttachmentService
$storage = $this->getStorageDisk(); $storage = $this->getStorageDisk();
$basePath = 'uploads/files/' . date('Y-m-M') . '/'; $basePath = 'uploads/files/' . date('Y-m-M') . '/';
$uploadFileName = Str::random(16) . '.' . $uploadedFile->getClientOriginalExtension(); $uploadFileName = Str::random(16) . '-' . $uploadedFile->getClientOriginalExtension();
while ($storage->exists($this->adjustPathForStorageDisk($basePath . $uploadFileName))) { while ($storage->exists($this->adjustPathForStorageDisk($basePath . $uploadFileName))) {
$uploadFileName = Str::random(3) . $uploadFileName; $uploadFileName = Str::random(3) . $uploadFileName;
} }

2
app/Uploads/ImageService.php
View file

@ -11,11 +11,11 @@ use Illuminate\Contracts\Filesystem\FileNotFoundException;
use Illuminate\Contracts\Filesystem\Filesystem as FileSystemInstance; use Illuminate\Contracts\Filesystem\Filesystem as FileSystemInstance;
use Illuminate\Contracts\Filesystem\Filesystem as Storage; use Illuminate\Contracts\Filesystem\Filesystem as Storage;
use Illuminate\Support\Facades\DB; use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Str; use Illuminate\Support\Str;
use Intervention\Image\Exception\NotSupportedException; use Intervention\Image\Exception\NotSupportedException;
use Intervention\Image\ImageManager; use Intervention\Image\ImageManager;
use League\Flysystem\Util; use League\Flysystem\Util;
use Log;
use Psr\SimpleCache\InvalidArgumentException; use Psr\SimpleCache\InvalidArgumentException;
use Symfony\Component\HttpFoundation\File\UploadedFile; use Symfony\Component\HttpFoundation\File\UploadedFile;
use Symfony\Component\HttpFoundation\StreamedResponse; use Symfony\Component\HttpFoundation\StreamedResponse;

3
tests/Uploads/AttachmentTest.php
View file

@ -109,7 +109,8 @@ class AttachmentTest extends TestCase
$attachment = Attachment::query()->orderBy('id', 'desc')->first(); $attachment = Attachment::query()->orderBy('id', 'desc')->first();
$this->assertStringNotContainsString($fileName, $attachment->path); $this->assertStringNotContainsString($fileName, $attachment->path);
$this->assertStringEndsWith('.txt', $attachment->path); $this->assertStringEndsWith('-txt', $attachment->path);
$this->deleteUploads();
} }
public function test_file_display_and_access() public function test_file_display_and_access()