webapp/bookstack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-07-30 04:23:11 +03:00
Code Activity

Updated showImage file serving to not be traversable

Browse Source 
For #3030
This commit is contained in:
Dan Brown
2021-10-31 23:53:17 +00:00
parent ae155d6745
commit 43830a372f
4 changed files with 84 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
tests/Uploads/ImageTest.php
View File

@ -241,6 +241,36 @@ class ImageTest extends TestCase
}
}
public function test_secure_image_paths_traversal_causes_500()
{
config()->set('filesystems.images', 'local_secure');
$this->asEditor();
$resp = $this->get('/uploads/images/../../logs/laravel.log');
$resp->assertStatus(500);
}
public function test_secure_image_paths_traversal_on_non_secure_images_causes_404()
{
config()->set('filesystems.images', 'local');
$this->asEditor();
$resp = $this->get('/uploads/images/../../logs/laravel.log');
$resp->assertStatus(404);
}
public function test_secure_image_paths_dont_serve_non_images()
{
config()->set('filesystems.images', 'local_secure');
$this->asEditor();
$testFilePath = storage_path('/uploads/images/testing.txt');
file_put_contents($testFilePath, 'hello from test_secure_image_paths_dont_serve_non_images');
$resp = $this->get('/uploads/images/testing.txt');
$resp->assertStatus(404);
}
public function test_secure_images_included_in_exports()
{
config()->set('filesystems.images', 'local_secure');