From 4595d19b8db1ed258bbfa24ac2af8768c105354d Mon Sep 17 00:00:00 2001
From: Marvin Borner
Date: Fri, 27 Apr 2018 17:28:52 +0200
Subject: Added many security/verifying things for image upload
---
main/app/sprinkles/admin/routes/posts.php | 4 +-
.../admin/src/Controller/PostController.php | 62 ++++++++--------------
.../core/src/ServicesProvider/ServicesProvider.php | 3 --
.../sprinkles/core/templates/pages/test.html.twig | 19 ++-----
4 files changed, 30 insertions(+), 58 deletions(-)
diff --git a/main/app/sprinkles/admin/routes/posts.php b/main/app/sprinkles/admin/routes/posts.php
index ebc2cda..918af24 100644
--- a/main/app/sprinkles/admin/routes/posts.php
+++ b/main/app/sprinkles/admin/routes/posts.php
@@ -10,6 +10,8 @@
* Routes for posting.
*/
+$app->get('/image/{PostID}', 'UserFrosting\Sprinkle\Admin\Controller\PostController:postImage')->add('authGuard');
+
$app->group('/api/posts', function () {
$this->post('/image', 'UserFrosting\Sprinkle\Admin\Controller\PostController:postImage');
-})->add('authGuard');
+})->add('authGuard');
\ No newline at end of file
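Review bot: The new GET route on `/image/{PostID}` is wired to `PostController:postImage`, but the controller change in this commit adds `showImage` as the handler that reads `$args['PostID']`, and `postImage`'s new signature no longer accepts `$args` at all, so a GET with a PostID would invoke the upload handler instead. The route should point at the new method: `$app->get('/image/{PostID}', 'UserFrosting\Sprinkle\Admin\Controller\PostController:showImage')->add('authGuard');`. The file also ends without a trailing newline on both sides; worth restoring while touching it.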
diff --git a/main/app/sprinkles/admin/src/Controller/PostController.php b/main/app/sprinkles/admin/src/Controller/PostController.php
index a3015f7..9f63b50 100644
--- a/main/app/sprinkles/admin/src/Controller/PostController.php
+++ b/main/app/sprinkles/admin/src/Controller/PostController.php
@@ -8,6 +8,7 @@
namespace UserFrosting\Sprinkle\Admin\Controller;
+use function GuzzleHttp\Psr7\str;
use UserFrosting\Fortress\RequestDataTransformer;
use UserFrosting\Fortress\RequestSchema;
use UserFrosting\Fortress\ServerSideValidator;
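Review bot: The added `use function GuzzleHttp\Psr7\str;` is not referenced by any line this commit adds, so it looks like an IDE auto-import; if nothing outside the visible hunks calls `str(...)`, it should be dropped rather than left as a dead dependency on a Guzzle helper. Conversely, the new `postImage(Request $request, Response $response)` signature later in this file needs `Request` and `Response` resolvable in this namespace; the visible `use` block shows only `UploadedFile` from `Slim\Http`, so please confirm those two imports exist above the hunk or add `use Slim\Http\Request;` and `use Slim\Http\Response;`.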
@@ -25,15 +26,24 @@ use Slim\Http\UploadedFile;
*/
class PostController extends SimpleController
{
- public function postImage($request, $response, $args) {
+ public function showImage($request, $response, $args) {
+
+ $authorizer = $this->ci->authorizer;
+ $currentUser = $this->ci->currentUser;
+ if (!$authorizer->checkAccess($currentUser, 'view_image')) {
+ throw new ForbiddenException();
+ }
+
+ $postID = $args['PostID'];
+ }
+
+ public function postImage(Request $request, Response $response) {
function moveUploadedFile($directory, UploadedFile $uploadedFile) {
$extension = pathinfo($uploadedFile->getClientFilename(), PATHINFO_EXTENSION);
$basename = bin2hex(random_bytes(8)); // see http://php.net/manual/en/function.random-bytes.php
$filename = sprintf('%s.%0.8s', $basename, $extension);
-
$uploadedFile->moveTo($directory . DIRECTORY_SEPARATOR . $filename);
-
return $filename;
}
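Review bot: `moveUploadedFile` is now declared as a nested `function` inside the body of `postImage`; in PHP that declares a global function at the moment the enclosing method runs, so a second call to `postImage` within one process (a long-running worker, a test suite, or the method being invoked twice in a request) fails with a fatal "Cannot redeclare function" error. It should be a method instead, `private function moveUploadedFile(string $directory, UploadedFile $uploadedFile): string`, invoked as `$this->moveUploadedFile($directory, $uploadedFile)`, which also restores the docblock the commit deletes further down. The new `showImage` reads `$args['PostID']` into `$postID` and then returns nothing, so the GET route currently yields an empty response; if it is a placeholder, a short comment such as `// TODO: load the post image for $postID and stream it in the response` would make that explicit. The body of `postImage` continues past the end of this hunk.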
@@ -43,46 +53,20 @@ class PostController extends SimpleController
throw new ForbiddenException();
}
- $directory = $_SERVER['DOCUMENT_ROOT'] . '/beam/social/main/uploads/';
+ $directory = __DIR__ . '/../../../../../uploads'; // It's ugly but it is flexible..
$uploadedFiles = $request->getUploadedFiles();
- $uploadedFile = $uploadedFiles['example1'];
- if ($uploadedFile->getError() === UPLOAD_ERR_OK) {
+ $uploadedFile = $uploadedFiles['image'];
+
+ if (!strpos($uploadedFile->getClientMediaType(), "mage")) {
+ return $response->withStatus(415);
+ } else if ($uploadedFile->getError() === 1) {
+ return $response->withStatus(406);
+ } else if ($uploadedFile->getSize() > 10485760) {
+ return $response->withStatus(413);
+ } else {
$filename = moveUploadedFile($directory, $uploadedFile);
$response->write('uploaded ' . $filename . '
');
}
-
- foreach ($uploadedFiles['example2'] as $uploadedFile) {
- if ($uploadedFile->getError() === UPLOAD_ERR_OK) {
- $filename = moveUploadedFile($directory, $uploadedFile);
- $response->write('uploaded ' . $filename . '
');
- }
- }
-
- foreach ($uploadedFiles['example3'] as $uploadedFile) {
- if ($uploadedFile->getError() === UPLOAD_ERR_OK) {
- $filename = moveUploadedFile($directory, $uploadedFile);
- $response->write('uploaded ' . $filename . '
');
- }
- }
- }
-
- /**
- * Moves the uploaded file to the upload directory and assigns it a unique name
- * to avoid overwriting an existing uploaded file.
- *
- * @param string $directory directory to which the file is moved
- * @param UploadedFile $uploaded file uploaded file to move
- * @return string filename of moved file
- */
- function moveUploadedFile($directory, UploadedFile $uploadedFile)
- {
- $extension = pathinfo($uploadedFile->getClientFilename(), PATHINFO_EXTENSION);
- $basename = bin2hex(random_bytes(8)); // see http://php.net/manual/en/function.random-bytes.php
- $filename = sprintf('%s.%0.8s', $basename, $extension);
-
- $uploadedFile->moveTo($directory . DIRECTORY_SEPARATOR . $filename);
-
- return $filename;
}
protected function getUserFromParams($params) {
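Review bot: The new validation chain still lets a failed upload through: `getError() === 1` only matches `UPLOAD_ERR_INI_SIZE`, so partial uploads, a missing file and the other `UPLOAD_ERR_*` codes fall into the final `else` and reach `moveTo()`; it should be `getError() !== UPLOAD_ERR_OK`, and `$uploadedFiles['image']` should be guarded with `isset`/`??` since a request without that field makes `$uploadedFile` null and the method call fatal. The type check on `getClientMediaType()` reads the Content-Type the client put on the multipart part, which is fully under the uploader's control, and the stored extension in `moveUploadedFile` comes from the client filename, so the server-side check the commit title promises is not actually in place: detect the type from the file contents with `finfo` and derive the extension from an allowlist keyed by the detected type, rather than from the client-supplied name. The `strpos(..., "mage")` substring test should then go entirely. The sketch below assumes Slim's `UploadedFile::getStream()` exposes the temp path via `getMetadata('uri')` (confirm against the Slim version in use) and that `moveUploadedFile` is changed to accept the chosen extension.
```php
$uploadedFile = $uploadedFiles['image'] ?? null;
if ($uploadedFile === null || $uploadedFile->getError() !== UPLOAD_ERR_OK) {
    return $response->withStatus(400);
}
if ($uploadedFile->getSize() > 10485760) {
    return $response->withStatus(413);
}
// Decide the type from the bytes on disk, not the client's Content-Type, and
// choose the stored extension from this allowlist instead of the client filename.
$allowedTypes = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
$detectedType = (new \finfo(FILEINFO_MIME_TYPE))->file($uploadedFile->getStream()->getMetadata('uri'));
if (!isset($allowedTypes[$detectedType])) {
    return $response->withStatus(415);
}
$filename = $this->moveUploadedFile($directory, $uploadedFile, $allowedTypes[$detectedType]);
// … unchanged: response write …
```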
diff --git a/main/app/sprinkles/core/src/ServicesProvider/ServicesProvider.php b/main/app/sprinkles/core/src/ServicesProvider/ServicesProvider.php
index 3f562a9..c67b886 100644
--- a/main/app/sprinkles/core/src/ServicesProvider/ServicesProvider.php
+++ b/main/app/sprinkles/core/src/ServicesProvider/ServicesProvider.php
@@ -235,9 +235,6 @@ class ServicesProvider
// Hacky fix to prevent sessions from being hit too much: ignore CSRF middleware for requests for raw assets ;-)
// See https://github.com/laravel/framework/issues/8172#issuecomment-99112012 for more information on why it's bad to hit Laravel sessions multiple times in rapid succession.
$csrfBlacklist = $config['csrf.blacklist'];
- $csrfBlacklist['^/api/posts/image'] = [
- 'POST'
- ];
$csrfBlacklist['^/' . $config['assets.raw.path']] = [
'GET'
];
diff --git a/main/app/sprinkles/core/templates/pages/test.html.twig b/main/app/sprinkles/core/templates/pages/test.html.twig
index 8df9b89..796ee72 100644
--- a/main/app/sprinkles/core/templates/pages/test.html.twig
+++ b/main/app/sprinkles/core/templates/pages/test.html.twig
@@ -1,19 +1,8 @@
-