restriction config updated

Author: i-rocky

index.php

@@ -15,7 +15,9 @@
         'root'    => __DIR__.'/tmp/storage/',
         'cache'   => __DIR__.'/tmp/.cache/',
         'uploads' => [
-            'allowed_types' => [
+            'max_upload_size' => 0,
+            'mime_check'      => true,
+            'allowed_types'   => [
                 'image/jpeg', 'image/png', 'image/gif', 'image/bmp', 'image/svg\+xml', 'image/svg'
             ]
         ]

src/Plugins/Core.php

@@ -286,21 +286,33 @@ private function recursive_delete($target)
     public function upload()
     {
         /** @var UploadedFile $file */
-        $file     = request()->files->get('file');
+        $file = request()->files->get('file');
+
+        // ensure if the file is allowed to be uploaded
+        ensureSafeFile($file->getRealPath());
+
+        $max_upload_size = config('uploads.max_upload_size');
+
+        if ($max_upload_size) {
+            if ($max_upload_size * 1024 < $file->getSize()) {
+                abort(406, ['message' => 'File size must be less than '.$max_upload_size.'MB']);
+            }
+        }
+
         $filename = absolutePath(request_path(), $file->getClientOriginalName());
         if ($filename) {
             $option = request('option');
             if ($option === 'replace') {
                 // replace the existing file
-                filesystem()->remove($filename);
                 deleteThumb($filename);
+                filesystem()->remove($filename);
                 $file->move(request_path(), $file->getClientOriginalName());
             } elseif ($option === 'keep-both') {
                 // keep both files
                 // save the new file under new name
                 $_filename = pathinfo($filename, PATHINFO_FILENAME);
-                $_ext = pathinfo($filename, PATHINFO_EXTENSION);
-                $name = getSafePath($_filename, $_ext);
+                $_ext      = pathinfo($filename, PATHINFO_EXTENSION);
+                $name      = getSafePath($_filename, $_ext);
                 $file->move(request_path(), pathinfo($name, PATHINFO_BASENAME));
             } else {
                 // send the message to confirm an option
@@ -315,8 +327,6 @@ public function upload()
         $filepath = absolutePath(request_path(), $file->getClientOriginalName());
 
         if (filesystem()->exists($filepath)) {
-            ensureSafeFile($filepath);
-
             return jsonResponse(['message' => 'File upload successful']);
         }
 

src/config.php

@@ -3,7 +3,11 @@
 return [
     'root'    => null,
     'cache'   => null,
-    'uploads' => [],
+    'uploads' => [
+        'max_upload_size' => 0,
+        'mime_check' => false,
+        'allowed_types' => [],
+    ],
     'plugins' => [
         'Core' => \Rocky\FileManager\Plugins\Core::class,
     ]

src/helpers.php

@@ -329,8 +329,8 @@ function getFileInfo(\Symfony\Component\Finder\SplFileInfo $file)
     if ($file->isFile()) {
         $mime = mimeTypes()->guessMimeType($file->getRealPath());
         if (preg_match('#^image/#', $mime)) {
-            $dimension          = getimagesize($file->getRealPath());
-            if($info) {
+            $dimension = getimagesize($file->getRealPath());
+            if ($info) {
                 $info['image_info'] = [
                     'width'    => $dimension['0'],
                     'height'   => $dimension['1'],
@@ -375,19 +375,21 @@ function getSafePath($name, $ext = '')
  */
 function ensureSafeFile($filepath)
 {
-    $mime  = mimeTypes()->guessMimeType($filepath);
-    $valid = false;
-    foreach (config('uploads.allowed_types') as $allowed_type) {
-        if (preg_match("#^{$allowed_type}$#", $mime)) {
-            $valid = true;
-            break;
+    $mime = mimeTypes()->guessMimeType($filepath);
+    if (config('uploads.mime_check')) {
+        $valid = false;
+        foreach (config('uploads.allowed_types') as $allowed_type) {
+            if (preg_match("#^{$allowed_type}$#", $mime)) {
+                $valid = true;
+                break;
+            }
         }
-    }
 
-    if ( ! $valid) {
-        filesystem()->remove($filepath);
+        if ( ! $valid) {
+            filesystem()->remove($filepath);
 
-        abort(403, ['message' => 'File type not allowed']);
+            abort(403, ['message' => 'File type not allowed']);
+        }
     }
 
     return $mime;