Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixed XSS vulnerability in SVG image uploads [ch10476] #7639

Merged
merged 4 commits into from
Dec 6, 2019
Merged

Fixed XSS vulnerability in SVG image uploads [ch10476] #7639

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
59738c7
Added enshrined/svg-sanitize
snipe Dec 6, 2019
e8ef0a4
Added modular image resizing/SVG cleaning method
snipe Dec 6, 2019
9444d93
Use improved handleImages method to upload/resize/clean images
snipe Dec 6, 2019
4b99aae
Removed $old_image
snipe Dec 6, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 2 additions & 42 deletions app/Http/Controllers/AccessoriesController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,26 +85,7 @@ public function store(ImageUploadRequest $request)
$accessory->qty = request('qty');
$accessory->user_id = Auth::user()->id;
$accessory->supplier_id = request('supplier_id');

if ($request->hasFile('image')) {

if (!config('app.lock_passwords')) {
$image = $request->file('image');
$ext = $image->getClientOriginalExtension();
$file_name = "accessory-".str_random(18).'.'.$ext;
$path = public_path('/uploads/accessories');
if ($image->getClientOriginalExtension()!='svg') {
Image::make($image->getRealPath())->resize(null, 800, function ($constraint) {
$constraint->aspectRatio();
$constraint->upsize();
})->save($path.'/'.$file_name);
} else {
$image->move($path, $file_name);
}
$accessory->image = $file_name;
}
}

$accessory = $request->handleImages($accessory,600, public_path().'/uploads/accessories');


// Was the accessory created?
Expand Down Expand Up @@ -165,28 +146,7 @@ public function update(ImageUploadRequest $request, $accessoryId = null)
$accessory->qty = request('qty');
$accessory->supplier_id = request('supplier_id');

if ($request->hasFile('image')) {

if (!config('app.lock_passwords')) {
$image = $request->file('image');
$ext = $image->getClientOriginalExtension();
$file_name = "accessory-".str_random(18).'.'.$ext;
$path = public_path('/uploads/accessories');
if ($image->getClientOriginalExtension()!='svg') {
Image::make($image->getRealPath())->resize(null, 800, function ($constraint) {
$constraint->aspectRatio();
$constraint->upsize();
})->save($path.'/'.$file_name);
} else {
$image->move($path, $file_name);
}
if (($accessory->image) && (file_exists($path.'/'.$accessory->image))) {
unlink($path.'/'.$accessory->image);
}

$accessory->image = $file_name;
}
}
$accessory = $request->handleImages($accessory,600, public_path().'/uploads/accessories');


// Was the accessory updated?
Expand Down
50 changes: 2 additions & 48 deletions app/Http/Controllers/AssetModelsController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -90,23 +90,7 @@ public function store(ImageUploadRequest $request)
$model->fieldset_id = e($request->input('custom_fieldset'));
}

if (Input::file('image')) {

$image = Input::file('image');
$file_name = str_slug($image->getClientOriginalName()) . "." . $image->getClientOriginalExtension();
$path = app('models_upload_path');

if ($image->getClientOriginalExtension()!='svg') {
Image::make($image->getRealPath())->resize(800, null, function ($constraint) {
$constraint->aspectRatio();
$constraint->upsize();
})->save($path.'/'.$file_name);
} else {
$image->move($path, $file_name);
}
$model->image = $file_name;

}
$model = $request->handleImages($model,600, public_path().'/uploads/models');

// Was it created?
if ($model->save()) {
Expand Down Expand Up @@ -182,37 +166,7 @@ public function update(ImageUploadRequest $request, $modelId = null)
}
}

$old_image = $model->image;

// Set the model's image property to null if the image is being deleted
if ($request->input('image_delete') == 1) {
$model->image = null;
}

if ($request->file('image')) {
$image = $request->file('image');
$file_name = $model->id.'-'.str_slug($image->getClientOriginalName()) . "." . $image->getClientOriginalExtension();

if ($image->getClientOriginalExtension()!='svg') {
Image::make($image->getRealPath())->resize(800, null, function ($constraint) {
$constraint->aspectRatio();
$constraint->upsize();
})->save(app('models_upload_path').$file_name);
} else {
$image->move(app('models_upload_path'), $file_name);
}
$model->image = $file_name;

}

if ((($request->file('image')) && (isset($old_image)) && ($old_image!='')) || ($request->input('image_delete') == 1)) {
try {
unlink(app('models_upload_path').$old_image);
} catch (\Exception $e) {
\Log::info($e);
}
}

$model = $request->handleImages($model,600, public_path().'/uploads/models');

if ($model->save()) {
return redirect()->route("models.index")->with('success', trans('admin/models/message.update.success'));
Expand Down
39 changes: 2 additions & 37 deletions app/Http/Controllers/CategoriesController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,17 +83,7 @@ public function store(ImageUploadRequest $request)
$category->checkin_email = $request->input('checkin_email', '0');
$category->user_id = Auth::id();

if ($request->file('image')) {
$image = $request->file('image');
$file_name = str_random(25).".".$image->getClientOriginalExtension();
$path = public_path('uploads/categories/'.$file_name);
Image::make($image->getRealPath())->resize(800, null, function ($constraint) {
$constraint->aspectRatio();
$constraint->upsize();
})->save($path);
$category->image = $file_name;
}

$category = $request->handleImages($category,600, public_path().'/uploads/categories');

if ($category->save()) {
return redirect()->route('categories.index')->with('success', trans('admin/categories/message.create.success'));
Expand Down Expand Up @@ -152,37 +142,12 @@ public function update(ImageUploadRequest $request, $categoryId = null)
$category->require_acceptance = $request->input('require_acceptance', '0');
$category->checkin_email = $request->input('checkin_email', '0');

$old_image = $category->image;

// Set the model's image property to null if the image is being deleted
if ($request->input('image_delete') == 1) {
$category->image = null;
}

if ($request->file('image')) {
$image = $request->file('image');
$file_name = $category->id.'-'.str_slug($image->getClientOriginalName()) . "." . $image->getClientOriginalExtension();

if ($image->getClientOriginalExtension()!='svg') {
Image::make($image->getRealPath())->resize(800, null, function ($constraint) {
$constraint->aspectRatio();
$constraint->upsize();
})->save(app('categories_upload_path').$file_name);
} else {
$image->move(app('categories_upload_path'), $file_name);
}
$category->image = $file_name;

}

if ((($request->file('image')) && (isset($old_image)) && ($old_image!='')) || ($request->input('image_delete') == 1)) {
try {
unlink(app('categories_upload_path').$old_image);
} catch (\Exception $e) {
\Log::info($e);
}
}

$category = $request->handleImages($category,600, public_path().'/uploads/categories');

if ($category->save()) {
// Redirect to the new category page
Expand Down
37 changes: 2 additions & 35 deletions app/Http/Controllers/CompaniesController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,16 +63,7 @@ public function store(ImageUploadRequest $request)
$company = new Company;
$company->name = $request->input('name');

if ($request->file('image')) {
$image = $request->file('image');
$file_name = str_random(25).".".$image->getClientOriginalExtension();
$path = public_path('uploads/companies/'.$file_name);
Image::make($image->getRealPath())->resize(800, null, function ($constraint) {
$constraint->aspectRatio();
$constraint->upsize();
})->save($path);
$company->image = $file_name;
}
$company = $request->handleImages($company,600, public_path().'/uploads/companies');

if ($company->save()) {
return redirect()->route('companies.index')
Expand Down Expand Up @@ -121,36 +112,12 @@ public function update(ImageUploadRequest $request, $companyId)

$company->name = $request->input('name');

$old_image = $company->image;

// Set the model's image property to null if the image is being deleted
if ($request->input('image_delete') == 1) {
$company->image = null;
}

if ($request->file('image')) {
$image = $request->file('image');
$file_name = $company->id.'-'.str_slug($image->getClientOriginalName()) . "." . $image->getClientOriginalExtension();

if ($image->getClientOriginalExtension()!='svg') {
Image::make($image->getRealPath())->resize(800, null, function ($constraint) {
$constraint->aspectRatio();
$constraint->upsize();
})->save(app('companies_upload_path').$file_name);
} else {
$image->move(app('companies_upload_path'), $file_name);
}
$company->image = $file_name;

}

if ((($request->file('image')) && (isset($old_image)) && ($old_image!='')) || ($request->input('image_delete') == 1)) {
try {
unlink(app('companies_upload_path').$old_image);
} catch (\Exception $e) {
\Log::info($e);
}
}
$company = $request->handleImages($company,600, public_path().'/uploads/companies');


if ($company->save()) {
Expand Down
24 changes: 2 additions & 22 deletions app/Http/Controllers/ComponentsController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,16 +91,7 @@ public function store(ImageUploadRequest $request)
$component->user_id = Auth::id();


if ($request->file('image')) {
$image = $request->file('image');
$file_name = str_random(25).".".$image->getClientOriginalExtension();
$path = public_path('uploads/components/'.$file_name);
Image::make($image->getRealPath())->resize(800, null, function ($constraint) {
$constraint->aspectRatio();
$constraint->upsize();
})->save($path);
$component->image = $file_name;
}
$component = $request->handleImages($component,600, public_path().'/uploads/components');

if ($component->save()) {
return redirect()->route('components.index')->with('success', trans('admin/components/message.create.success'));
Expand Down Expand Up @@ -164,18 +155,7 @@ public function update(ImageUploadRequest $request, $componentId = null)
$component->purchase_cost = request('purchase_cost');
$component->qty = Input::get('qty');

if ($request->file('image')) {
$image = $request->file('image');
$file_name = str_random(25).".".$image->getClientOriginalExtension();
$path = public_path('uploads/components/'.$file_name);
Image::make($image->getRealPath())->resize(800, null, function ($constraint) {
$constraint->aspectRatio();
$constraint->upsize();
})->save($path);
$component->image = $file_name;
} elseif ($request->input('image_delete')=='1') {
$component->image = null;
}
$component = $request->handleImages($component,600, public_path().'/uploads/components');

if ($component->save()) {
return redirect()->route('components.index')->with('success', trans('admin/components/message.update.success'));
Expand Down
12 changes: 2 additions & 10 deletions app/Http/Controllers/ConsumablesController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,16 +87,8 @@ public function store(ImageUploadRequest $request)
$consumable->user_id = Auth::id();


if ($request->file('image')) {
$image = $request->file('image');
$file_name = str_random(25).".".$image->getClientOriginalExtension();
$path = public_path('uploads/consumables/'.$file_name);
Image::make($image->getRealPath())->resize(800, null, function ($constraint) {
$constraint->aspectRatio();
$constraint->upsize();
})->save($path);
$consumable->image = $file_name;
}
$consumable = $request->handleImages($consumable,600, public_path().'/uploads/components');


if ($consumable->save()) {
return redirect()->route('consumables.index')->with('success', trans('admin/consumables/message.create.success'));
Expand Down
42 changes: 2 additions & 40 deletions app/Http/Controllers/DepartmentsController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,16 +53,7 @@ public function store(ImageUploadRequest $request)
$department->user_id = Auth::user()->id;
$department->manager_id = ($request->filled('manager_id' ) ? $request->input('manager_id') : null);

if ($request->file('image')) {
$image = $request->file('image');
$file_name = str_random(25).".".$image->getClientOriginalExtension();
$path = public_path('uploads/departments/'.$file_name);
Image::make($image->getRealPath())->resize(800, null, function ($constraint) {
$constraint->aspectRatio();
$constraint->upsize();
})->save($path);
$department->image = $file_name;
}
$department = $request->handleImages($department,600, public_path().'/uploads/departments');

if ($department->save()) {
return redirect()->route("departments.index")->with('success', trans('admin/departments/message.create.success'));
Expand Down Expand Up @@ -164,36 +155,7 @@ public function update(ImageUploadRequest $request, $id) {
$department->fill($request->all());
$department->manager_id = ($request->filled('manager_id' ) ? $request->input('manager_id') : null);

$old_image = $department->image;

// Set the model's image property to null if the image is being deleted
if ($request->input('image_delete') == 1) {
$department->image = null;
}

if ($request->file('image')) {
$image = $request->file('image');
$file_name = $department->id.'-'.str_slug($image->getClientOriginalName()) . "." . $image->getClientOriginalExtension();

if ($image->getClientOriginalExtension()!='svg') {
Image::make($image->getRealPath())->resize(800, null, function ($constraint) {
$constraint->aspectRatio();
$constraint->upsize();
})->save(app('departments_upload_path').$file_name);
} else {
$image->move(app('departments_upload_path'), $file_name);
}
$department->image = $file_name;

}

if ((($request->file('image')) && (isset($old_image)) && ($old_image!='')) || ($request->input('image_delete') == 1)) {
try {
unlink(app('departments_upload_path').$old_image);
} catch (\Exception $e) {
\Log::info($e);
}
}
$department = $request->handleImages($department,600, public_path().'/uploads/departments');

if ($department->save()) {
return redirect()->route("departments.index")->with('success', trans('admin/departments/message.update.success'));
Expand Down
Loading