Dan Brown
7224fbcc89
Added protections against path traversal in file system operations
...
- Files within the storage/ path could be accessed via path traversal
references in content, accessed upon HTML export.
- This addresses this via two layers:
- Scoped local flysystem filesystems down to the specific image &
file folders since flysystem has built-in checking against the
escaping of the root folder.
- Added path normalization before enforcement of uploads/{images,file}
prefix to prevent traversal at a path level.
Thanks to @Haxatron via huntr.dev for discovery and reporting.
Ref: https://huntr.dev/bounties/ac268a17-72b5-446f-a09a-9945ef58607a/
2021-10-08 17:47:14 +01:00
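The two layers described in the commit above, as an added illustration that is not BookStack's own code (the project is PHP; this is a Python sketch of the same idea). `resolve_within_root` is a simplified stand-in for Flysystem's root-scoping check, not Flysystem's implementation, and `naive_is_allowed` is a hypothetical pre-fix prefix check written only to show why normalization has to come first. The storage root, prefix names and sample references are assumptions.

```python
import posixpath
from typing import Optional

# Path prefixes that an HTML export may reference (names taken from the commit message).
ALLOWED_PREFIXES = ("uploads/images/", "uploads/files/")


def normalize_path(path: str) -> str:
    """Collapse '.', '..' and repeated separators without touching the disk.

    The path is anchored at '/' first so '..' can never climb above it, and the
    leading '/' is stripped again so callers get a root-relative path back.
    Backslashes are treated as separators too (assumption: guard against
    Windows-style traversal as well as POSIX-style).
    """
    anchored = "/" + path.replace("\\", "/")
    return posixpath.normpath(anchored).lstrip("/")


def naive_is_allowed(path: str) -> bool:
    """Hypothetical pre-fix check: a prefix test on the raw string.

    'uploads/images/../../.env' passes because it starts with the prefix.
    """
    return path.startswith(ALLOWED_PREFIXES)


def is_allowed(path: str) -> bool:
    """Layer 2: normalize first, then enforce the uploads/{images,files} prefix."""
    return normalize_path(path).startswith(ALLOWED_PREFIXES)


def resolve_within_root(root: str, relative: str) -> Optional[str]:
    """Layer 1: a root-scoped filesystem that never hands out a path outside root.

    Mirrors the idea of scoping a Flysystem adapter to the image/file folders:
    returns the absolute path if it stays under root, otherwise None. An
    absolute 'relative' path (e.g. '/etc/passwd') discards root on join and is
    therefore rejected as well.
    """
    root = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root, relative.replace("\\", "/")))
    if full != root and not full.startswith(root + "/"):
        return None
    return full


def filter_export_references(references, image_root, file_root):
    """Apply both layers to a list of paths referenced from exported content.

    Returns the absolute paths that may actually be read for the export.
    """
    resolved = []
    for ref in references:
        if not is_allowed(ref):
            continue
        normalized = normalize_path(ref)
        if normalized.startswith("uploads/images/"):
            full = resolve_within_root(image_root, normalized[len("uploads/images/"):])
        else:
            full = resolve_within_root(file_root, normalized[len("uploads/files/"):])
        if full is not None:
            resolved.append(full)
    return resolved


if __name__ == "__main__":
    # Constructed sample references, as they might appear in page content being exported.
    sample = [
        "uploads/images/gallery/2021/cat.png",
        "uploads/images/../../.env",
        "uploads\\images\\..\\..\\.env",
        "/etc/passwd",
        "uploads/files/docs/../report.pdf",
    ]
    for ref in sample:
        print(f"{ref!r:45} naive={naive_is_allowed(ref)!s:5} hardened={is_allowed(ref)}")
    print(filter_export_references(sample, "/srv/app/storage/uploads/images",
                                   "/srv/app/storage/uploads/files"))
```

Normalization is purely lexical, so it is safe to run before any filesystem access; the root-scoping layer is the backstop for anything the prefix check is ever taught to accept later.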
Dan Brown
05d99a312d
Applied styleci changes
2021-09-26 15:48:22 +01:00
Dan Brown
c32b315cd7
Standardised facade usage to use via their FQCN
...
Done via Laravel Shift Workbench
2021-09-26 15:37:55 +01:00
Dan Brown
934a833818
Apply fixes from StyleCI
2021-06-26 15:23:15 +00:00
Dan Brown
2c3523f6a1
Updated image permission setting logic
...
To ensure that the visibility is still set on local storage options
since the previous recent changes could cause problems in
scenarios where the server user could not read images uploaded by the
php process user.
Closes #2758
2021-05-24 12:09:28 +01:00
Dan Brown
c1f070a136
Handle acl set of images differently for s3 and s3-like
...
Related to #2739
2021-05-15 17:25:51 +01:00
Dan Brown
f8cdd6e80d
Reduced calls for s3-based uploads
...
Combined the public ACL update into the put operation.
2021-04-27 20:36:42 +01:00
Dan Brown
60ffe6a993
Updated packages and added better upload failure logging
...
To fix #2689
Updates all packages but mainly focused on aws-sdk
2021-04-19 20:16:49 +01:00
Dan Brown
215c69acb2
Merge image name cleaning functions
...
Updated testing for changes and to check the existence of the new expected file
name.
Related to #2611
2021-03-14 23:20:21 +00:00
Timo Förster
745d15d200
Allow uploads of files containing dots in filename. Closes BookStackApp/BookStack#2217
2021-03-04 22:27:20 +01:00
Dan Brown
4e82d93350
Updated wording of image cleanup option
...
As per #2352
2020-12-18 22:59:47 +00:00
Dan Brown
00308ad4ab
Cleaned up some user/image areas of the app
...
Further cleanup of docblocks and standardisation of repos.
2020-12-08 23:46:38 +00:00
Dan Brown
884664bfe9
Ensured base64 images are read from image upload folder
...
Also removed unused storage systems and updated testing.
2020-12-06 15:34:18 +00:00
Dan Brown
8911e3f441
Removed http fetching from image base64 generation
2020-12-06 14:24:22 +00:00
Dan Brown
7d38c96a23
Removed generic "UploadService" which was doing very little
2020-12-06 12:58:40 +00:00
Dan Brown
8213ea9a71
Fixed issue where URL params in image names would cause loading failure
...
Updated file name handling to route through str:slug to be cleaned up
a little.
Added testing to cover.
Fixes #2161
2020-07-25 11:18:40 +01:00
Dan Brown
b6aa232205
Fixed issue where more images than expected could be deleted
...
When deleting images, images within the same directory, that have
a suffix of the delete image name, would also be deleted.
Added test to cover.
2020-07-24 23:41:59 +01:00
Dan Brown
32e7f0a2e6
Made display thumbnail generation use original data if smaller
...
Thumbnail generation would sometimes create a file larger than the
original, if the original was already well optimized, therefore making
the thumbnail counter-productive. This change compares the sizes of the
original and the generated thumbnail, and uses the smaller of the two if
the thumbnail does not change the aspect ratio of the image.
Fixes #1751
2019-12-22 12:44:49 +00:00
Dan Brown
140298bd96
Updated to Laravel 5.8
2019-09-13 23:58:40 +01:00
Dan Brown
4b0c4e621a
Replaced use of custom 'baseUrl' helper with 'url'
...
Also changed up how base URL setting was being done
by manipulating incoming request URLs instead of
altering then on generation.
2019-08-04 14:26:39 +01:00
Dan Brown
1e7df28238
Set export service to set correct svg image mimetype
...
For #1538
2019-07-17 22:37:19 +01:00
Dan Brown
762d1d7595
Allowed different storage types for images and attachments
...
- Added new env and config vars to allow this.
- Also added tests for awkward config logic including fallback for new
env vars.
Closes #1302
2019-06-23 16:01:15 +01:00
Dan Brown
3f83c548f8
Ran phpcbf
2019-05-05 14:54:37 +01:00
Dan Brown
8c190324ac
Updated existing image tests to reflect changes
...
- Also added some new tests
2019-05-04 18:11:19 +01:00
Dan Brown
79f6dc00a3
Change image-selector to not use manager
...
- Now changes the images directly for user, system & cover.
- Extra permission checks added to edit & delete actions.
2019-05-04 15:50:29 +01:00
Dan Brown
68017e2553
Added testing for avatar fetching systems & config
...
Abstracts imageservice http interaction.
Closes #1193
2018-12-23 15:34:38 +00:00
Dan Brown
b56fc21aaf
Abstracted user avatar fetching away from gravatar
...
Still uses gravatar as a default.
Updated URL placeholders to follow LDAP format.
Potential breaking config change: `GRAVATAR=false` replaced by `AVATAR_URL=false`
Builds upon #1111
2018-12-22 19:29:19 +00:00
Vinrobot
5e6c039b08
Added config to change Gravatar URL
2018-11-10 16:11:11 +01:00
Dan Brown
257a5a23ec
Fleshed out entity provided and optimized imports
2018-09-25 16:58:03 +01:00
Dan Brown
919660678b
Re-structured the app code to be feature based rather than code type based
2018-09-25 12:30:50 +01:00