mirror of
https://github.com/BookStackApp/BookStack.git
synced 2024-12-01 21:35:16 +08:00
349162ea13
This filters out potentially malicious javascript: or data: uri's coming through to be attached to attachments. Added tests to cover. Thanks to Yassine ABOUKIR (@yassineaboukir on twitter) for reporting this vulnerability.
93 lines
3.1 KiB
PHP
93 lines
3.1 KiB
PHP
<?php namespace BookStack\Providers;
|
|
|
|
use Blade;
|
|
use BookStack\Entities\Book;
|
|
use BookStack\Entities\Bookshelf;
|
|
use BookStack\Entities\BreadcrumbsViewComposer;
|
|
use BookStack\Entities\Chapter;
|
|
use BookStack\Entities\Page;
|
|
use BookStack\Settings\Setting;
|
|
use BookStack\Settings\SettingService;
|
|
use Illuminate\Database\Eloquent\Relations\Relation;
|
|
use Illuminate\Support\Facades\View;
|
|
use Illuminate\Support\ServiceProvider;
|
|
use Schema;
|
|
use URL;
|
|
use Validator;
|
|
|
|
class AppServiceProvider extends ServiceProvider
|
|
{
|
|
/**
|
|
* Bootstrap any application services.
|
|
*
|
|
* @return void
|
|
*/
|
|
public function boot()
|
|
{
|
|
// Set root URL
|
|
$appUrl = config('app.url');
|
|
if ($appUrl) {
|
|
$isHttps = (strpos($appUrl, 'https://') === 0);
|
|
URL::forceRootUrl($appUrl);
|
|
URL::forceScheme($isHttps ? 'https' : 'http');
|
|
}
|
|
|
|
// Custom validation methods
|
|
Validator::extend('image_extension', function ($attribute, $value, $parameters, $validator) {
|
|
$validImageExtensions = ['png', 'jpg', 'jpeg', 'gif', 'webp'];
|
|
return in_array(strtolower($value->getClientOriginalExtension()), $validImageExtensions);
|
|
});
|
|
|
|
Validator::extend('no_double_extension', function ($attribute, $value, $parameters, $validator) {
|
|
$uploadName = $value->getClientOriginalName();
|
|
return substr_count($uploadName, '.') < 2;
|
|
});
|
|
|
|
Validator::extend('safe_url', function ($attribute, $value, $parameters, $validator) {
|
|
$cleanLinkName = strtolower(trim($value));
|
|
$isJs = strpos($cleanLinkName, 'javascript:') === 0;
|
|
$isData = strpos($cleanLinkName, 'data:') === 0;
|
|
return !$isJs && !$isData;
|
|
});
|
|
|
|
// Custom blade view directives
|
|
Blade::directive('icon', function ($expression) {
|
|
return "<?php echo icon($expression); ?>";
|
|
});
|
|
|
|
Blade::directive('exposeTranslations', function ($expression) {
|
|
return "<?php \$__env->startPush('translations'); ?>" .
|
|
"<?php foreach({$expression} as \$key): ?>" .
|
|
'<meta name="translation" key="<?php echo e($key); ?>" value="<?php echo e(trans($key)); ?>">' . "\n" .
|
|
"<?php endforeach; ?>" .
|
|
'<?php $__env->stopPush(); ?>';
|
|
});
|
|
|
|
// Allow longer string lengths after upgrade to utf8mb4
|
|
Schema::defaultStringLength(191);
|
|
|
|
// Set morph-map due to namespace changes
|
|
Relation::morphMap([
|
|
'BookStack\\Bookshelf' => Bookshelf::class,
|
|
'BookStack\\Book' => Book::class,
|
|
'BookStack\\Chapter' => Chapter::class,
|
|
'BookStack\\Page' => Page::class,
|
|
]);
|
|
|
|
// View Composers
|
|
View::composer('partials.breadcrumbs', BreadcrumbsViewComposer::class);
|
|
}
|
|
|
|
/**
|
|
* Register any application services.
|
|
*
|
|
* @return void
|
|
*/
|
|
public function register()
|
|
{
|
|
$this->app->singleton(SettingService::class, function ($app) {
|
|
return new SettingService($app->make(Setting::class), $app->make('Illuminate\Contracts\Cache\Repository'));
|
|
});
|
|
}
|
|
}
|