Merge pull request #61 from Laravel-Backpack/prevent-mimetypes-tampering

Prevent mimetypes tampering

Author: pxpm

config/elfinder.php

@@ -39,7 +39,7 @@
     */
 
     'route' => [
-        'prefix'     => config('backpack.base.route_prefix', 'admin').'/elfinder',
+        'prefix' => config('backpack.base.route_prefix', 'admin').'/elfinder',
         'middleware' => ['web', config('backpack.base.middleware_key', 'admin')], //Set to null to disable middleware filter
     ],
 

src/BackpackElfinderController.php

@@ -0,0 +1,38 @@
+<?php
+
+namespace Backpack\FileManager;
+
+use Illuminate\Support\Facades\Crypt;
+use Illuminate\Support\Facades\Log;
+
+class BackpackElfinderController extends \Barryvdh\Elfinder\ElfinderController
+{
+    public function showPopup($input_id)
+    {
+        $mimes = request('mimes');
+
+        if (! isset($mimes)) {
+            Log::error('Someone attempted to tamper with mime types in elfinder popup. The attempt was blocked.');
+            abort(403, 'Unauthorized action.');
+        }
+
+        try {
+            $mimes = Crypt::decrypt(urldecode(request('mimes')));
+        } catch (\Illuminate\Contracts\Encryption\DecryptException $e) {
+            Log::error('Someone attempted to tamper with mime types in elfinder popup. The attempt was blocked.');
+            abort(403, 'Unauthorized action.');
+        }
+
+        request()->merge(['mimes' => urlencode(serialize($mimes))]);
+        if (! empty($mimes)) {
+            request()->merge(['mimes' => urlencode(serialize($mimes))]);
+        } else {
+            request()->merge(['mimes' => '']);
+        }
+
+        return $this->app['view']
+            ->make($this->package.'::standalonepopup')
+            ->with($this->getViewVars())
+            ->with(compact('input_id'));
+    }
+}

src/FileManagerServiceProvider.php

@@ -2,6 +2,7 @@
 
 namespace Backpack\FileManager;
 
+use Barryvdh\Elfinder\ElfinderController;
 use Illuminate\Support\Facades\Config;
 use Illuminate\Support\ServiceProvider;
 
@@ -27,6 +28,11 @@ public function boot()
         }
     }
 
+    public function register()
+    {
+        $this->app->bind(ElfinderController::class, BackpackElfinderController::class);
+    }
+
     /**
      * Console-specific booting.
      *
@@ -40,11 +46,11 @@ protected function bootForConsole()
         ], 'views');
 
         $this->publishes([
-            __DIR__.'/../config/elfinder.php'      => config_path('elfinder.php'),
+            __DIR__.'/../config/elfinder.php' => config_path('elfinder.php'),
         ], 'config');
 
         $this->publishes([
-            __DIR__.'/../public/packages/backpack/filemanager/themes/Backpack'      => public_path('packages/backpack/filemanager/themes/Backpack'),
+            __DIR__.'/../public/packages/backpack/filemanager/themes/Backpack' => public_path('packages/backpack/filemanager/themes/Backpack'),
         ], 'public');
 
         // Registering package commands.