Sessions: Prevent image urls being part of session URL history
To prevent them being considered for redirects. Includes test to cover. For #4863
parent
055bbf17de
commit
a75d5b8bc1
@ -28,7 +28,7 @@ class Kernel extends HttpKernel
|
||||
\BookStack\Http\Middleware\ApplyCspRules::class,
|
||||
\BookStack\Http\Middleware\EncryptCookies::class,
|
||||
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
|
||||
\Illuminate\Session\Middleware\StartSession::class,
|
||||
\BookStack\Http\Middleware\StartSessionExtended::class,
|
||||
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
|
||||
\BookStack\Http\Middleware\VerifyCsrfToken::class,
|
||||
\BookStack\Http\Middleware\CheckEmailConfirmed::class,
|
||||
|
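--- /dev/null
+++ b/app/Http/Middleware/StartSessionExtended.php
@@ -0,0 +1,34 @@
+<?php
+
+namespace BookStack\Http\Middleware;
+
+use Illuminate\Http\Request;
+use Illuminate\Session\Middleware\StartSession as Middleware;
+
+/**
+ * An extended version of the default Laravel "StartSession" middleware
+ * with customizations applied as required:
+ *
+ * - Adds filtering for the request URLs stored in session history.
+ */
+class StartSessionExtended extends Middleware
+{
+    protected static array $pathPrefixesExcludedFromHistory = [
+        'uploads/images/'
+    ];
+
+    /**
+     * @inheritdoc
+     */
+    protected function storeCurrentUrl(Request $request, $session): void
+    {
+        $requestPath = strtolower($request->path());
+        foreach (static::$pathPrefixesExcludedFromHistory as $excludedPath) {
+            if (str_starts_with($requestPath, $excludedPath)) {
+                return;
+            }
+        }
+
+        parent::storeCurrentUrl($request, $session);
+    }
+}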
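Review bot: `$pathPrefixesExcludedFromHistory` carries no comment explaining how its entries are matched, even though the rule in storeCurrentUrl is specific: each entry is compared with `str_starts_with` against `strtolower($request->path())`, so entries must be lowercase, relative (no leading slash) and end in `/` to avoid also matching sibling paths such as a hypothetical `uploads/images-other`. I would add above the property: `// Lowercase, slash-relative path prefixes. A request whose path starts with one of these is never recorded as the session's previous URL, so it cannot be picked up later as a redirect target.` The `@inheritdoc` block on storeCurrentUrl could likewise state the reason for the override rather than only inheriting the parent's text, e.g. `Skips recording non-navigable resource URLs (currently image uploads) in session history, then defers to the parent behaviour.` The redirect motivation is taken from the commit description rather than from the code itself, so phrase it accordingly if the wording differs from the team's intent.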
@ -383,6 +383,29 @@ class ImageTest extends TestCase
|
||||
}
|
||||
}
|
||||
|
||||
public function test_secure_images_not_tracked_in_session_history()
|
||||
{
|
||||
config()->set('filesystems.images', 'local_secure');
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
$result = $this->files->uploadGalleryImageToPage($this, $page);
|
||||
$expectedPath = storage_path($result['path']);
|
||||
$this->assertFileExists($expectedPath);
|
||||
|
||||
$this->get('/books');
|
||||
$this->assertEquals(url('/books'), session()->previousUrl());
|
||||
|
||||
$resp = $this->get($result['path']);
|
||||
$resp->assertOk();
|
||||
$resp->assertHeader('Content-Type', 'image/png');
|
||||
|
||||
$this->assertEquals(url('/books'), session()->previousUrl());
|
||||
|
||||
if (file_exists($expectedPath)) {
|
||||
unlink($expectedPath);
|
||||
}
|
||||
}
|
||||
|
||||
public function test_system_images_remain_public_with_local_secure_restricted()
|
||||
{
|
||||
config()->set('filesystems.images', 'local_secure_restricted');
|
||||
|