1
0
mirror of https://github.com/BookStackApp/BookStack.git synced 2024-11-23 03:12:32 +01:00

Sessions: Prevent image urls being part of session URL history

To prevent them being considered for redirects.
Includes test to cover.
For #4863
This commit is contained in:
Dan Brown 2024-02-22 11:22:08 +00:00
parent 055bbf17de
commit a75d5b8bc1
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
3 changed files with 58 additions and 1 deletions

View File

@ -28,7 +28,7 @@ class Kernel extends HttpKernel
\BookStack\Http\Middleware\ApplyCspRules::class,
\BookStack\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
\BookStack\Http\Middleware\StartSessionExtended::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\BookStack\Http\Middleware\VerifyCsrfToken::class,
\BookStack\Http\Middleware\CheckEmailConfirmed::class,

View File

@ -0,0 +1,34 @@
<?php
namespace BookStack\Http\Middleware;
use Illuminate\Http\Request;
use Illuminate\Session\Middleware\StartSession as Middleware;
/**
* An extended version of the default Laravel "StartSession" middleware
* with customizations applied as required:
*
* - Adds filtering for the request URLs stored in session history.
*/
class StartSessionExtended extends Middleware
{
protected static array $pathPrefixesExcludedFromHistory = [
'uploads/images/'
];
/**
* @inheritdoc
*/
protected function storeCurrentUrl(Request $request, $session): void
{
$requestPath = strtolower($request->path());
foreach (static::$pathPrefixesExcludedFromHistory as $excludedPath) {
if (str_starts_with($requestPath, $excludedPath)) {
return;
}
}
parent::storeCurrentUrl($request, $session);
}
}

View File

@ -383,6 +383,29 @@ class ImageTest extends TestCase
}
}
public function test_secure_images_not_tracked_in_session_history()
{
config()->set('filesystems.images', 'local_secure');
$this->asEditor();
$page = $this->entities->page();
$result = $this->files->uploadGalleryImageToPage($this, $page);
$expectedPath = storage_path($result['path']);
$this->assertFileExists($expectedPath);
$this->get('/books');
$this->assertEquals(url('/books'), session()->previousUrl());
$resp = $this->get($result['path']);
$resp->assertOk();
$resp->assertHeader('Content-Type', 'image/png');
$this->assertEquals(url('/books'), session()->previousUrl());
if (file_exists($expectedPath)) {
unlink($expectedPath);
}
}
public function test_system_images_remain_public_with_local_secure_restricted()
{
config()->set('filesystems.images', 'local_secure_restricted');