Commit Graph

32 Commits

Author SHA1 Message Date
Dan Brown 43830a372f
Updated showImage file serving to not be traversable
For #3030
2021-10-31 23:53:17 +00:00
Dan Brown a9b3df537f
Applied changes from styleci
2021-10-08 22:23:17 +01:00
Dan Brown 7224fbcc89
Added protections against path traversal in file system operations
- Files within the storage/ path could be accessed via path traversal
  references in content, accessed upon HTML export.
- This addresses this via two layers:
  - Scoped local flysystem filesystems down to the specific image &
    file folders since flysystem has built-in checking against the
    escaping of the root folder.
  - Added path normalization before enforcement of uploads/{images,file}
    prefix to prevent traversal at a path level.

Thanks to @Haxatron via huntr.dev for discovery and reporting.
Ref: https://huntr.dev/bounties/ac268a17-72b5-446f-a09a-9945ef58607a/
2021-10-08 17:47:14 +01:00
Dan Brown 05d99a312d
Applied styleci changes
2021-09-26 15:48:22 +01:00
Dan Brown c32b315cd7
Standardised facade usage to use via their FQCN
Done via Laravel Shift Workbench
2021-09-26 15:37:55 +01:00
Dan Brown 934a833818
Apply fixes from StyleCI
2021-06-26 15:23:15 +00:00
Dan Brown 2c3523f6a1
Updated image permission setting logic
To ensure that the visibility is still set on local storage options
since the previous recent changes could cause problems in
scenarios where the server user could not read images uploaded by the
php process user.

Closes #2758
2021-05-24 12:09:28 +01:00
Dan Brown c1f070a136
Handle acl set of images differently for s3 and s3-like
Related to #2739
2021-05-15 17:25:51 +01:00
Dan Brown f8cdd6e80d
Reduced calls for s3-based uploads
Combined the public ACL update into the put operation.
2021-04-27 20:36:42 +01:00
Dan Brown 60ffe6a993
Updated packages and added better upload failure logging
To fix #2689
Updates all packages but mainly focused on aws-sdk
2021-04-19 20:16:49 +01:00
Dan Brown 215c69acb2
Merge image name cleaning functions
Updated testing for changes and to check existence of new expected file
name.
Related to #2611
2021-03-14 23:20:21 +00:00
Timo Förster 745d15d200
Allow uploads of files containing dots in filename. Closes BookStackApp/BookStack#2217
2021-03-04 22:27:20 +01:00
Dan Brown 4e82d93350
Updated wording of image cleanup option
As per #2352
2020-12-18 22:59:47 +00:00
Dan Brown 00308ad4ab
Cleaned up some user/image areas of the app
Further cleanup of docblocks and standardisation of repos.
2020-12-08 23:46:38 +00:00
Dan Brown 884664bfe9
Ensured base64 images are read from image upload folder
Also removed unused storage systems and updated testing.
2020-12-06 15:34:18 +00:00
Dan Brown 8911e3f441
Removed http fetching from image base64 generation
2020-12-06 14:24:22 +00:00
Dan Brown 7d38c96a23
Removed generic "UploadService" which was doing very little
2020-12-06 12:58:40 +00:00
Dan Brown 8213ea9a71
Fixed issue where URL params in image names would cause loading failure
Updated file name handling to route through str:slug to be cleaned up
a little.
Added testing to cover.

Fixes #2161
2020-07-25 11:18:40 +01:00
Dan Brown b6aa232205
Fixed issue where more images than expected could be deleted
When deleting images, images within the same directory that have
a suffix of the deleted image name would also be deleted.

Added test to cover.
2020-07-24 23:41:59 +01:00
Dan Brown 32e7f0a2e6
Made display thumbnail generation use original data if smaller
Thumbnail generation would sometimes create a file larger than the
original, if the original was already well optimized, therefore making
the thumbnail counter-productive. This change compares the sizes of the
original and the generated thumbnail, and uses the smaller of the two if
the thumbnail does not change the aspect ratio of the image.

Fixes #1751
2019-12-22 12:44:49 +00:00
Dan Brown 140298bd96
Updated to Laravel 5.8
2019-09-13 23:58:40 +01:00
Dan Brown 4b0c4e621a
Replaced use of custom 'baseUrl' helper with 'url'
Also changed up how base URL setting was being done
by manipulating incoming request URLs instead of
altering them on generation.
2019-08-04 14:26:39 +01:00
Dan Brown 1e7df28238
Set export service to set correct svg image mimetype
For #1538
2019-07-17 22:37:19 +01:00
Dan Brown 762d1d7595
Allowed different storage types for images and attachments
- Added new env and config vars to allow this.
- Also added tests for awkward config logic including fallback for new
env vars.

Closes #1302
2019-06-23 16:01:15 +01:00
Dan Brown 3f83c548f8
Ran phpcbf
2019-05-05 14:54:37 +01:00
Dan Brown 8c190324ac
Updated existing image tests to reflect changes
- Also added some new tests
2019-05-04 18:11:19 +01:00
Dan Brown 79f6dc00a3
Change image-selector to not use manager
- Now changes the images directly for user, system & cover.
- Extra permission checks added to edit & delete actions.
2019-05-04 15:50:29 +01:00
Dan Brown 68017e2553
Added testing for avatar fetching systems & config
Abstracts imageservice http interaction.
Closes #1193
2018-12-23 15:34:38 +00:00
Dan Brown b56fc21aaf
Abstracted user avatar fetching away from gravatar
Still uses gravatar as a default.
Updated URL placeholders to follow LDAP format.
Potential breaking config change: `GRAVATAR=false` replaced by `AVATAR_URL=false`
Builds upon #1111
2018-12-22 19:29:19 +00:00
Vinrobot 5e6c039b08
Added config to change Gravatar URL
2018-11-10 16:11:11 +01:00
Dan Brown 257a5a23ec
Fleshed out entity provider and optimized imports
2018-09-25 16:58:03 +01:00
Dan Brown 919660678b
Re-structured the app code to be feature based rather than code type based
2018-09-25 12:30:50 +01:00