Merge pull request #56 from apreiml/master

validate log file path
rap2hpoutre · Mar 10, 2016 · 111628d · 111628d
2 parents 120ed18 + 680b4fb
commit 111628d
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 14 deletions.
diff --git a/src/Rap2hpoutre/LaravelLogViewer/LaravelLogViewer.php b/src/Rap2hpoutre/LaravelLogViewer/LaravelLogViewer.php
@@ -46,18 +46,27 @@ class LaravelLogViewer
      */
     public static function setFile($file)
     {
-        // if absolute path is given
+        $file = self::pathToLogFile($file);
+
         if (File::exists($file)) {
             self::$file = $file;
+        }
+    }
+
+    public static function pathToLogFile($file)
+    {
+        $logsPath = storage_path('logs');
 
-        // or check if file with given filename is in storage/logs folder
-        } else {
-            $file = storage_path() . '/logs/' . $file;
+        if (! File::exists($file)) { // try the absolute path
+            $file = $logsPath . '/' . $file;
+        }
 
-            if (File::exists($file)) {
-                self::$file = $file;
-            }
+        // check if requested file is really in the logs directory
+        if (dirname($file) !== $logsPath) {
+            throw new \Exception('No such log file');
         }
+
+        return $file;
     }
 
     /**

diff --git a/src/controllers/LogViewerController.php b/src/controllers/LogViewerController.php
@@ -8,20 +8,20 @@
 use Illuminate\Support\Facades\Request;
 use Illuminate\Support\Facades\Response;
 
-
 class LogViewerController extends Controller
 {
 
     public function index()
     {
+
         if (Request::input('l')) {
             LaravelLogViewer::setFile(base64_decode(Request::input('l')));
         }
 
         if (Request::input('dl')) {
-            return Response::download(storage_path() . '/logs/' . base64_decode(Request::input('dl')));
+            return Response::download(LaravelLogViewer::pathToLogFile(base64_decode(Request::input('dl'))));
         } elseif (Request::has('del')) {
-            File::delete(storage_path() . '/logs/' . base64_decode(Request::input('del')));
+            File::delete(LaravelLogViewer::pathToLogFile(base64_decode(Request::input('del'))));
             return Redirect::to(Request::url());
         }
 
@@ -33,5 +33,4 @@ public function index()
             'current_file' => LaravelLogViewer::getFileName()
         ]);
     }
-
 }
diff --git a/src/views/log.blade.php b/src/views/log.blade.php
@@ -8,7 +8,7 @@
 
     <!-- Bootstrap -->
     <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.1/css/bootstrap.min.css">
-    <link rel="stylesheet" href="//cdn.datatables.net/plug-ins/9dcbecd42ad/integration/bootstrap/3/dataTables.bootstrap.css">
+    <link rel="stylesheet" href="https://cdn.datatables.net/plug-ins/9dcbecd42ad/integration/bootstrap/3/dataTables.bootstrap.css">
 
 
 
@@ -98,8 +98,8 @@
     </div>
     <!-- jQuery (necessary for Bootstrap's JavaScript plugins) -->
     <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
-    <script src="//cdn.datatables.net/1.10.4/js/jquery.dataTables.min.js"></script>
-    <script src="//cdn.datatables.net/plug-ins/9dcbecd42ad/integration/bootstrap/3/dataTables.bootstrap.js"></script>
+    <script src="https://cdn.datatables.net/1.10.4/js/jquery.dataTables.min.js"></script>
+    <script src="https://cdn.datatables.net/plug-ins/9dcbecd42ad/integration/bootstrap/3/dataTables.bootstrap.js"></script>
     <script>
       $(document).ready(function(){
         $('#table-log').DataTable({