From 44f7fbb13eabc0d1571455b3e68a812a617c3691 Mon Sep 17 00:00:00 2001
From: Armin Preiml
Date: Mon, 29 Feb 2016 16:27:20 +0100
Subject: [PATCH 1/5] validate log file path

---
 .../LaravelLogViewer/LaravelLogViewer.php | 23 +++++++++++++------
 src/controllers/LogViewerController.php | 15 ++++++------
 2 files changed, 24 insertions(+), 14 deletions(-)

diff --git a/src/Rap2hpoutre/LaravelLogViewer/LaravelLogViewer.php b/src/Rap2hpoutre/LaravelLogViewer/LaravelLogViewer.php
index d41ef63..7470e9f 100644
--- a/src/Rap2hpoutre/LaravelLogViewer/LaravelLogViewer.php
+++ b/src/Rap2hpoutre/LaravelLogViewer/LaravelLogViewer.php
@@ -46,18 +46,27 @@ class LaravelLogViewer
 */
 public static function setFile($file)
 {
- // if absolute path is given
+ $file = self::pathToLogFile($file);
+
 if (File::exists($file)) {
 self::$file = $file;
+ }
+ }
+
+ public static function pathToLogFile($file)
+ {
+ $logsPath = storage_path('logs');
 
- // or check if file with given filename is in storage/logs folder
- } else {
- $file = storage_path() . '/logs/' . $file;
+ if (! File::exists($file)) { // try the absolute path
+ $file = $logsPath . '/' . $file;
+ }
 
- if (File::exists($file)) {
- self::$file = $file;
- }
+ // check if requested file is really in the logs directory
+ if (dirname($file) !== $logsPath) {
+ throw new \Exception('No such log file');
 }
+
+ return $file;
 }
 
 /**
diff --git a/src/controllers/LogViewerController.php b/src/controllers/LogViewerController.php
index ca580da..20ff21f 100644
--- a/src/controllers/LogViewerController.php
+++ b/src/controllers/LogViewerController.php
@@ -7,6 +7,7 @@
 use Illuminate\Support\Facades\Redirect;
 use Illuminate\Support\Facades\Request;
 use Illuminate\Support\Facades\Response;
+use Input;
 
 class LogViewerController extends Controller
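Review bot: The containment check in `pathToLogFile` (`dirname($file) !== $logsPath`) is a textual comparison, so it does not see through symlinks — an entry inside `storage/logs` that links elsewhere passes the check and is then served or deleted — and it also accepts directory entries such as `.` because `File::exists` is true for directories. Comparing `realpath()` of both sides and requiring `is_file()` closes both gaps; this does make a missing file throw here rather than fall through to the later `File::exists` in `setFile`, so that caller (or the controller) needs to tolerate it. Throwing a bare `\Exception` also leaves callers no way to distinguish "not a log file" from an internal error; a dedicated exception class (or at least `\InvalidArgumentException`) would let the controller map it to a 404. The method has no docblock; a short `/** Resolve $file (absolute path, or a file name inside storage/logs) to a path inside the logs directory, throwing when it resolves anywhere else. */` would state the contract.
```php
    public static function pathToLogFile($file)
    {
        $logsPath = realpath(storage_path('logs'));

        // … unchanged: fall back to $logsPath . '/' . $file when $file is not an existing absolute path …

        // resolve symlinks and ".." before comparing, and accept only regular files
        $real = realpath($file);
        if ($real === false || dirname($real) !== $logsPath || ! is_file($real)) {
            throw new \Exception('No such log file');
        }

        return $real;
    }
```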
@@ -14,14 +15,15 @@ class LogViewerController extends Controller
 
 public function index()
 {
- if (Request::input('l')) {
- LaravelLogViewer::setFile(base64_decode(Request::input('l')));
+
+ if (Input::get('l')) {
+ LaravelLogViewer::setFile(base64_decode(Input::get('l')));
 }
 
- if (Request::input('dl')) {
- return Response::download(storage_path() . '/logs/' . base64_decode(Request::input('dl')));
- } elseif (Request::has('del')) {
- File::delete(storage_path() . '/logs/' . base64_decode(Request::input('del')));
+ if (Input::get('dl')) {
+ return Response::download(LaravelLogViewer::pathToLogFile(base64_decode(Input::get('dl'))));
+ } elseif (Input::has('del')) {
+ File::delete(LaravelLogViewer::pathToLogFile(base64_decode(Input::get('del'))));
 return Redirect::to(Request::url());
 }
 
@@ -33,5 +35,4 @@ public function index()
 'current_file' => LaravelLogViewer::getFileName()
 ]);
 }
-
 }

From 8c8d96c0a7df1b6762ecc0e6a1a32336a05a6890 Mon Sep 17 00:00:00 2001
From: Armin Preiml
Date: Mon, 29 Feb 2016 16:41:10 +0100
Subject: [PATCH 2/5] enforce https for js cdn urls

---
 src/views/log.blade.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/views/log.blade.php b/src/views/log.blade.php
index 3e2e81d..1f497ae 100644
--- a/src/views/log.blade.php
+++ b/src/views/log.blade.php
@@ -8,7 +8,7 @@
-
+
@@ -98,8 +98,8 @@
-
-
+
+
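Review bot: A rejected `dl` or `del` value now makes `pathToLogFile` throw a bare `\Exception` that `index` does not catch, so the client receives a 500 — and, with debug output enabled, a trace that includes the resolved storage path — where a plain 404 is the right answer; the `l` branch reaches the same throw through `setFile`. Wrapping the three lookups in `try { … } catch (\Exception $e) { abort(404); }` keeps the rejection quiet, and narrowing the catch to a dedicated exception type once `pathToLogFile` throws one avoids masking unrelated failures. As far as this hunk shows, deletion is still triggered by the presence of a `del` query parameter with no request-method or CSRF check; that predates this commit, but a change that hardens these paths is the natural place to address it. The body of `index` continues past the end of this hunk.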