Exploitable Upload method in "UploadController.php"

[rebootcode]

Hi, there is no file upload validation check here :- https://github.com/UniSharp/laravel-filemanager/blob/master/src/controllers/UploadController.php#L40 ?

On given fact , "Upload" can be done with any method "GET|HEAD|POST|PUT|PATCH|DELETE" ??

[youchenlee]

Hi @rebootcode
The upload() method will be dispatched by routes.php and should be authendicated by Middlewares (https://github.com/UniSharp/laravel-filemanager/blob/master/src/routes.php#L6)

[rebootcode]

well, question is not about authentication, question is about uploadType , you should add file type allowed , as any user can upload "php" or other file type. @youchenlee

This is not question, this is security issue

[youchenlee]

@rebootcode Appreciate your suggestion. It would be great to have a whitelist of available MIME types or file extensions configurations.

[youchenlee]

The release 1.3.0-alpha should fix this.
I will close this issue after a few more tests.