Fix problema di sicurezza upload file svg e xml
loviuz committed Jul 4, 2021
1 parent 9011409 commit 7ec0bbe4bba04abed18e507e82016f41ab6dbe23
Showing with 60 additions and 51 deletions.
  1. +1 −1 src/Models/Upload.php
  2. +59 −50 view.php
@@ -206,7 +206,7 @@ public function getContent()
*/
public function isImage()
{
$list = ['jpg', 'png', 'gif', 'jpeg', 'bmp'];
$list = ['jpg', 'png', 'gif', 'jpeg', 'bmp', 'svg'];

return in_array($this->extension, $list);
}
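Review bot: `return in_array($this->extension, $list);` on the unchanged line below the new list still uses a loose comparison; pass the strict flag so only an exact string match counts, i.e. `return in_array($this->extension, $list, true);`. Adding `'svg'` here also changes every other caller of `isImage()` (none are visible in this hunk), so any path that feeds "images" into a raster library or serves them inline should be checked, because an SVG carries markup and can contain script when rendered as a document rather than through an `<img>` element. If the intent is that `view.php` now shows SVG via `<img>` (which does not execute embedded script), a short comment would preserve that reasoning, e.g. `// svg is classed as an image so it is rendered through <img>, never as a document`. If `$this->extension` is not normalised to lowercase elsewhere, `SVG`/`JPG` would still fall outside the list.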
109 view.php
@@ -29,66 +29,75 @@

$link = base_path().'/'.$file->filepath;

if ($file->isFatturaElettronica()) {
$content = file_get_contents(base_dir().'/'.$file->filepath);

// Individuazione stylesheet
$default_stylesheet = 'asso-invoice';

$name = basename($file->original_name);
$filename = explode('.', $name)[0];
$pieces = explode('_', $filename);
$stylesheet = $pieces[2];
// Force download of the file
if (get('force') == '1') {
header('Content-Type: application/octet-stream');
header("Content-Transfer-Encoding: Binary");
header("Content-disposition: attachment; filename=\"" . basename($file->original_name) . "\"");
readfile($docroot.'/'.$file->filepath);
exit();
} else {
if ($file->isFatturaElettronica()) {
$content = file_get_contents(base_dir().'/'.$file->filepath);

$stylesheet = base_dir().'/plugins/xml/'.$stylesheet.'.xsl';
$stylesheet = file_exists($stylesheet) ? $stylesheet : base_dir().'/plugins/xml/'.$default_stylesheet.'.xsl';
// Individuazione stylesheet
$default_stylesheet = 'asso-invoice';

// XML
$xml = new DOMDocument();
$xml->loadXML($content);
$name = basename($file->original_name);
$filename = explode('.', $name)[0];
$pieces = explode('_', $filename);
$stylesheet = $pieces[2];

// XSL
$xsl = new DOMDocument();
$xsl->load($stylesheet);
$stylesheet = base_dir().'/plugins/xml/'.$stylesheet.'.xsl';
$stylesheet = file_exists($stylesheet) ? $stylesheet : base_dir().'/plugins/xml/'.$default_stylesheet.'.xsl';

// XSLT
$xslt = new XSLTProcessor();
$xslt->importStylesheet($xsl);
// XML
$xml = new DOMDocument();
$xml->loadXML($content);

echo '
<style>
#notifica {
min-width: 860px !important;
}
</style>';
// XSL
$xsl = new DOMDocument();
$xsl->load($stylesheet);

echo $xslt->transformToXML($xml);
} else {
echo '
<style>
body, iframe, img{
border: 0;
margin: 0;
max-width: 100%;
}
iframe{
width:100%;
height:100%;
min-height: 500px;
}
</style>';
// XSLT
$xslt = new XSLTProcessor();
$xslt->importStylesheet($xsl);

if ($file->isImage()) {
echo '
<img src="'.$link.'"></img>';
} else {
if ($file->isPDF()) {
$src = \Prints::getPDFLink($file->filepath);
<style>
#notifica {
min-width: 860px !important;
}
</style>';

echo $xslt->transformToXML($xml);
} else {
echo '
<iframe src="'.($link ?: $src).'">
<a src="'.$link.'">'.tr('Il browser non supporta i contenuti iframe: clicca qui per raggiungere il file originale').'</a>
</iframe>';
<style>
body, iframe, img{
border: 0;
margin: 0;
max-width: 100%;
}
iframe{
width:100%;
height:100%;
min-height: 500px;
}
</style>';

if ($file->isImage()) {
echo '
<img src="'.$link.'"></img>';
} else {
if ($file->isPDF()) {
$src = \Prints::getPDFLink($file->filepath);
}

echo '
<iframe src="'.base_path().'/view.php?file_id='.$file_id.'&force=1">
<a src="'.base_path().'/view.php?file_id='.$file_id.'&force=1">'.tr('Il browser non supporta i contenuti iframe: clicca qui per raggiungere il file originale').'</a>
</iframe>';
}
}
}
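Review bot: The uploaded XML is still parsed with `$xml->loadXML($content)` and no libxml hardening, so on PHP builds where external entity loading is enabled a crafted file can make the parser fetch local files or URLs through entity declarations; use `$xml->loadXML($content, LIBXML_NONET)` and, on PHP < 8.0, call `libxml_disable_entity_loader(true)` before it. The new download branch builds its path from `$docroot`, while the rest of this hunk uses `base_dir()`/`base_path()`; unless `$docroot` is set outside the hunk, `readfile()` receives a path rooted at `/`, so `readfile(base_dir().'/'.$file->filepath);` looks like the intended form. `$src = \Prints::getPDFLink($file->filepath);` is now assigned but never read, since the iframe always points at `view.php?file_id=...&force=1`; either drop the assignment or add a comment stating that PDFs are deliberately forced to download. The `Content-disposition` header embeds `basename($file->original_name)` unescaped, so a double quote in the stored name corrupts the header; strip it, e.g. `filename="'.str_replace('"', '', basename($file->original_name)).'"`, and add `header('X-Content-Type-Options: nosniff');` beside the octet-stream header so the download is never sniffed back into a renderable type. `$file_id` and `$link` are defined outside the hunk and are echoed into attributes without `htmlspecialchars()`; casting `$file_id` to `int` at its source would remove the question.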
