From 090fb2a2a15e703bfe09788ffe3d4be62f6df8c0 Mon Sep 17 00:00:00 2001
From: asylumdx
Date: Tue, 24 Oct 2023 11:55:42 -0400
Subject: [PATCH 1/2] Add extension whitelist to company logo file name
---
 .../V1/Admin/Settings/CompanyController.php | 60 ++++++++++++-------
 1 file changed, 39 insertions(+), 21 deletions(-)
diff --git a/app/Http/Controllers/V1/Admin/Settings/CompanyController.php b/app/Http/Controllers/V1/Admin/Settings/CompanyController.php
index 25381299e..d05a41822 100644
--- a/app/Http/Controllers/V1/Admin/Settings/CompanyController.php
+++ b/app/Http/Controllers/V1/Admin/Settings/CompanyController.php
@@ -56,41 +56,59 @@ public function updateCompany(CompanyRequest $request) return new CompanyResource($company); } +/** + * Upload the company logo to storage. + * + * @param \Crater\Http\Requests\CompanyLogoRequest $request + * @return \Illuminate\Http\JsonResponse + */ +public function uploadCompanyLogo(CompanyLogoRequest $request) +{ + $company = Company::find($request->header('company')); + $this->authorize('manage company', $company); - /** - * Upload the company logo to storage. - * - * @param \Crater\Http\Requests\CompanyLogoRequest $request - * @return \Illuminate\Http\JsonResponse - */ - public function uploadCompanyLogo(CompanyLogoRequest $request) - { - $company = Company::find($request->header('company')); + $data = json_decode($request->company_logo); - $this->authorize('manage company', $company); + if (isset($request->is_company_logo_removed) && (bool) $request->is_company_logo_removed) { + $company->clearMediaCollection('logo'); + } - $data = json_decode($request->company_logo); + if ($data) { + $company = Company::find($request->header('company')); - if (isset($request->is_company_logo_removed) && (bool) $request->is_company_logo_removed) { - $company->clearMediaCollection('logo'); - } - if ($data) { - $company = Company::find($request->header('company')); + if ($company) { + // Extract the file extension from the filename + $fileExtension = pathinfo($data->name, PATHINFO_EXTENSION); - if ($company) { + // Define an array of allowed extensions + $allowedExtensions = ['gif', 'png', 'jpeg']; + + // Check if the file extension is allowed + if (in_array($fileExtension, $allowedExtensions)) { $company->clearMediaCollection('logo'); $company->addMediaFromBase64($data->data) ->usingFileName($data->name) ->toMediaCollection('logo'); + + return response()->json([ + 'success' => true, + ]); + } else { + // File extension is not allowed + return response()->json([ + 'error' => 'Only .gif, .png, and .jpeg file extensions are allowed.', + ], 400); // You can 
set an appropriate HTTP status code for this case } } - - return response()->json([ - 'success' => true, - ]); } + return response()->json([ + 'success' => true, + ]); +} + + /** * Upload the Admin Avatar to public storage. *
From 1dbae89b1bca66526c549f5fa198c61472a9dc53 Mon Sep 17 00:00:00 2001
From: hazmiae
Date: Wed, 25 Oct 2023 15:48:04 +0800
Subject: [PATCH 2/2] Update CompanyController.php
---
 app/Http/Controllers/V1/Admin/Settings/CompanyController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/Http/Controllers/V1/Admin/Settings/CompanyController.php b/app/Http/Controllers/V1/Admin/Settings/CompanyController.php
index d05a41822..aced870f9 100644
--- a/app/Http/Controllers/V1/Admin/Settings/CompanyController.php
+++ b/app/Http/Controllers/V1/Admin/Settings/CompanyController.php
@@ -98,7 +98,7 @@ public function uploadCompanyLogo(CompanyLogoRequest $request)
 // File extension is not allowed
 return response()->json([
 'error' => 'Only .gif, .png, and .jpeg file extensions are allowed.',
- ], 400); // You can set an appropriate HTTP status code for this case
+ ], 400);
 }
 }
 }
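Review bot: The new `if (in_array($fileExtension, $allowedExtensions))` check only looks at the client-supplied `$data->name`, so it says nothing about what the base64 payload passed to `addMediaFromBase64($data->data)` actually contains, and being case-sensitive and non-strict it rejects `logo.PNG` without gaining anything; I would write `$fileExtension = strtolower(pathinfo($data->name ?? '', PATHINFO_EXTENSION));` and `if (in_array($fileExtension, $allowedExtensions, true)) {`, and add `'jpg'` next to `'jpeg'` since that is the common JPEG suffix. The decoded bytes should be validated independently of the name: medialibrary's `addMediaFromBase64()` accepts allowed MIME types as additional arguments and throws when the content does not match, so passing `'image/gif', 'image/png', 'image/jpeg'` there (and mapping that exception to the same 400 response) closes the gap, if the installed version supports it. As far as the collapsed rendering shows, every added line of the rewritten method sits at column 0 while the lines it replaces were indented as class members, which is why the hunk is an interleaved rewrite instead of a short insertion; restoring the indentation would shrink the change to the new check. The second `Company::find($request->header('company'))` inside `if ($data)` re-fetches the model already held in `$company`, and the success return added inside that branch duplicates the one at the end of the method.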