Ensure that only files with the extensions listed in the `allowedFileExtensions` General Config setting can be used with the SEO File Link controller

Signed-off-by: Andrew Welch <andrew@nystudio107.com>
khalwat committed Sep 24, 2021
1 parent c078e70 commit 5f2cdc7
Showing 1 changed file with 12 additions and 0 deletions.
12 changes: 12 additions & 0 deletions src/controllers/FileController.php
Expand Up @@ -15,12 +15,15 @@
use nystudio107\seomatic\Seomatic;

use Craft;
use craft\elements\Asset;
use craft\helpers\FileHelper;
use craft\helpers\Assets as AssetsHelper;
use craft\web\Controller;

use yii\web\NotFoundHttpException;
use yii\web\HttpException;
use yii\web\Response;
use yii\web\ServerErrorHttpException;

/**
* @author nystudio107
Expand Down Expand Up @@ -87,6 +90,15 @@ public function actionSeoFileLink($url, $robots = '', $canonical = '', $inline =
$headerValue = '<'.$canonical.'>; rel="canonical"';
$response->headers->add('Link', $headerValue);
}
// Ensure the file type is allowed
// ref: https://craftcms.com/docs/3.x/config/config-settings.html#allowedfileextensions
$allowedExtensions = Craft::$app->getConfig()->getGeneral()->allowedFileExtensions;
if (($ext = pathinfo($fileName, PATHINFO_EXTENSION)) !== '') {
$ext = strtolower($ext);
}
if ($ext === '' || !in_array($ext, $allowedExtensions, true)) {
throw new ServerErrorHttpException(Craft::t('seomatic', 'File format not allowed.'));
}
// Send the file as a stream, so it can exist anywhere
$response->sendContentAsFile(
$contents,
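Review bot: The extension check is performed only after the canonical `Link` header has been added and, judging by the `$contents` argument passed to `sendContentAsFile` on the next line, after the file has already been read from the caller-supplied `$url`, so a disallowed extension still triggers the fetch and the resulting error response may carry the headers already set on `$response`; moving the `allowedFileExtensions` check to the top of `actionSeoFileLink`, before anything is fetched or any header is written, would close that gap. The rejection is also reported as a 500 through `ServerErrorHttpException`, although a disallowed extension is a client-side input error; `HttpException` is already imported, so `throw new HttpException(400, Craft::t('seomatic', 'File format not allowed.'));` (or a 403/404) would return the right status and keep these rejections out of server-error alerting. Strict `in_array` after `strtolower` is correct only if every entry in `allowedFileExtensions` is itself lowercase, which is worth confirming or normalising once when the list is read. `actionSeoFileLink` begins and ends outside this hunk.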
