Disallow uploads from localhost
brian-kephart committed Oct 12, 2021
1 parent c8fe87c commit 5a252d5
Showing 2 changed files with 19 additions and 1 deletion.
19 changes: 18 additions & 1 deletion app/controllers/camaleon_cms/admin/media_controller.rb
Expand Up @@ -4,6 +4,15 @@ class CamaleonCms::Admin::MediaController < CamaleonCms::AdminController
skip_before_action :verify_authenticity_token, only: :upload, raise: false
before_action :init_media_vars, except: :download_private_file

LOCALHOST_DOMAIN_MATCHER = %r{
localhost|
127\.0\.0\.1|
0\.0\.0\.0|
0x7f\.0x0\.0x0\.0x1| # hex encoding
0177\.0\.0\.01| # octal encoding
2130706433 # dword encoding
}x

# render media section
def index
authorize! :manage, :media
Expand Down Expand Up @@ -67,7 +76,11 @@ def actions
unless params[:url].start_with?('data:')
params[:url] = (params[:url].start_with?('http') ? '' : current_site.the_url(locale: nil)) + params[:url]
end
r = cama_tmp_upload( params[:url], formats: params[:formats], name: params[:name])
r = if local_url?(params[:url])
{ error: t("camaleon_cms.admin.media.local_upload_denied") }
else
cama_tmp_upload( params[:url], formats: params[:formats], name: params[:name])
end
unless r[:error].present?
params[:file_upload] = r[:file_path]
sett = {remove_source: true}
Expand All @@ -80,6 +93,10 @@ def actions
end
end

def local_url?(url)
url.try :match?, LOCALHOST_DOMAIN_MATCHER
end

# upload files from media uploader
def upload(settings = {})
params[:dimension] = nil if params[:skip_auto_crop].present?
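Review bot: `local_url?` in the `@@ -80,6 +93,10 @@` hunk tests the whole raw URL against an unanchored substring pattern, so it only blocks the exact spellings listed in `LOCALHOST_DOMAIN_MATCHER` (not, for instance, other 127.0.0.0/8 addresses, the IPv6 loopback, or a hostname that merely resolves to the local machine) while also rejecting legitimate URLs whose path, query or `data:` payload happens to contain one of those substrings. A more robust check parses the host with `URI`, resolves it, and asks `IPAddr` whether any resolved address is loopback, private or link-local; whether `cama_tmp_upload` follows redirects is not visible in this hunk, so redirect targets may need the same check inside it. Separately, `local_url?` is defined after `actions` with no `private` marker in the hunk, so unless one exists above it is a public controller method; placing it under `private` keeps it out of the action namespace. The file's `require` lines are outside the hunk, so `resolv` and `ipaddr` would need adding there.
```ruby
def local_url?(url)
  host = URI.parse(url.to_s).host
  return false if host.nil? # data: URLs carry no host; relative paths were prefixed in `actions`

  Resolv.getaddresses(host).any? do |address|
    ip = IPAddr.new(address)
    ip.loopback? || ip.private? || ip.link_local?
  end
rescue URI::InvalidURIError, IPAddr::InvalidAddressError
  true # fail closed: an unparseable URL is not fetched
end
```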
1 change: 1 addition & 0 deletions config/locales/camaleon_cms/admin/en.yml
Expand Up @@ -212,6 +212,7 @@ en:
reload: 'Reload'
clear_cache: 'Clear Cache'
name_required: 'File name is required'
local_upload_denied: 'Cannot upload from localhost'
menus:
menus: Menus
link_url: 'Link URL'
