loviuz/openstamanager
loviuz
/
openstamanager
mirror of https://github.com/devcode-it/openstamanager.git
1
0
Fork 0
Code Issues Releases Activity

Fix problema di sicurezza upload file svg e xml

This commit is contained in:
loviuz 2021-07-04 20:02:16 +02:00
parent 9011409cc1
commit 7ec0bbe4bb
2 changed files with 65 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/Models/Upload.php
View File

@ -206,7 +206,7 @@ class Upload extends Model
*/
public function isImage()
{
$list = ['jpg', 'png', 'gif', 'jpeg', 'bmp'];
$list = ['jpg', 'png', 'gif', 'jpeg', 'bmp', 'svg'];
return in_array($this->extension, $list);
}

119
view.php
View File

@ -29,66 +29,75 @@ if (empty($file)) {
$link = base_path().'/'.$file->filepath;
if ($file->isFatturaElettronica()) {
$content = file_get_contents(base_dir().'/'.$file->filepath);
// Individuazione stylesheet
$default_stylesheet = 'asso-invoice';
$name = basename($file->original_name);
$filename = explode('.', $name)[0];
$pieces = explode('_', $filename);
$stylesheet = $pieces[2];
$stylesheet = base_dir().'/plugins/xml/'.$stylesheet.'.xsl';
$stylesheet = file_exists($stylesheet) ? $stylesheet : base_dir().'/plugins/xml/'.$default_stylesheet.'.xsl';
// XML
$xml = new DOMDocument();
$xml->loadXML($content);
// XSL
$xsl = new DOMDocument();
$xsl->load($stylesheet);
// XSLT
$xslt = new XSLTProcessor();
$xslt->importStylesheet($xsl);
echo '
<style>
#notifica {
min-width: 860px !important;
}
</style>';
echo $xslt->transformToXML($xml);
// Force download of the file
if (get('force') == '1') {
header('Content-Type: application/octet-stream');
header("Content-Transfer-Encoding: Binary");
header("Content-disposition: attachment; filename=\"" . basename($file->original_name) . "\"");
readfile($docroot.'/'.$file->filepath);
exit();
} else {
echo '
<style>
body, iframe, img{
border: 0;
margin: 0;
max-width: 100%;
}
iframe{
width:100%;
height:100%;
min-height: 500px;
}
</style>';
if ($file->isFatturaElettronica()) {
$content = file_get_contents(base_dir().'/'.$file->filepath);
// Individuazione stylesheet
$default_stylesheet = 'asso-invoice';
$name = basename($file->original_name);
$filename = explode('.', $name)[0];
$pieces = explode('_', $filename);
$stylesheet = $pieces[2];
$stylesheet = base_dir().'/plugins/xml/'.$stylesheet.'.xsl';
$stylesheet = file_exists($stylesheet) ? $stylesheet : base_dir().'/plugins/xml/'.$default_stylesheet.'.xsl';
// XML
$xml = new DOMDocument();
$xml->loadXML($content);
// XSL
$xsl = new DOMDocument();
$xsl->load($stylesheet);
// XSLT
$xslt = new XSLTProcessor();
$xslt->importStylesheet($xsl);
if ($file->isImage()) {
echo '
<img src="'.$link.'"></img>';
} else {
if ($file->isPDF()) {
$src = \Prints::getPDFLink($file->filepath);
<style>
#notifica {
min-width: 860px !important;
}
</style>';
echo $xslt->transformToXML($xml);
} else {
echo '
<iframe src="'.($link ?: $src).'">
<a src="'.$link.'">'.tr('Il browser non supporta i contenuti iframe: clicca qui per raggiungere il file originale').'</a>
</iframe>';
<style>
body, iframe, img{
border: 0;
margin: 0;
max-width: 100%;
}
iframe{
width:100%;
height:100%;
min-height: 500px;
}
</style>';
if ($file->isImage()) {
echo '
<img src="'.$link.'"></img>';
} else {
if ($file->isPDF()) {
$src = \Prints::getPDFLink($file->filepath);
}
echo '
<iframe src="'.base_path().'/view.php?file_id='.$file_id.'&force=1">
<a src="'.base_path().'/view.php?file_id='.$file_id.'&force=1">'.tr('Il browser non supporta i contenuti iframe: clicca qui per raggiungere il file originale').'</a>
</iframe>';
}
}
}