Fix problema di sicurezza upload file svg e xml

This commit is contained in:
loviuz 2021-07-04 20:02:16 +02:00
parent 9011409cc1
commit 7ec0bbe4bb
2 changed files with 65 additions and 56 deletions


@ -206,7 +206,7 @@ class Upload extends Model
*/ */
public function isImage() public function isImage()
{ {
$list = ['jpg', 'png', 'gif', 'jpeg', 'bmp']; $list = ['jpg', 'png', 'gif', 'jpeg', 'bmp', 'svg'];
return in_array($this->extension, $list); return in_array($this->extension, $list);
} }
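Review bot: Adding `'svg'` to the list makes `isImage()` answer true for a format that can carry embedded script and external references, so any caller that uses this predicate to decide between inline display and download will now show SVG inline; the callers are not visible in this hunk, so that should be confirmed against them before relying on the commit title's claim. Independently, the `in_array` check is non-strict and case-sensitive on `$this->extension`, so `'SVG'` or `'Png'` fall through; `return in_array(strtolower($this->extension), $list, true);` would tighten it. The extension is presumably taken from the stored name rather than from the file's actual content, so this check alone does not establish what the file is. The enclosing class `Upload` continues outside the hunk.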


@ -29,6 +29,14 @@ if (empty($file)) {
$link = base_path().'/'.$file->filepath; $link = base_path().'/'.$file->filepath;
// Force download of the file
if (get('force') == '1') {
header('Content-Type: application/octet-stream');
header("Content-Transfer-Encoding: Binary");
header("Content-disposition: attachment; filename=\"" . basename($file->original_name) . "\"");
readfile($docroot.'/'.$file->filepath);
exit();
} else {
if ($file->isFatturaElettronica()) { if ($file->isFatturaElettronica()) {
$content = file_get_contents(base_dir().'/'.$file->filepath); $content = file_get_contents(base_dir().'/'.$file->filepath);
@ -87,8 +95,9 @@ if ($file->isFatturaElettronica()) {
} }
echo ' echo '
<iframe src="'.($link ?: $src).'"> <iframe src="'.base_path().'/view.php?file_id='.$file_id.'&force=1">
<a src="'.$link.'">'.tr('Il browser non supporta i contenuti iframe: clicca qui per raggiungere il file originale').'</a> <a src="'.base_path().'/view.php?file_id='.$file_id.'&force=1">'.tr('Il browser non supporta i contenuti iframe: clicca qui per raggiungere il file originale').'</a>
</iframe>'; </iframe>';
} }
} }
}
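Review bot: The forced-download branch added around the `header(...)` calls still allows a browser to sniff an SVG or XML body and render it despite the octet-stream Content-Type, which is the exposure the commit title targets; add `header('X-Content-Type-Options: nosniff');` beside the existing Content-Type header. The attachment filename is quoted but not escaped, so an `original_name` containing a `"` breaks the Content-Disposition value; stripping quotes from the `basename()` result, or emitting a `filename*=UTF-8''` parameter built with `rawurlencode()`, keeps the header well-formed. The `readfile($docroot.'/'.$file->filepath)` line uses `$docroot` while the neighbouring lines use `base_path()` and `base_dir()`; if `$docroot` is not defined in this scope the response body will be empty, so aligning on one helper is worth doing. In the second hunk the `<a src="...">` anchor should be `href`, and `$file_id` is written into the markup unescaped — if it comes straight from the request it should be cast with `(int)` or passed through `htmlspecialchars()`. The enclosing `if (empty($file))` structure starts before the first hunk.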