loviuz/openstamanager
loviuz
/
openstamanager
mirror of https://github.com/devcode-it/openstamanager.git
1
0
Fork 0
Code Issues Releases Activity

Fix problema di sicurezza upload file svg e xml

This commit is contained in:
loviuz 2021-07-04 20:02:16 +02:00
parent 9011409cc1
commit 7ec0bbe4bb
2 changed files with 65 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/Models/Upload.php
View File

@ -206,7 +206,7 @@ class Upload extends Model
*/ */
public function isImage() public function isImage()
{ {
$list = ['jpg', 'png', 'gif', 'jpeg', 'bmp']; $list = ['jpg', 'png', 'gif', 'jpeg', 'bmp', 'svg'];
return in_array($this->extension, $list); return in_array($this->extension, $list);
} }

119
view.php
View File

@ -29,66 +29,75 @@ if (empty($file)) {
$link = base_path().'/'.$file->filepath; $link = base_path().'/'.$file->filepath;
if ($file->isFatturaElettronica()) { // Force download of the file
$content = file_get_contents(base_dir().'/'.$file->filepath); if (get('force') == '1') {
header('Content-Type: application/octet-stream');
// Individuazione stylesheet header("Content-Transfer-Encoding: Binary");
$default_stylesheet = 'asso-invoice'; header("Content-disposition: attachment; filename=\"" . basename($file->original_name) . "\"");
readfile($docroot.'/'.$file->filepath);
$name = basename($file->original_name); exit();
$filename = explode('.', $name)[0];
$pieces = explode('_', $filename);
$stylesheet = $pieces[2];
$stylesheet = base_dir().'/plugins/xml/'.$stylesheet.'.xsl';
$stylesheet = file_exists($stylesheet) ? $stylesheet : base_dir().'/plugins/xml/'.$default_stylesheet.'.xsl';
// XML
$xml = new DOMDocument();
$xml->loadXML($content);
// XSL
$xsl = new DOMDocument();
$xsl->load($stylesheet);
// XSLT
$xslt = new XSLTProcessor();
$xslt->importStylesheet($xsl);
echo '
<style>
#notifica {
min-width: 860px !important;
}
</style>';
echo $xslt->transformToXML($xml);
} else { } else {
echo ' if ($file->isFatturaElettronica()) {
<style> $content = file_get_contents(base_dir().'/'.$file->filepath);
body, iframe, img{
border: 0; // Individuazione stylesheet
margin: 0; $default_stylesheet = 'asso-invoice';
max-width: 100%;
} $name = basename($file->original_name);
iframe{ $filename = explode('.', $name)[0];
width:100%; $pieces = explode('_', $filename);
height:100%; $stylesheet = $pieces[2];
min-height: 500px;
} $stylesheet = base_dir().'/plugins/xml/'.$stylesheet.'.xsl';
</style>'; $stylesheet = file_exists($stylesheet) ? $stylesheet : base_dir().'/plugins/xml/'.$default_stylesheet.'.xsl';
// XML
$xml = new DOMDocument();
$xml->loadXML($content);
// XSL
$xsl = new DOMDocument();
$xsl->load($stylesheet);
// XSLT
$xslt = new XSLTProcessor();
$xslt->importStylesheet($xsl);
if ($file->isImage()) {
echo ' echo '
<img src="'.$link.'"></img>'; <style>
} else { #notifica {
if ($file->isPDF()) { min-width: 860px !important;
$src = \Prints::getPDFLink($file->filepath);
} }
</style>';
echo $xslt->transformToXML($xml);
} else {
echo ' echo '
<iframe src="'.($link ?: $src).'"> <style>
<a src="'.$link.'">'.tr('Il browser non supporta i contenuti iframe: clicca qui per raggiungere il file originale').'</a> body, iframe, img{
</iframe>'; border: 0;
margin: 0;
max-width: 100%;
}
iframe{
width:100%;
height:100%;
min-height: 500px;
}
</style>';
if ($file->isImage()) {
echo '
<img src="'.$link.'"></img>';
} else {
if ($file->isPDF()) {
$src = \Prints::getPDFLink($file->filepath);
}
echo '
<iframe src="'.base_path().'/view.php?file_id='.$file_id.'&force=1">
<a src="'.base_path().'/view.php?file_id='.$file_id.'&force=1">'.tr('Il browser non supporta i contenuti iframe: clicca qui per raggiungere il file originale').'</a>
</iframe>';
}
} }
} }