use BookStack\Entities\Repos\PageRepo;
use BookStack\Uploads\Image;
-use BookStack\Entities\Page;
+use BookStack\Entities\Models\Page;
use BookStack\Uploads\ImageService;
use Illuminate\Support\Str;
use Tests\TestCase;
$relPath = $this->getTestImagePath('gallery', $fileName);
$this->deleteImage($relPath);
- $file = $this->getTestImage($fileName);
+ $file = $this->newTestImageFromBase64('bad-php.base64', $fileName);
$upload = $this->withHeader('Content-Type', 'image/jpeg')->call('POST', '/images/gallery', ['uploaded_to' => $page->id], [], ['file' => $file], []);
$upload->assertStatus(302);
$relPath = $this->getTestImagePath('gallery', $fileName);
$this->deleteImage($relPath);
- $file = $this->getTestImage($fileName);
+ $file = $this->newTestImageFromBase64('bad-phtml.base64', $fileName);
$upload = $this->withHeader('Content-Type', 'image/jpeg')->call('POST', '/images/gallery', ['uploaded_to' => $page->id], [], ['file' => $file], []);
$upload->assertStatus(302);
$this->assertFalse(file_exists(public_path($relPath)), 'Uploaded php file was uploaded but should have been stopped');
}
- public function test_files_with_double_extensions_cannot_be_uploaded()
+ public function test_files_with_double_extensions_will_get_sanitized()
{
- $page = Page::first();
+ $page = Page::query()->first();
$admin = $this->getAdmin();
$this->actingAs($admin);
$fileName = 'bad.phtml.png';
$relPath = $this->getTestImagePath('gallery', $fileName);
- $this->deleteImage($relPath);
+ $expectedRelPath = dirname($relPath) . '/bad-phtml.png';
+ $this->deleteImage($expectedRelPath);
- $file = $this->getTestImage($fileName);
+ $file = $this->newTestImageFromBase64('bad-phtml-png.base64', $fileName);
$upload = $this->withHeader('Content-Type', 'image/png')->call('POST', '/images/gallery', ['uploaded_to' => $page->id], [], ['file' => $file], []);
- $upload->assertStatus(302);
+ $upload->assertStatus(200);
+
+ $lastImage = Image::query()->latest('id')->first();
+
+ $this->assertEquals('bad.phtml.png', $lastImage->name);
+ $this->assertEquals('bad-phtml.png', basename($lastImage->path));
+ $this->assertFileDoesNotExist(public_path($relPath), 'Uploaded image file name was not stripped of dots');
+ $this->assertFileExists(public_path($expectedRelPath));
- $this->assertFalse(file_exists(public_path($relPath)), 'Uploaded double extension file was uploaded but should have been stopped');
+ $this->deleteImage($lastImage->path);
+ }
+
+ public function test_url_entities_removed_from_filenames()
+ {
+ $this->asEditor();
+ $badNames = [
+ "bad-char-#-image.png",
+ "bad-char-?-image.png",
+ "?#.png",
+ "?.png",
+ "#.png",
+ ];
+ foreach ($badNames as $name) {
+ $galleryFile = $this->getTestImage($name);
+ $page = Page::first();
+ $badPath = $this->getTestImagePath('gallery', $name);
+ $this->deleteImage($badPath);
+
+ $upload = $this->call('POST', '/images/gallery', ['uploaded_to' => $page->id], [], ['file' => $galleryFile], []);
+ $upload->assertStatus(200);
+
+ $lastImage = Image::query()->latest('id')->first();
+ $newFileName = explode('.', basename($lastImage->path))[0];
+
+ $this->assertEquals($lastImage->name, $name);
+ $this->assertFalse(strpos($lastImage->path, $name), 'Path contains original image name');
+ $this->assertFalse(file_exists(public_path($badPath)), 'Uploaded image file name was not stripped of url entities');
+
+ $this->assertTrue(strlen($newFileName) > 0, 'File name was reduced to nothing');
+
+ $this->deleteImage($lastImage->path);
+ }
}
public function test_secure_images_uploads_to_correct_place()
$this->deleteImage($relPath);
}
-}
\ No newline at end of file
+}
projects / bookstack / blobdiff