Sessions: Prevent image urls being part of session URL history
authorDan Brown <redacted>
Thu, 22 Feb 2024 11:22:08 +0000 (11:22 +0000)
committerDan Brown <redacted>
Thu, 22 Feb 2024 11:23:59 +0000 (11:23 +0000)
To prevent them from being considered for redirects.
Includes test to cover.
For #4863

app/Http/Kernel.php
app/Http/Middleware/StartSessionExtended.php [new file with mode: 0644]
tests/Uploads/ImageTest.php

index 1b96ff3db66e4e4222065d0df3de754104ae4817..d23f56a2cf9c6857784f0487710f59826d01ea67 100644 (file)
@@ -28,7 +28,7 @@ class Kernel extends HttpKernel
             \BookStack\Http\Middleware\ApplyCspRules::class,
             \BookStack\Http\Middleware\EncryptCookies::class,
             \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
-            \Illuminate\Session\Middleware\StartSession::class,
+            \BookStack\Http\Middleware\StartSessionExtended::class,
             \Illuminate\View\Middleware\ShareErrorsFromSession::class,
             \BookStack\Http\Middleware\VerifyCsrfToken::class,
             \BookStack\Http\Middleware\CheckEmailConfirmed::class,
diff --git a/app/Http/Middleware/StartSessionExtended.php b/app/Http/Middleware/StartSessionExtended.php
new file mode 100644 (file)
index 0000000..26cd250
--- /dev/null
@@ -0,0 +1,34 @@
+<?php
+
+namespace BookStack\Http\Middleware;
+
+use Illuminate\Http\Request;
+use Illuminate\Session\Middleware\StartSession as Middleware;
+
+/**
+ * An extended version of the default Laravel "StartSession" middleware
+ * with customizations applied as required:
+ *
+ * - Adds filtering for the request URLs stored in session history.
+ */
+class StartSessionExtended extends Middleware
+{
+    protected static array $pathPrefixesExcludedFromHistory = [
+        'uploads/images/'
+    ];
+
+    /**
+     * @inheritdoc
+     */
+    protected function storeCurrentUrl(Request $request, $session): void
+    {
+        $requestPath = strtolower($request->path());
+        foreach (static::$pathPrefixesExcludedFromHistory as $excludedPath) {
+            if (str_starts_with($requestPath, $excludedPath)) {
+                return;
+            }
+        }
+
+        parent::storeCurrentUrl($request, $session);
+    }
+}
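Review bot: `$pathPrefixesExcludedFromHistory` at line 45 is matched against a lower-cased request path, so any entry later added with upper-case characters would silently never match, and the property carries no type docblock stating this. I'd put above it `/** @var string[] Lower-case path prefixes (relative to the app root, no leading slash) whose requests are not recorded as the session's previous URL, so they cannot become redirect-back targets. */` and add a trailing comma after the single entry. The `@inheritdoc` on `storeCurrentUrl` says nothing about the override; a line such as `Skips requests whose path starts with an excluded prefix, otherwise defers to the parent implementation.` would make the intent readable without opening the base class. Presumably the parent only invokes this hook for routed GET requests, so the prefix check narrows rather than replaces that filtering; worth confirming against the installed Laravel version and noting in the docblock.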
index af249951f3038d836ed5a27958801fe7dbc93cf9..d24b6202b3770d4adf235d7a19f2dbe6a824e4a2 100644 (file)
@@ -383,6 +383,29 @@ class ImageTest extends TestCase
         }
     }
 
+    public function test_secure_images_not_tracked_in_session_history()
+    {
+        config()->set('filesystems.images', 'local_secure');
+        $this->asEditor();
+        $page = $this->entities->page();
+        $result = $this->files->uploadGalleryImageToPage($this, $page);
+        $expectedPath = storage_path($result['path']);
+        $this->assertFileExists($expectedPath);
+
+        $this->get('/books');
+        $this->assertEquals(url('/books'), session()->previousUrl());
+
+        $resp = $this->get($result['path']);
+        $resp->assertOk();
+        $resp->assertHeader('Content-Type', 'image/png');
+
+        $this->assertEquals(url('/books'), session()->previousUrl());
+
+        if (file_exists($expectedPath)) {
+            unlink($expectedPath);
+        }
+    }
+
     public function test_system_images_remain_public_with_local_secure_restricted()
     {
         config()->set('filesystems.images', 'local_secure_restricted');
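Review bot: The `unlink` cleanup at lines 87-89 of `test_secure_images_not_tracked_in_session_history` only runs when every preceding assertion passes, so a failing `assertOk()` or `previousUrl()` assertion leaves the uploaded file under storage and can affect later tests that count or list images. Wrapping the assertions after line 76 in `try { … } finally { if (file_exists($expectedPath)) { unlink($expectedPath); } }` keeps the cleanup unconditional; if the sibling tests in this file share the pattern, the same change applies there. The test also lacks a `: void` return type, which appears to follow the existing style of the file rather than be an oversight. `test_system_images_remain_public_with_local_secure_restricted` begins at the end of this hunk and continues outside it.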