BookStack Code Mirror - bookstack/blobdiff - app/Http/Controllers/Controller.php

diff --git a/app/Http/Controllers/Controller.php b/app/Http/Controllers/Controller.php

index 13a86f6f7c78672ef99cdab9dedb566d1b148cec..01911808f47dd8981c55c5565f684eda0a80dd9d 100644 (file)

--- a/app/Http/Controllers/Controller.php

+++ b/app/Http/Controllers/Controller.php

@@ -12,6 +12,7 @@ use Illuminate\Foundation\Validation\ValidatesRequests;

use Illuminate\Http\JsonResponse;

use Illuminate\Http\Response;

use Illuminate\Routing\Controller as BaseController;

+use Symfony\Component\HttpFoundation\StreamedResponse;

abstract class Controller extends BaseController

{

@@ -54,6 +55,7 @@ abstract class Controller extends BaseController

protected function showPermissionError()

{

$message = request()->wantsJson() ? trans('errors.permissionJson') : trans('errors.permission');

+

throw new NotifyException($message, '/', 403);

}

@@ -114,7 +116,30 @@ abstract class Controller extends BaseController

{

return response()->make($content, 200, [

'Content-Type' => 'application/octet-stream',

- 'Content-Disposition' => 'attachment; filename="' . $fileName . '"',

+ 'Content-Disposition' => 'attachment; filename="' . str_replace('"', '', $fileName) . '"',

+ 'X-Content-Type-Options' => 'nosniff',

+ ]);

+ }

+

+ /**

+ * Create a response that forces a download, from a given stream of content.

+ */

+ protected function streamedDownloadResponse($stream, string $fileName): StreamedResponse

+ {

+ return response()->stream(function () use ($stream) {

+

+ // End & flush the output buffer, if we're in one, otherwise we still use memory.

+ // Output buffer may or may not exist depending on PHP `output_buffering` setting.

+ // Ignore in testing since output buffers are used to gather a response.

+ if (!empty(ob_get_status()) && !app()->runningUnitTests()) {

+ ob_end_clean();

+ }

+

+ fpassthru($stream);

+ fclose($stream);

+ }, 200, [

+ 'Content-Type' => 'application/octet-stream',

+ 'Content-Disposition' => 'attachment; filename="' . str_replace('"', '', $fileName) . '"',

'X-Content-Type-Options' => 'nosniff',

]);

}

@@ -129,7 +154,28 @@ abstract class Controller extends BaseController

return response()->make($content, 200, [

'Content-Type' => $mime,

- 'Content-Disposition' => 'inline; filename="' . $fileName . '"',

+ 'Content-Disposition' => 'inline; filename="' . str_replace('"', '', $fileName) . '"',

+ 'X-Content-Type-Options' => 'nosniff',

+ ]);

+ }

+

+ /**

+ * Create a file download response that provides the file with a content-type

+ * correct for the file, in a way so the browser can show the content in browser,

+ * for a given content stream.

+ */

+ protected function streamedInlineDownloadResponse($stream, string $fileName): StreamedResponse

+ {

+ $sniffContent = fread($stream, 1000);

+ $mime = (new WebSafeMimeSniffer())->sniff($sniffContent);

+

+ return response()->stream(function () use ($sniffContent, $stream) {

+ echo $sniffContent;

+ fpassthru($stream);

+ fclose($stream);

+ }, 200, [

+ 'Content-Type' => $mime,

+ 'Content-Disposition' => 'inline; filename="' . str_replace('"', '', $fileName) . '"',

'X-Content-Type-Options' => 'nosniff',

]);

}

@@ -173,6 +219,6 @@ abstract class Controller extends BaseController

*/

protected function getImageValidationRules(): array

{

- return ['image_extension', 'mimes:jpeg,png,gif,webp', 'max:' . (config('app.upload_limit') * 1000)];

+ return ['image_extension', 'mimes:jpeg,png,gif,webp,svg', 'max:' . (config('app.upload_limit') * 1000)];

}