X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/a6633642232efd164d4708967ab59e498fbff896..refs/pull/3298/head:/app/Http/Controllers/Controller.php diff --git a/app/Http/Controllers/Controller.php b/app/Http/Controllers/Controller.php index 479d5ac15..d616974c6 100644 --- a/app/Http/Controllers/Controller.php +++ b/app/Http/Controllers/Controller.php @@ -2,20 +2,21 @@ namespace BookStack\Http\Controllers; +use BookStack\Exceptions\NotifyException; use BookStack\Facades\Activity; use BookStack\Interfaces\Loggable; -use BookStack\HasCreatorAndUpdater; use BookStack\Model; +use BookStack\Util\WebSafeMimeSniffer; use Illuminate\Foundation\Bus\DispatchesJobs; use Illuminate\Foundation\Validation\ValidatesRequests; -use Illuminate\Http\Exceptions\HttpResponseException; use Illuminate\Http\JsonResponse; use Illuminate\Http\Response; use Illuminate\Routing\Controller as BaseController; abstract class Controller extends BaseController { - use DispatchesJobs, ValidatesRequests; + use DispatchesJobs; + use ValidatesRequests; /** * Check if the current user is signed in. @@ -47,17 +48,14 @@ abstract class Controller extends BaseController /** * On a permission error redirect to home and display. * the error as a notification. + * + * @return never */ protected function showPermissionError() { - if (request()->wantsJson()) { - $response = response()->json(['error' => trans('errors.permissionJson')], 403); - } else { - $response = redirect('/'); - $this->showErrorNotification(trans('errors.permission')); - } + $message = request()->wantsJson() ? trans('errors.permissionJson') : trans('errors.permission'); - throw new HttpResponseException($response); + throw new NotifyException($message, '/', 403); } /** @@ -105,7 +103,7 @@ abstract class Controller extends BaseController /** * Send back a json error message. */ - protected function jsonError(string $messageText = "", int $statusCode = 500): JsonResponse + protected function jsonError(string $messageText = '', int $statusCode = 500): JsonResponse { return response()->json(['message' => $messageText, 'status' => 'error'], $statusCode); } @@ -116,8 +114,24 @@ abstract class Controller extends BaseController protected function downloadResponse(string $content, string $fileName): Response { return response()->make($content, 200, [ - 'Content-Type' => 'application/octet-stream', - 'Content-Disposition' => 'attachment; filename="' . $fileName . '"' + 'Content-Type' => 'application/octet-stream', + 'Content-Disposition' => 'attachment; filename="' . $fileName . '"', + 'X-Content-Type-Options' => 'nosniff', + ]); + } + + /** + * Create a file download response that provides the file with a content-type + * correct for the file, in a way so the browser can show the content in browser. + */ + protected function inlineDownloadResponse(string $content, string $fileName): Response + { + $mime = (new WebSafeMimeSniffer())->sniff($content); + + return response()->make($content, 200, [ + 'Content-Type' => $mime, + 'Content-Disposition' => 'inline; filename="' . $fileName . '"', + 'X-Content-Type-Options' => 'nosniff', ]); } @@ -147,7 +161,8 @@ abstract class Controller extends BaseController /** * Log an activity in the system. - * @param string|Loggable + * + * @param string|Loggable $detail */ protected function logActivity(string $type, $detail = ''): void { @@ -157,8 +172,8 @@ abstract class Controller extends BaseController /** * Get the validation rules for image files. */ - protected function getImageValidationRules(): string + protected function getImageValidationRules(): array { - return 'image_extension|no_double_extension|mimes:jpeg,png,gif,webp'; + return ['image_extension', 'mimes:jpeg,png,gif,webp', 'max:' . (config('app.upload_limit') * 1000)]; } }