Merge pull request #60 from Laravel-Backpack/prevent-mimes-tampering

prevent mime types tampering
Laravel-Backpack · Nov 18, 2024 · 25b5c97 · 25b5c97
2 parents d7d729d + 3275e4b
commit 25b5c97
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/src/BackpackElfinderController.php b/src/BackpackElfinderController.php
@@ -11,14 +11,23 @@ public function showPopup($input_id)
     {
         $mimes = request('mimes');
 
+        if (! isset($mimes)) {
+            Log::error('Someone attempted to tamper with mime types in elfinder popup. The attempt was blocked.');
+            abort(403, 'Unauthorized action.');
+        }
+
         try {
             $mimes = Crypt::decrypt(urldecode(request('mimes')));
         } catch (\Illuminate\Contracts\Encryption\DecryptException $e) {
             Log::error('Someone attempted to tamper with mime types in elfinder popup. The attempt was blocked.');
             abort(403, 'Unauthorized action.');
         }
 
-        request()->merge(['mimes' => urlencode(serialize($mimes))]);
+        if (! empty($mimes)) {
+            request()->merge(['mimes' => urlencode(serialize($mimes))]);
+        } else {
+            request()->merge(['mimes' => '']);
+        }
 
         return $this->app['view']
             ->make($this->package.'::standalonepopup')