Fixed XSS vulnerability in SVG image uploads [ch10476] (#7639)

* Added enshrined/svg-sanitize

* Added modular image resizing/SVG cleaning method

(This already exists in v5, so I mostly ported it forward and added the SVG sanitizer.)

* Use improved handleImages method to upload/resize/clean images

* Removed $old_image

This is handled in the ImageUpload request now
This commit is contained in:
snipe
2019-12-05 22:23:05 -08:00
committed by GitHub
parent 3f5840d390
commit e71e57f16a
14 changed files with 160 additions and 359 deletions
+2 -10
View File
@@ -87,16 +87,8 @@ class ConsumablesController extends Controller
$consumable->user_id = Auth::id();
if ($request->file('image')) {
$image = $request->file('image');
$file_name = str_random(25).".".$image->getClientOriginalExtension();
$path = public_path('uploads/consumables/'.$file_name);
Image::make($image->getRealPath())->resize(800, null, function ($constraint) {
$constraint->aspectRatio();
$constraint->upsize();
})->save($path);
$consumable->image = $file_name;
}
$consumable = $request->handleImages($consumable,600, public_path().'/uploads/components');
if ($consumable->save()) {
return redirect()->route('consumables.index')->with('success', trans('admin/consumables/message.create.success'));