mirror of
https://github.com/flarum/core.git
synced 2025-10-27 05:31:29 +01:00
Dw/huntr fix path traversal (#2931)
* Fix Huntr vuln with possible directory traversal * Use `active_url` in Laravel validator
This commit is contained in:
Daniël Klabbers
GitHub
@@ -21,8 +21,10 @@ use Flarum\User\UserValidator;
|
||||
use Illuminate\Contracts\Events\Dispatcher;
|
||||
use Illuminate\Support\Arr;
|
||||
use Illuminate\Support\Str;
|
||||
use Illuminate\Validation\Factory;
|
||||
use Illuminate\Validation\ValidationException;
|
||||
use Intervention\Image\ImageManager;
|
||||
use InvalidArgumentException;
|
||||
|
||||
class RegisterUserHandler
|
||||
{
|
||||
@@ -36,12 +38,16 @@ class RegisterUserHandler
|
||||
/**
|
||||
* @var UserValidator
|
||||
*/
|
||||
protected $validator;
|
||||
protected $userValidator;
|
||||
|
||||
/**
|
||||
* @var AvatarUploader
|
||||
*/
|
||||
protected $avatarUploader;
|
||||
/**
|
||||
* @var Factory
|
||||
*/
|
||||
private $validator;
|
||||
|
||||
/**
|
||||
* @param Dispatcher $events
|
||||
@@ -49,12 +55,13 @@ class RegisterUserHandler
|
||||
* @param UserValidator $validator
|
||||
* @param AvatarUploader $avatarUploader
|
||||
*/
|
||||
public function __construct(Dispatcher $events, SettingsRepositoryInterface $settings, UserValidator $validator, AvatarUploader $avatarUploader)
|
||||
public function __construct(Dispatcher $events, SettingsRepositoryInterface $settings, UserValidator $userValidator, AvatarUploader $avatarUploader, Factory $validator)
|
||||
{
|
||||
$this->events = $events;
|
||||
$this->settings = $settings;
|
||||
$this->validator = $validator;
|
||||
$this->userValidator = $userValidator;
|
||||
$this->avatarUploader = $avatarUploader;
|
||||
$this->validator = $validator;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -101,7 +108,7 @@ class RegisterUserHandler
|
||||
new Saving($user, $actor, $data)
|
||||
);
|
||||
|
||||
$this->validator->assertValid(array_merge($user->getAttributes(), compact('password')));
|
||||
$this->userValidator->assertValid(array_merge($user->getAttributes(), compact('password')));
|
||||
|
||||
$user->save();
|
||||
|
||||
@@ -134,8 +141,25 @@ class RegisterUserHandler
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @throws InvalidArgumentException
|
||||
*/
|
||||
private function uploadAvatarFromUrl(User $user, string $url)
|
||||
{
|
||||
$urlValidator = $this->validator->make(compact('url'), [
|
||||
'url' => 'required|active_url',
|
||||
]);
|
||||
|
||||
if ($urlValidator->fails()) {
|
||||
throw new InvalidArgumentException('Provided avatar URL must be a valid URI.', 503);
|
||||
}
|
||||
|
||||
$scheme = parse_url($url, PHP_URL_SCHEME);
|
||||
|
||||
if (! in_array($scheme, ['http', 'https'])) {
|
||||
throw new InvalidArgumentException("Provided avatar URL must have scheme http or https. Scheme provided was $scheme.", 503);
|
||||
}
|
||||
|
||||
$image = (new ImageManager)->make($url);
|
||||
|
||||
$this->avatarUploader->upload($user, $image);
|
||||
|
||||
Reference in New Issue
Block a user