Add encrypt_mimes config option (#88)

pxpm · StyleCIBot · web-flow · commit 261971c890a9 · 2026-03-26T13:03:11.000Z
* add option to disabled mimes encryption

* Apply fixes from StyleCI

* bc

---------

Co-authored-by: StyleCI Bot &lt;bot@styleci.io&gt;
diff --git a/config/elfinder.php b/config/elfinder.php
@@ -90,4 +90,17 @@
     'root_options' => [
 
     ],
+
+    /*
+    |--------------------------------------------------------------------------
+    | Encrypt MIME Types
+    |--------------------------------------------------------------------------
+    |
+    | When enabled, MIME types configured on browse/browse_multiple fields are
+    | encrypted before being passed to the frontend, preventing CASUAL URL
+    | tampering. Note that this is a UI-level convenience only — NOT A SECURITY MEASURE.
+    | Determined users can always bypass client-side restrictions.
+    |
+    */
+    'encrypt_mimes' => true,
 ];
diff --git a/resources/views/fields/browse.blade.php b/resources/views/fields/browse.blade.php
@@ -1,7 +1,10 @@
 {{-- browse server input --}}
 @php
 $field['attributes']['data-elfinder-trigger-url'] = $field['attributes']['data-elfinder-trigger-url'] ?? url(config('elfinder.route.prefix').'/popup/'.$field['name']);
-$field['attributes']['data-elfinder-trigger-url'] .= '?mimes='.urlencode(Crypt::encrypt($field['mime_types'] ?? ''));
+$mimeTypes = $field['mime_types'] ?? '';
+$field['attributes']['data-elfinder-trigger-url'] .= '?mimes='.urlencode(
+    config('elfinder.encrypt_mimes', true) ? Crypt::encrypt($mimeTypes) : json_encode($mimeTypes, JSON_UNESCAPED_SLASHES)
+);
 @endphp
 @include('crud::fields.inc.wrapper_start')
     <label>{!! $field['label'] !!}</label>
diff --git a/resources/views/fields/browse_multiple.blade.php b/resources/views/fields/browse_multiple.blade.php
@@ -11,7 +11,10 @@
 $field['wrapper']['data-init-function'] = $field['wrapper']['data-init-function'] ?? 'bpFieldInitBrowseMultipleElement';
 $field['wrapper']['data-elfinder-trigger-url'] = $field['wrapper']['data-elfinder-trigger-url'] ?? url(config('elfinder.route.prefix').'/popup/'.$field['name'].'?multiple=1');
 
-$field['wrapper']['data-elfinder-trigger-url'] .= '&mimes='.urlencode(Crypt::encrypt($field['mime_types'] ?? ''));
+$mimeTypes = $field['mime_types'] ?? '';
+$field['wrapper']['data-elfinder-trigger-url'] .= '&mimes='.urlencode(
+    config('elfinder.encrypt_mimes', true) ? Crypt::encrypt($mimeTypes) : json_encode($mimeTypes, JSON_UNESCAPED_SLASHES)
+);
 
 if ($multiple) {
     $field['wrapper']['data-multiple'] = "true";
diff --git a/resources/views/standalonepopup.blade.php b/resources/views/standalonepopup.blade.php
@@ -30,6 +30,7 @@
 
         <script type="text/javascript">
             $(document).ready(function () {
+
                 let elfinderConfig = {
                     cssAutoLoad : false,
                     speed: 100,
@@ -46,7 +47,7 @@
                     url: '{{ route("elfinder.connector") }}',  // connector URL
                     soundPath: '{{ Basset::getUrl(base_path("vendor/studio-42/elfinder/sounds")) }}',
                     resizable: false,
-                    onlyMimes: @json(urldecode(json_decode(request('mimes'))), JSON_UNESCAPED_SLASHES),
+                    onlyMimes: @json(json_decode(urldecode(request('mimes'))), JSON_UNESCAPED_SLASHES),
                     commandsOptions: {
                         getfile: {
                             multiple: {{ request('multiple') ? 'true' : 'false' }},
@@ -66,8 +67,10 @@
                     },                    
                 };
                 let elfinderOptions = window.parent.elfinderOptions ?? {};
+                @if(config('elfinder.encrypt_mimes', true))
+                    delete elfinderOptions.onlyMimes;
+                @endif
                 var elf = $('#elfinder').elfinder({...elfinderConfig, ...elfinderOptions}).elfinder('instance');
-
                 document.getElementById('elfinder').style.opacity = 1;   
             });          
         </script>
diff --git a/src/BackpackElfinderController.php b/src/BackpackElfinderController.php
@@ -12,16 +12,20 @@ public function showPopup($input_id)
     {
         $mimes = request('mimes');
 
-        if (! isset($mimes)) {
-            Log::error('Someone attempted to tamper with mime types in elfinder popup. The attempt was blocked.');
-            abort(403, 'Unauthorized action.');
-        }
-
-        try {
-            $mimes = Crypt::decrypt(urldecode(request('mimes')));
-        } catch (\Illuminate\Contracts\Encryption\DecryptException $e) {
-            Log::error('Someone attempted to tamper with mime types in elfinder popup. The attempt was blocked.');
-            abort(403, 'Unauthorized action.');
+        if (config('elfinder.encrypt_mimes', true)) {
+            if (! isset($mimes)) {
+                Log::error('Someone attempted to tamper with mime types in elfinder popup. The attempt was blocked.');
+                abort(403, 'Unauthorized action.');
+            }
+
+            try {
+                $mimes = Crypt::decrypt(urldecode($mimes));
+            } catch (\Illuminate\Contracts\Encryption\DecryptException $e) {
+                Log::error('Someone attempted to tamper with mime types in elfinder popup. The attempt was blocked.');
+                abort(403, 'Unauthorized action.');
+            }
+        } else {
+            $mimes = $mimes ? json_decode(urldecode($mimes), true) : '';
         }
 
         if (! empty($mimes)) {
