prevent mime type tampering

Author: pxpm

src/BackpackElfinderController.php

@@ -0,0 +1,38 @@
+<?php
+
+namespace Backpack\FileManager;
+
+use Illuminate\Support\Facades\Crypt;
+use Illuminate\Support\Facades\Log;
+
+class BackpackElfinderController extends \Barryvdh\Elfinder\ElfinderController
+{
+    public function showPopup($input_id)
+    {
+        $mimes = request('mimes');
+
+        if (! isset($mimes)) {
+            Log::error('Someone attempted to tamper with mime types in elfinder popup. The attempt was blocked.');
+            abort(403, 'Unauthorized action.');
+        }
+
+        try {
+            $mimes = Crypt::decrypt(urldecode(request('mimes')));
+        } catch (\Illuminate\Contracts\Encryption\DecryptException $e) {
+            Log::error('Someone attempted to tamper with mime types in elfinder popup. The attempt was blocked.');
+            abort(403, 'Unauthorized action.');
+        }
+
+        request()->merge(['mimes' => urlencode(serialize($mimes))]);
+        if (! empty($mimes)) {
+            request()->merge(['mimes' => urlencode(serialize($mimes))]);
+        } else {
+            request()->merge(['mimes' => '']);
+        }
+
+        return $this->app['view']
+            ->make($this->package.'::standalonepopup')
+            ->with($this->getViewVars())
+            ->with(compact('input_id'));
+    }
+}

src/FileManagerServiceProvider.php

@@ -4,6 +4,7 @@
 
 use Illuminate\Support\Facades\Config;
 use Illuminate\Support\ServiceProvider;
+use Barryvdh\Elfinder\ElfinderController;
 
 class FileManagerServiceProvider extends ServiceProvider
 {
@@ -27,6 +28,11 @@ public function boot()
         }
     }
 
+    public function register()
+    {
+        $this->app->bind(ElfinderController::class, BackpackElfinderController::class);
+    }
+
     /**
      * Console-specific booting.
      *