Tuesday, 28 November 2017

Laravel: Is using download dynamic file a security risk?

I want to let users in the user area download all files from the storage/app/downloads/ folder. I thought about doing it like this in the route file:

Route::get('/home/downloads/{file}', 'Home\DownloadController@show');

and in the controller:

public function show($filename)
{
  // The route parameter is joined straight onto the downloads folder.
  $path = storage_path('app/downloads/' . $filename);

  // Only checks that something exists at that path (a directory counts too).
  if(!\File::exists($path)){
    return back();
  }

  return response()->download($path);
}

Now I could create a download link for example like this:

<a href="/home/downloads/logo.jpg">Download Logo</a>

I am just not sure if this is a safe way of doing it. Is it possible for users to download files outside the download folder? At least sneaky urls like

/home/downloads/../User.php 

would not be recognized in route/web.php. But I am not sure if I am overlooking some other possible danger.



via Chebli Mohamed
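The following is an added example, not code from the original post or from Laravel. It puts the posted lookup (join the route parameter onto the folder, check that the path exists) side by side with a hardened version (whitelist the name, resolve it with realpath(), require a regular file inside the folder) and runs both over a constructed temporary tree: a storage/app/downloads/logo.jpg, a sibling storage/app/User.php, and a symlink inside downloads that points at that User.php. The function names, the fixture, and the character class used for the whitelist are assumptions for the demo; it needs a POSIX system where symlink() works and no Laravel install.

```php
<?php
declare(strict_types=1);

// Mirror of the posted controller logic: concatenate user input onto the
// folder and only test that *something* exists there. file_exists() is true
// for directories and follows "..", so "..", "." and "../User.php" all pass.
function resolveNaive(string $downloadsDir, string $filename): ?string
{
    $path = $downloadsDir . '/' . $filename;
    return file_exists($path) ? $path : null;
}

// Hardened lookup. The regex is what you would also put in
// Route::get(...)->where('file', ...): a plain file name, no leading dot,
// no slash. realpath() then canonicalises the target (including symlinks)
// so the containment check below is made on the real location.
function resolveSafe(string $downloadsDir, string $filename): ?string
{
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/', $filename)) {
        return null;
    }
    $base = realpath($downloadsDir);
    if ($base === false) {
        return null;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $filename);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // The resolved file must start with "<downloads dir>/"; this rejects the
    // symlink case where the name is clean but the target lives elsewhere.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed fixture standing in for storage/app/.
$root = sys_get_temp_dir() . '/dl-demo-' . getmypid();
mkdir("$root/app/downloads", 0700, true);
file_put_contents("$root/app/downloads/logo.jpg", 'jpeg bytes');
file_put_contents("$root/app/User.php", '<?php // not meant to be served');
symlink("$root/app/User.php", "$root/app/downloads/link.txt");
$downloads = "$root/app/downloads";

// Inputs a client could place in the {file} segment of the posted route.
$inputs = ['logo.jpg', '../User.php', '..', '.', 'link.txt', 'missing.jpg'];
foreach ($inputs as $in) {
    printf("%-12s naive=%-6s safe=%s\n", $in,
        resolveNaive($downloads, $in) ? 'found' : 'none',
        resolveSafe($downloads, $in) ? 'found' : 'none');
}

// Tidy up the fixture.
unlink("$root/app/downloads/link.txt");
unlink("$root/app/downloads/logo.jpg");
unlink("$root/app/User.php");
rmdir("$root/app/downloads");
rmdir("$root/app");
rmdir($root);
```

Only logo.jpg resolves under the hardened function; the naive function also reports "..", "." and "../User.php" as present, and happily returns the symlink. In the Laravel controller the same shape applies: constrain the parameter on the route with ->where('file', '[A-Za-z0-9][A-Za-z0-9._-]*'), run the realpath() containment check against storage_path('app/downloads'), and abort(404) instead of back() when it fails, so a rejected name never reaches response()->download(). The whitelist as written rejects spaces and other characters a legitimate upload might carry; widen the class deliberately rather than dropping the containment check.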
