Jacotheron
diff --git a/‎src/Controllers/CropController.php
Lines changed: 10 additions & 0 deletions b/‎src/Controllers/CropController.php
Lines changed: 10 additions & 0 deletions
diff --git a/‎src/Controllers/DeleteController.php
Lines changed: 9 additions & 0 deletions b/‎src/Controllers/DeleteController.php
Lines changed: 9 additions & 0 deletions
diff --git a/‎src/Controllers/DownloadController.php
Lines changed: 12 additions & 1 deletion b/‎src/Controllers/DownloadController.php
Lines changed: 12 additions & 1 deletion
diff --git a/‎src/Controllers/FolderController.php
Lines changed: 9 additions & 0 deletions b/‎src/Controllers/FolderController.php
Lines changed: 9 additions & 0 deletions
diff --git a/‎src/Controllers/ItemsController.php
Lines changed: 9 additions & 0 deletions b/‎src/Controllers/ItemsController.php
Lines changed: 9 additions & 0 deletions
diff --git a/‎src/Controllers/RedirectController.php
Lines changed: 11 additions & 0 deletions b/‎src/Controllers/RedirectController.php
Lines changed: 11 additions & 0 deletions
diff --git a/‎src/Controllers/RenameController.php
Lines changed: 11 additions & 0 deletions b/‎src/Controllers/RenameController.php
Lines changed: 11 additions & 0 deletions
diff --git a/‎src/Controllers/ResizeController.php
Lines changed: 9 additions & 0 deletions b/‎src/Controllers/ResizeController.php
Lines changed: 9 additions & 0 deletions
@@ -2,6 +2,7 @@
 
 namespace UniSharp\LaravelFilemanager\Controllers;
 
+use Illuminate\Support\Str;
 use Intervention\Image\Facades\Image;
 use UniSharp\LaravelFilemanager\Events\ImageIsCropping;
 use UniSharp\LaravelFilemanager\Events\ImageWasCropped;
@@ -29,6 +30,15 @@ public function getCropimage($overWrite = true)
     {
         $image_name = request('img');
         $image_path = $this->lfm->setName($image_name)->path('absolute');
+
+        if(config('filesystems.disks.'.$this->helper->config('disk').'.driver') === 'local'){
+            $disk_root = realpath(config('filesystems.disks.'.$this->helper->config('disk').'.root'));
+            $file_real_path = realpath($image_path);
+            if(!Str::startsWith($file_real_path, $disk_root)){
+                abort(404);
+            }
+        }
+
         $crop_path = $image_path;
 
         if (! $overWrite) {
 
@@ -3,6 +3,7 @@
 namespace UniSharp\LaravelFilemanager\Controllers;
 
 use Illuminate\Support\Facades\Storage;
+use Illuminate\Support\Str;
 use UniSharp\LaravelFilemanager\Events\FileIsDeleting;
 use UniSharp\LaravelFilemanager\Events\FileWasDeleted;
 use UniSharp\LaravelFilemanager\Events\FolderIsDeleting;
@@ -36,6 +37,14 @@ public function getDelete()
                 abort(404);
             }
 
+            if(config('filesystems.disks.'.$this->helper->config('disk').'.driver') === 'local'){
+                $disk_root = realpath(config('filesystems.disks.'.$this->helper->config('disk').'.root'));
+                $file_real_path = realpath($file->path('absolute'));
+                if(!Str::startsWith($file_real_path, $disk_root)){
+                    abort(404);
+                }
+            }
+
             $file_to_delete = $this->lfm->pretty($name_to_delete);
             $file_path = $file_to_delete->path('absolute');
 
 
@@ -3,6 +3,7 @@
 namespace UniSharp\LaravelFilemanager\Controllers;
 
 use Illuminate\Support\Facades\Storage;
+use Illuminate\Support\Str;
 
 class DownloadController extends LfmController
 {
@@ -14,6 +15,16 @@ public function getDownload()
             abort(404);
         }
 
-        return response()->download($file->path('absolute'));
+        $file_absolute = $file->path('absolute');
+
+        if(config('filesystems.disks.'.$this->helper->config('disk').'.driver') === 'local'){
+            $disk_root = realpath(config('filesystems.disks.'.$this->helper->config('disk').'.root'));
+            $file_real_path = realpath($file_absolute);
+            if(!Str::startsWith($file_real_path, $disk_root)){
+                abort(404);
+            }
+        }
+
+        return response()->download($file_absolute);
     }
 }
@@ -2,6 +2,7 @@
 
 namespace UniSharp\LaravelFilemanager\Controllers;
 
+use Illuminate\Support\Str;
 use UniSharp\LaravelFilemanager\Events\FolderIsCreating;
 use UniSharp\LaravelFilemanager\Events\FolderWasCreated;
 
@@ -44,6 +45,14 @@ public function getAddfolder()
 
         $new_path = $this->lfm->setName($folder_name)->path('absolute');
 
+        if(config('filesystems.disks.'.$this->helper->config('disk').'.driver') === 'local'){
+            $disk_root = realpath(config('filesystems.disks.'.$this->helper->config('disk').'.root'));
+            $file_real_path = realpath($new_path);
+            if(!Str::startsWith($file_real_path, $disk_root)){
+                abort(404);
+            }
+        }
+
         event(new FolderIsCreating($new_path));
 
         try {
 
@@ -3,6 +3,7 @@
 namespace UniSharp\LaravelFilemanager\Controllers;
 
 use Illuminate\Support\Facades\Storage;
+use Illuminate\Support\Str;
 use UniSharp\LaravelFilemanager\Events\FileIsMoving;
 use UniSharp\LaravelFilemanager\Events\FileWasMoving;
 use UniSharp\LaravelFilemanager\Events\FolderIsMoving;
@@ -73,6 +74,14 @@ public function domove()
                 abort(404);
             }
 
+            if(config('filesystems.disks.'.$this->helper->config('disk').'.driver') === 'local'){
+                $disk_root = realpath(config('filesystems.disks.'.$this->helper->config('disk').'.root'));
+                $file_real_path = realpath($file->path('absolute'));
+                if(!Str::startsWith($file_real_path, $disk_root)){
+                    abort(404);
+                }
+            }
+
             $old_path = $old_file->path();
 
             if ($old_file->hasThumb()) {
 
@@ -3,6 +3,7 @@
 namespace UniSharp\LaravelFilemanager\Controllers;
 
 use Illuminate\Support\Facades\Storage;
+use Illuminate\Support\Str;
 
 class RedirectController extends LfmController
 {
@@ -14,6 +15,16 @@ public function showFile($file_path)
             abort(404);
         }
 
+        if(config('filesystems.disks.'.$this->helper->config('disk').'.driver') === 'local'){
+            $file = $this->lfm->setName($file_path);
+            $file_absolute = $file->path('absolute');
+            $disk_root = realpath(config('filesystems.disks.'.$this->helper->config('disk').'.root'));
+            $file_real_path = realpath($file_absolute);
+            if(!Str::startsWith($file_real_path, $disk_root)){
+                abort(404);
+            }
+        }
+
         return response($storage->get($file_path))
             ->header('Content-Type', $storage->mimeType($file_path));
     }
 
@@ -3,6 +3,7 @@
 namespace UniSharp\LaravelFilemanager\Controllers;
 
 use Illuminate\Support\Facades\Storage;
+use Illuminate\Support\Str;
 use UniSharp\LaravelFilemanager\Events\FolderIsRenaming;
 use UniSharp\LaravelFilemanager\Events\FolderWasRenamed;
 use UniSharp\LaravelFilemanager\Events\FileIsRenaming;
@@ -23,6 +24,16 @@ public function getRename()
             abort(404);
         }
 
+        $file_absolute = $file->path('absolute');
+
+        if(config('filesystems.disks.'.$this->helper->config('disk').'.driver') === 'local'){
+            $disk_root = realpath(config('filesystems.disks.'.$this->helper->config('disk').'.root'));
+            $file_real_path = realpath($file_absolute);
+            if(!Str::startsWith($file_real_path, $disk_root)){
+                abort(404);
+            }
+        }
+
         $old_file = $this->lfm->pretty($old_name);
 
         $is_directory = $file->isDirectory();
 
@@ -2,6 +2,7 @@
 
 namespace UniSharp\LaravelFilemanager\Controllers;
 
+use Illuminate\Support\Str;
 use Intervention\Image\Facades\Image;
 use UniSharp\LaravelFilemanager\Events\ImageIsResizing;
 use UniSharp\LaravelFilemanager\Even
9477
ts\ImageWasResized;
@@ -56,6 +57,14 @@ public function performResize()
     {
         $image_path = $this->lfm->setName(request('img'))->path('absolute');
 
+        if(config('filesystems.disks.'.$this->helper->config('disk').'.driver') === 'local'){
+            $disk_root = realpath(config('filesystems.disks.'.$this->helper->config('disk').'.root'));
+            $file_real_path = realpath($image_path);
+            if(!Str::startsWith($file_real_path, $disk_root)){
+                abort(404);
+            }
+        }
+
         event(new ImageIsResizing($image_path));
         Image::make($image_path)->resize(request('dataWidth'), request('dataHeight'))->save();
         event(new ImageWasResized($image_path));
Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@`
`3`	`3`	`namespace UniSharp\LaravelFilemanager\Controllers;`
`4`	`4`
`5`	`5`	`use Illuminate\Support\Facades\Storage;`
	`6`	`+use Illuminate\Support\Str;`
`6`	`7`
`7`	`8`	`class DownloadController extends LfmController`
`8`	`9`	`{`
`@@ -14,6 +15,16 @@ public function getDownload()`
`14`	`15`	`abort(404);`
`15`	`16`	`}`
`16`	`17`
`17`		`- return response()->download($file->path('absolute'));`
	`18`	`+ $file_absolute = $file->path('absolute');`
	`19`	`+`
	`20`	`+ if(config('filesystems.disks.'.$this->helper->config('disk').'.driver') === 'local'){`
	`21`	`+ $disk_root = realpath(config('filesystems.disks.'.$this->helper->config('disk').'.root'));`
	`22`	`+ $file_real_path = realpath($file_absolute);`
	`23`	`+ if(!Str::startsWith($file_real_path, $disk_root)){`
	`24`	`+ abort(404);`
	`25`	`+ }`
	`26`	`+ }`
	`27`	`+`
	`28`	`+ return response()->download($file_absolute);`
`18`	`29`	`}`
`19`	`30`	`}`