
Commit

disallow file:
freekmurze committed Dec 30, 2024

Verified

This commit was signed with the committer’s verified signature. The key has expired.
snoyberg Michael Snoyman
1 parent 445f6c8 commit bcfd608
Showing 1 changed file with 14 additions and 11 deletions.
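--- a/src/Browsershot.php
+++ b/src/Browsershot.php
@@ -68,6 +68,15 @@ class Browsershot
 
 protected ImageManipulations $imageManipulations;
 
+protected array $unsafeProtocols = [
+'file:,',
+'file:/',
+'file://',
+'file:\\',
+'file:\\\\',
+'view-source',
+];
+
 public static function url(string $url): static
 {
 return (new static)->setUrl($url);
@@ -259,15 +268,7 @@ public function setUrl(string $url): static
 {
 $url = trim($url);
 
-$unsupportedProtocols = [
-'file://',
-'file:/',
-'file:\\',
-'file:\\\\',
-'view-source',
-];
-
-foreach ($unsupportedProtocols as $unsupportedProtocol) {
+foreach ($this->unsafeProtocols as $unsupportedProtocol) {
 if (str_starts_with(strtolower($url), $unsupportedProtocol)) {
 throw FileUrlNotAllowed::make();
 }
@@ -301,8 +302,10 @@ public function setProxyServer(string $proxyServer): static
 
 public function setHtml(string $html): static
 {
-if (str_contains(strtolower($html), 'file://') || str_contains(strtolower($html), 'file:/')) {
-throw HtmlIsNotAllowedToContainFile::make();
+foreach ($this->unsafeProtocols as $protocol) {
+if (str_contains(strtolower($html), $protocol)) {
+throw HtmlIsNotAllowedToContainFile::make();
+}
 }
 
 $this->html = $html;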
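Review bot: The first entry of the new `$unsafeProtocols` list is `'file:,'`, with a comma inside the string literal, which looks like a typo for `'file:'` given the commit title "disallow file:". As written, `setUrl()` and `setHtml()` reject `file:` only when the next character is `,`, `/` or `\`, so the bare scheme the commit set out to block is not actually matched by either check; changing the entry to `'file:'` would cover it and make the four longer `file:` entries redundant, and a regression test for a slash-less `file:` URL would pin that down. Because the list is now shared, `setHtml()` also starts rejecting any HTML whose text contains `view-source`, which deserves a line in the property's docblock, for example `/** Lower-case prefixes rejected by setUrl() and substrings rejected by setHtml(). */`. In `setHtml()` the `strtolower($html)` call runs once per list entry and could be hoisted above the loop as `$lowerHtml = strtolower($html);`. The bodies of `setUrl()` and `setHtml()` continue outside the hunks shown, so anything they do after these checks was not reviewed.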
