security: use signed middleware #197
Conversation
| Route::get('filament-excel/{path}', function (string $path) { | ||
| $path = Storage::disk('filament-excel')->path($path); | ||
| $filename = substr($path, 37); |
There was a problem hiding this comment.
@pxlrbt you broke file downloading functionality with this change. Initial $path variable contains UUID + filename. But Storage::disk('filament-excel')->path($path) contains absolute path for $path. It leads to The filename and the fallback cannot contain the "/" and "\" characters. exception.
For example, if initial $path contains d98006dc-0cf4-41b0-8381-1cb6c9521ba0-filename.xls, then Storage::disk('filament-excel')->path($path) contains /var/www/html/storage/app/filament-excel/d98006dc-0cf4-41b0-8381-1cb6c9521ba0-filename.xls. If you substr the first one, you'll get actual filename. If you substr the second one, you'll receive cel/d98006dc-0cf4-41b0-8381-1cb6c9521ba0-filename.xls which leads to an exceptions.
Fix this, please.
fix export download bug introduced by #197
fix: use signed URL
The current version might allow a path traversal attack with badly configured webservers through the route for the export file download, because the route was using
{path}and->where('path', '.*').Thanks to Kevin Pohl for making me aware of this issue.