PHP Decode
<?php namespace Tests\Uploads; use BookStack\Entities\Repos\PageRepo; use BookStack\Uploa..
Decoded Output download
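<?php

namespace Tests\Uploads;

use BookStack\Entities\Repos\PageRepo;
use BookStack\Uploads\Image;
use BookStack\Uploads\ImageService;
use Illuminate\Support\Str;
use Tests\TestCase;

/**
 * Feature tests for image upload, editing, serving and deletion.
 *
 * Several tests here are security regression tests: they pin down that
 * executable extensions are refused, that stored file names are sanitised,
 * that the image-serving route rejects path traversal and non-image files,
 * and that the "local_secure" / "local_secure_restricted" storage options
 * serve images only as the assertions below describe.
 *
 * Tests write real files to the public/storage directories and remove them
 * again; cleanup that runs after an assertion is skipped if that assertion fails.
 */
class ImageTest extends TestCase
{
    /**
     * A gallery upload writes the file to the public path and records a
     * matching row in the images table.
     */
    public function test_image_upload()
    {
        $page = $this->entities->page();
        $admin = $this->users->admin();
        $this->actingAs($admin);

        $imgDetails = $this->files->uploadGalleryImageToPage($this, $page);
        $relPath = $imgDetails['path'];

        $this->assertTrue(file_exists(public_path($relPath)), 'Uploaded image found at path: ' . public_path($relPath));

        $this->files->deleteAtRelativePath($relPath);

        $this->assertDatabaseHas('images', [
            'url' => $this->baseUrl . $relPath,
            'type' => 'gallery',
            'uploaded_to' => $page->id,
            'path' => $relPath,
            'created_by' => $admin->id,
            'updated_by' => $admin->id,
            'name' => $imgDetails['name'],
        ]);
    }

    /**
     * The "display" thumbnail of an already-compressed PNG must have the
     * same byte size as the uploaded original.
     */
    public function test_image_display_thumbnail_generation_does_not_increase_image_size()
    {
        $page = $this->entities->page();
        $admin = $this->users->admin();
        $this->actingAs($admin);

        $originalFile = $this->files->testFilePath('compressed.png');
        $originalFileSize = filesize($originalFile);

        $imgDetails = $this->files->uploadGalleryImageToPage($this, $page, 'compressed.png');
        $relPath = $imgDetails['path'];

        $this->assertTrue(file_exists(public_path($relPath)), 'Uploaded image found at path: ' . public_path($relPath));

        $displayImage = $imgDetails['response']->thumbs->display;
        // Drop the first three "/"-separated segments of the thumbnail URL to get a
        // path relative to the public directory (presumably scheme, empty part and host).
        $displayImageRelPath = implode('/', array_slice(explode('/', $displayImage), 3));
        $displayImagePath = public_path($displayImageRelPath);
        $displayFileSize = filesize($displayImagePath);

        $this->files->deleteAtRelativePath($relPath);
        $this->files->deleteAtRelativePath($displayImageRelPath);

        $this->assertEquals($originalFileSize, $displayFileSize, 'Display thumbnail generation should not increase image size');
    }

    /**
     * For an animated PNG the gallery thumbnail is a generated "thumbs-" file
     * while the display image URL does not point at a "thumbs-" path.
     */
    public function test_image_display_thumbnail_generation_for_apng_images_uses_original_file()
    {
        $page = $this->entities->page();
        $admin = $this->users->admin();
        $this->actingAs($admin);

        $imgDetails = $this->files->uploadGalleryImageToPage($this, $page, 'animated.png');
        $this->files->deleteAtRelativePath($imgDetails['path']);

        $this->assertStringContainsString('thumbs-', $imgDetails['response']->thumbs->gallery);
        $this->assertStringNotContainsString('thumbs-', $imgDetails['response']->thumbs->display);
    }

    /**
     * An editor can rename an image through PUT /images/{id}.
     */
    public function test_image_edit()
    {
        $editor = $this->users->editor();
        $this->actingAs($editor);

        $imgDetails = $this->files->uploadGalleryImageToPage($this, $this->entities->page());
        $image = Image::query()->first();

        $newName = Str::random();
        $update = $this->put('/images/' . $image->id, ['name' => $newName]);
        $update->assertSuccessful();
        $update->assertSee($newName);

        $this->files->deleteAtRelativePath($imgDetails['path']);

        $this->assertDatabaseHas('images', [
            'type' => 'gallery',
            'name' => $newName,
        ]);
    }

    /**
     * Replacing an image file overwrites the stored file in place and
     * refreshes the record's updated_at timestamp.
     */
    public function test_image_file_update()
    {
        $page = $this->entities->page();
        $this->asEditor();

        $imgDetails = $this->files->uploadGalleryImageToPage($this, $page);
        $relPath = $imgDetails['path'];

        $newUpload = $this->files->uploadedImage('updated-image.png', 'compressed.png');
        $this->assertFileEquals($this->files->testFilePath('test-image.png'), public_path($relPath));

        $imageId = $imgDetails['response']->id;
        $image = Image::findOrFail($imageId);
        // Back-date the record so the later "updated within the last minute" check is meaningful.
        $image->updated_at = now()->subMonth();
        $image->save();

        $this->call('PUT', "/images/{$imageId}/file", [], [], ['file' => $newUpload])
            ->assertOk();

        $this->assertFileEquals($this->files->testFilePath('compressed.png'), public_path($relPath));

        $image->refresh();
        $this->assertTrue($image->updated_at->gt(now()->subMinute()));

        $this->files->deleteAtRelativePath($relPath);
    }

    /**
     * A replacement upload whose extension differs from the existing image is
     * refused, so a file cannot change type underneath an existing path.
     */
    public function test_image_file_update_does_not_allow_change_in_image_extension()
    {
        $page = $this->entities->page();
        $this->asEditor();

        $imgDetails = $this->files->uploadGalleryImageToPage($this, $page);
        $relPath = $imgDetails['path'];
        $newUpload = $this->files->uploadedImage('updated-image.jpg', 'compressed.png');

        $imageId = $imgDetails['response']->id;
        $this->call('PUT', "/images/{$imageId}/file", [], [], ['file' => $newUpload])
            ->assertJson([
                'message' => 'Image file replacements must be of the same type',
                'status' => 'error',
            ]);

        $this->files->deleteAtRelativePath($relPath);
    }

    /**
     * The gallery listing paginates and filters by search term.
     */
    public function test_gallery_get_list_format()
    {
        $this->asEditor();

        $imgDetails = $this->files->uploadGalleryImageToPage($this, $this->entities->page());
        $image = Image::query()->first();

        $pageId = $imgDetails['page']->id;
        $firstPageRequest = $this->get("/images/gallery?page=1&uploaded_to={$pageId}");
        $firstPageRequest->assertSuccessful();
        $this->withHtml($firstPageRequest)->assertElementExists('div');
        $firstPageRequest->assertSuccessful()->assertSeeText($image->name);

        // Only one image was uploaded, so the second page must be empty.
        $secondPageRequest = $this->get("/images/gallery?page=2&uploaded_to={$pageId}");
        $secondPageRequest->assertSuccessful();
        $this->withHtml($secondPageRequest)->assertElementNotExists('div');

        $namePartial = substr($imgDetails['name'], 0, 3);
        $searchHitRequest = $this->get("/images/gallery?page=1&uploaded_to={$pageId}&search={$namePartial}");
        $searchHitRequest->assertSuccessful()->assertSee($imgDetails['name']);

        $namePartial = Str::random(16);
        $searchFailRequest = $this->get("/images/gallery?page=1&uploaded_to={$pageId}&search={$namePartial}");
        $searchFailRequest->assertSuccessful()->assertDontSee($imgDetails['name']);
        $searchFailRequest->assertSuccessful();
        $this->withHtml($searchFailRequest)->assertElementNotExists('div');
    }

    /**
     * Images uploaded to a draft page appear in that draft's gallery listing.
     */
    public function test_image_gallery_lists_for_draft_page()
    {
        $this->actingAs($this->users->editor());
        $draft = $this->entities->newDraftPage();
        $this->files->uploadGalleryImageToPage($this, $draft);
        $image = Image::query()->where('uploaded_to', '=', $draft->id)->firstOrFail();

        $resp = $this->get("/images/gallery?page=1&uploaded_to={$draft->id}");
        $resp->assertSee($image->getThumb(150, 150));
    }

    /**
     * The image edit view with ?delete=true lists pages that use the image.
     */
    public function test_image_usage()
    {
        $page = $this->entities->page();
        $editor = $this->users->editor();
        $this->actingAs($editor);

        $imgDetails = $this->files->uploadGalleryImageToPage($this, $page);

        $image = Image::query()->first();
        $page->html = '<img src="' . $image->url . '">';
        $page->save();

        $usage = $this->get('/images/edit/' . $image->id . '?delete=true');
        $usage->assertSuccessful();
        $usage->assertSeeText($page->name);
        $usage->assertSee($page->getUrl());

        $this->files->deleteAtRelativePath($imgDetails['path']);
    }

    /**
     * A ".php" upload is refused on its extension even though the request
     * declares an image Content-Type; nothing may reach disk or the database.
     */
    public function test_php_files_cannot_be_uploaded()
    {
        $page = $this->entities->page();
        $admin = $this->users->admin();
        $this->actingAs($admin);

        $fileName = 'bad.php';
        $relPath = $this->files->expectedImagePath('gallery', $fileName);
        $this->files->deleteAtRelativePath($relPath);

        $file = $this->files->imageFromBase64File('bad-php.base64', $fileName);
        // The client-declared Content-Type claims an image; the upload must still be rejected.
        $upload = $this->withHeader('Content-Type', 'image/jpeg')
            ->call('POST', '/images/gallery', ['uploaded_to' => $page->id], [], ['file' => $file], []);
        $upload->assertStatus(500);
        $this->assertStringContainsString('The file must have a valid & supported image extension', $upload->json('message'));

        $this->assertFalse(file_exists(public_path($relPath)), 'Uploaded php file was uploaded but should have been stopped');

        $this->assertDatabaseMissing('images', [
            'type' => 'gallery',
            'name' => $fileName,
        ]);
    }

    /**
     * Same as the ".php" case for another extension a web server may execute (".phtml").
     */
    public function test_php_like_files_cannot_be_uploaded()
    {
        $page = $this->entities->page();
        $admin = $this->users->admin();
        $this->actingAs($admin);

        $fileName = 'bad.phtml';
        $relPath = $this->files->expectedImagePath('gallery', $fileName);
        $this->files->deleteAtRelativePath($relPath);

        $file = $this->files->imageFromBase64File('bad-phtml.base64', $fileName);
        $upload = $this->withHeader('Content-Type', 'image/jpeg')
            ->call('POST', '/images/gallery', ['uploaded_to' => $page->id], [], ['file' => $file], []);
        $upload->assertStatus(500);
        $this->assertStringContainsString('The file must have a valid & supported image extension', $upload->json('message'));

        $this->assertFalse(file_exists(public_path($relPath)), 'Uploaded php file was uploaded but should have been stopped');

        // Mirror the ".php" test: a rejected upload must not leave a database record either.
        $this->assertDatabaseMissing('images', [
            'type' => 'gallery',
            'name' => $fileName,
        ]);
    }

    /**
     * A double-extension name keeps its display name but is stored with the
     * inner dot replaced, so only the final image extension remains on disk.
     */
    public function test_files_with_double_extensions_will_get_sanitized()
    {
        $page = $this->entities->page();
        $admin = $this->users->admin();
        $this->actingAs($admin);

        $fileName = 'bad.phtml.png';
        $relPath = $this->files->expectedImagePath('gallery', $fileName);
        $expectedRelPath = dirname($relPath) . '/bad-phtml.png';
        $this->files->deleteAtRelativePath($expectedRelPath);

        $file = $this->files->imageFromBase64File('bad-phtml-png.base64', $fileName);
        $upload = $this->withHeader('Content-Type', 'image/png')
            ->call('POST', '/images/gallery', ['uploaded_to' => $page->id], [], ['file' => $file], []);
        $upload->assertStatus(200);

        $lastImage = Image::query()->latest('id')->first();

        $this->assertEquals('bad.phtml.png', $lastImage->name);
        $this->assertEquals('bad-phtml.png', basename($lastImage->path));
        $this->assertFileDoesNotExist(public_path($relPath), 'Uploaded image file name was not stripped of dots');
        $this->assertFileExists(public_path($expectedRelPath));

        $this->files->deleteAtRelativePath($lastImage->path);
    }

    /**
     * Characters with URL meaning ("#", "?") are removed from stored file
     * names, and the remaining name is never empty.
     */
    public function test_url_entities_removed_from_filenames()
    {
        $this->asEditor();
        $badNames = [
            'bad-char-#-image.png',
            'bad-char-?-image.png',
            '?#.png',
            '?.png',
            '#.png',
        ];

        foreach ($badNames as $name) {
            $galleryFile = $this->files->uploadedImage($name);
            $page = $this->entities->page();
            $badPath = $this->files->expectedImagePath('gallery', $name);
            $this->files->deleteAtRelativePath($badPath);

            $upload = $this->call('POST', '/images/gallery', ['uploaded_to' => $page->id], [], ['file' => $galleryFile], []);
            $upload->assertStatus(200);

            $lastImage = Image::query()->latest('id')->first();
            $newFileName = explode('.', basename($lastImage->path))[0];

            // The display name is kept as uploaded; only the on-disk path is sanitised.
            $this->assertEquals($name, $lastImage->name);
            $this->assertStringNotContainsString($name, $lastImage->path, 'Path contains original image name');
            $this->assertFalse(file_exists(public_path($badPath)), 'Uploaded image file name was not stripped of url entities');
            $this->assertTrue(strlen($newFileName) > 0, 'File name was reduced to nothing');

            $this->files->deleteAtRelativePath($lastImage->path);
        }
    }

    /**
     * With the "local_secure" option, gallery uploads land under the storage
     * path rather than the web-served public path.
     */
    public function test_secure_images_uploads_to_correct_place()
    {
        config()->set('filesystems.images', 'local_secure');
        $this->asEditor();
        $galleryFile = $this->files->uploadedImage('my-secure-test-upload.png');
        $page = $this->entities->page();
        $expectedPath = storage_path('uploads/images/gallery/' . date('Y-m') . '/my-secure-test-upload.png');

        $upload = $this->call('POST', '/images/gallery', ['uploaded_to' => $page->id], [], ['file' => $galleryFile], []);
        $upload->assertStatus(200);

        $this->assertTrue(file_exists($expectedPath), 'Uploaded image not found at path: ' . $expectedPath);

        if (file_exists($expectedPath)) {
            unlink($expectedPath);
        }
    }

    /**
     * A "../" path that would resolve to the application log must not be
     * served by the secure image route; the request ends in a 500.
     */
    public function test_secure_image_paths_traversal_causes_500()
    {
        config()->set('filesystems.images', 'local_secure');
        $this->asEditor();

        $resp = $this->get('/uploads/images/../../logs/laravel.log');
        $resp->assertStatus(500);
    }

    /**
     * With the non-secure "local" option the same traversal path is simply not found.
     */
    public function test_secure_image_paths_traversal_on_non_secure_images_causes_404()
    {
        config()->set('filesystems.images', 'local');
        $this->asEditor();

        $resp = $this->get('/uploads/images/../../logs/laravel.log');
        $resp->assertStatus(404);
    }

    /**
     * A non-image file sitting inside the secure image directory is not
     * served by the image route.
     */
    public function test_secure_image_paths_dont_serve_non_images()
    {
        config()->set('filesystems.images', 'local_secure');
        $this->asEditor();

        $testFilePath = storage_path('/uploads/images/testing.txt');
        file_put_contents($testFilePath, 'hello from test_secure_image_paths_dont_serve_non_images');

        try {
            $resp = $this->get('/uploads/images/testing.txt');
            $resp->assertStatus(404);
        } finally {
            // Remove the fixture even when the assertion fails, so no stray file
            // is left in the image storage directory between runs.
            if (file_exists($testFilePath)) {
                unlink($testFilePath);
            }
        }
    }

    /**
     * Securely stored images are embedded (base64) into HTML exports of the page.
     */
    public function test_secure_images_included_in_exports()
    {
        config()->set('filesystems.images', 'local_secure');
        $this->asEditor();
        $galleryFile = $this->files->uploadedImage('my-secure-test-upload.png');
        $page = $this->entities->page();
        $expectedPath = storage_path('uploads/images/gallery/' . date('Y-m') . '/my-secure-test-upload.png');

        $upload = $this->call('POST', '/images/gallery', ['uploaded_to' => $page->id], [], ['file' => $galleryFile], []);
        // Check the status before reading the body so a failed upload is reported as such.
        $upload->assertStatus(200);

        $imageUrl = json_decode($upload->getContent(), true)['url'];
        $page->html .= "<img src=\"{$imageUrl}\">";
        $page->save();

        $encodedImageContent = base64_encode(file_get_contents($expectedPath));
        $export = $this->get($page->getUrl('/export/html'));
        $this->assertStringContainsString($encodedImageContent, $export->getContent(), 'Uploaded image in export content');

        if (file_exists($expectedPath)) {
            unlink($expectedPath);
        }
    }

    /**
     * System images (here the app logo) are still written to the public path
     * when "local_secure" is active.
     */
    public function test_system_images_remain_public_with_local_secure()
    {
        config()->set('filesystems.images', 'local_secure');
        $this->asAdmin();
        $galleryFile = $this->files->uploadedImage('my-system-test-upload.png');
        $expectedPath = public_path('uploads/images/system/' . date('Y-m') . '/my-system-test-upload.png');

        $upload = $this->call('POST', '/settings/customization', [], [], ['app_logo' => $galleryFile], []);
        $upload->assertRedirect('/settings/customization');

        $this->assertTrue(file_exists($expectedPath), 'Uploaded image not found at path: ' . $expectedPath);

        if (file_exists($expectedPath)) {
            unlink($expectedPath);
        }
    }

    /**
     * Fetching a secure image must not replace the session's "previous URL".
     */
    public function test_secure_images_not_tracked_in_session_history()
    {
        config()->set('filesystems.images', 'local_secure');
        $this->asEditor();
        $page = $this->entities->page();
        $result = $this->files->uploadGalleryImageToPage($this, $page);
        $expectedPath = storage_path($result['path']);
        $this->assertFileExists($expectedPath);

        $this->get('/books');
        $this->assertEquals(url('/books'), session()->previousUrl());

        $resp = $this->get($result['path']);
        $resp->assertOk();
        $resp->assertHeader('Content-Type', 'image/png');

        // The image request must leave the previous URL pointing at the last real page.
        $this->assertEquals(url('/books'), session()->previousUrl());

        if (file_exists($expectedPath)) {
            unlink($expectedPath);
        }
    }

    /**
     * System images are still written to the public path when
     * "local_secure_restricted" is active.
     */
    public function test_system_images_remain_public_with_local_secure_restricted()
    {
        config()->set('filesystems.images', 'local_secure_restricted');
        $this->asAdmin();
        $galleryFile = $this->files->uploadedImage('my-system-test-restricted-upload.png');
        $expectedPath = public_path('uploads/images/system/' . date('Y-m') . '/my-system-test-restricted-upload.png');

        $upload = $this->call('POST', '/settings/customization', [], [], ['app_logo' => $galleryFile], []);
        $upload->assertRedirect('/settings/customization');

        $this->assertTrue(file_exists($expectedPath), 'Uploaded image not found at path: ' . $expectedPath);

        if (file_exists($expectedPath)) {
            unlink($expectedPath);
        }
    }

    /**
     * With "local_secure_restricted", an image stops being served (404) once
     * the user loses permission on the page it was uploaded to.
     */
    public function test_secure_restricted_images_inaccessible_without_relation_permission()
    {
        config()->set('filesystems.images', 'local_secure_restricted');
        $this->asEditor();
        $galleryFile = $this->files->uploadedImage('my-secure-restricted-test-upload.png');
        $page = $this->entities->page();

        $upload = $this->call('POST', '/images/gallery', ['uploaded_to' => $page->id], [], ['file' => $galleryFile], []);
        $upload->assertStatus(200);
        $expectedUrl = url('uploads/images/gallery/' . date('Y-m') . '/my-secure-restricted-test-upload.png');
        $expectedPath = storage_path('uploads/images/gallery/' . date('Y-m') . '/my-secure-restricted-test-upload.png');

        $this->get($expectedUrl)->assertOk();

        // Empty permission sets remove all access to the page for this user.
        $this->permissions->setEntityPermissions($page, [], []);

        $resp = $this->get($expectedUrl);
        $resp->assertNotFound();

        if (file_exists($expectedPath)) {
            unlink($expectedPath);
        }
    }

    /**
     * Thumbnail URLs follow the same page-permission check as the original image.
     */
    public function test_thumbnail_path_handled_by_secure_restricted_images()
    {
        config()->set('filesystems.images', 'local_secure_restricted');
        $this->asEditor();
        $galleryFile = $this->files->uploadedImage('my-secure-restricted-thumb-test-test.png');
        $page = $this->entities->page();

        $upload = $this->call('POST', '/images/gallery', ['uploaded_to' => $page->id], [], ['file' => $galleryFile], []);
        $upload->assertStatus(200);
        $expectedUrl = url('uploads/images/gallery/' . date('Y-m') . '/thumbs-150-150/my-secure-restricted-thumb-test-test.png');
        $expectedPath = storage_path('uploads/images/gallery/' . date('Y-m') . '/my-secure-restricted-thumb-test-test.png');

        $this->get($expectedUrl)->assertOk();

        $this->permissions->setEntityPermissions($page, [], []);

        $resp = $this->get($expectedUrl);
        $resp->assertNotFound();

        if (file_exists($expectedPath)) {
            unlink($expectedPath);
        }
    }

    /**
     * An export of page B embeds an image owned by page A only while the
     * user can still access page A.
     */
    public function test_secure_restricted_image_access_controlled_in_exports()
    {
        config()->set('filesystems.images', 'local_secure_restricted');
        $this->asEditor();
        $galleryFile = $this->files->uploadedImage('my-secure-restricted-export-test.png');

        $pageA = $this->entities->page();
        $pageB = $this->entities->page();
        $expectedPath = storage_path('uploads/images/gallery/' . date('Y-m') . '/my-secure-restricted-export-test.png');

        $upload = $this->asEditor()->call('POST', '/images/gallery', ['uploaded_to' => $pageA->id], [], ['file' => $galleryFile], []);
        $upload->assertOk();

        $imageUrl = json_decode($upload->getContent(), true)['url'];
        $pageB->html .= "<img src=\"{$imageUrl}\">";
        $pageB->save();

        $encodedImageContent = base64_encode(file_get_contents($expectedPath));
        $export = $this->get($pageB->getUrl('/export/html'));
        $this->assertStringContainsString($encodedImageContent, $export->getContent());

        // Revoking access to the owning page must drop the image from page B's export.
        $this->permissions->setEntityPermissions($pageA, [], []);

        $export = $this->get($pageB->getUrl('/export/html'));
        $this->assertStringNotContainsString($encodedImageContent, $export->getContent());

        if (file_exists($expectedPath)) {
            unlink($expectedPath);
        }
    }

    /**
     * Deleting an image removes both its database row and its file.
     */
    public function test_image_delete()
    {
        $page = $this->entities->page();
        $this->asAdmin();
        $imageName = 'first-image.png';
        $relPath = $this->files->expectedImagePath('gallery', $imageName);
        $this->files->deleteAtRelativePath($relPath);

        $this->files->uploadGalleryImage($this, $imageName, $page->id);
        $image = Image::first();

        $delete = $this->delete('/images/' . $image->id);
        $delete->assertStatus(200);

        $this->assertDatabaseMissing('images', [
            'url' => $this->baseUrl . $relPath,
            'type' => 'gallery',
        ]);

        $this->assertFalse(file_exists(public_path($relPath)), 'Uploaded image has not been deleted as expected');
    }

    /**
     * Deleting one of several same-named uploads removes exactly one entry
     * from the containing folder.
     */
    public function test_image_delete_does_not_delete_similar_images()
    {
        $page = $this->entities->page();
        $this->asAdmin();
        $imageName = 'first-image.png';

        $relPath = $this->files->expectedImagePath('gallery', $imageName);
        $this->files->deleteAtRelativePath($relPath);

        $this->files->uploadGalleryImage($this, $imageName, $page->id);
        $this->files->uploadGalleryImage($this, $imageName, $page->id);
        $this->files->uploadGalleryImage($this, $imageName, $page->id);

        $image = Image::first();
        $folder = public_path(dirname($relPath));
        $imageCount = count(glob($folder . '/*'));

        $delete = $this->delete('/images/' . $image->id);
        $delete->assertStatus(200);

        $newCount = count(glob($folder . '/*'));
        $this->assertEquals($imageCount - 1, $newCount, 'More files than expected have been deleted');
        $this->assertFalse(file_exists(public_path($relPath)), 'Uploaded image has not been deleted as expected');
    }

    /**
     * The delete button in the image manager is rendered only for users
     * holding a delete permission for the image.
     */
    public function test_image_manager_delete_button_only_shows_with_permission()
    {
        $page = $this->entities->page();
        $this->asAdmin();
        $imageName = 'first-image.png';
        $relPath = $this->files->expectedImagePath('gallery', $imageName);
        $this->files->deleteAtRelativePath($relPath);
        $viewer = $this->users->viewer();

        $this->files->uploadGalleryImage($this, $imageName, $page->id);
        $image = Image::first();

        $resp = $this->get("/images/edit/{$image->id}");
        $this->withHtml($resp)->assertElementExists('button#image-manager-delete');

        $resp = $this->actingAs($viewer)->get("/images/edit/{$image->id}");
        $this->withHtml($resp)->assertElementNotExists('button#image-manager-delete');

        $this->permissions->grantUserRolePermissions($viewer, ['image-delete-all']);

        $resp = $this->actingAs($viewer)->get("/images/edit/{$image->id}");
        $this->withHtml($resp)->assertElementExists('button#image-manager-delete');

        $this->files->deleteAtRelativePath($relPath);
    }

    /**
     * The rebuild-thumbnails endpoint recreates a scaled image that was removed from disk.
     */
    public function test_image_manager_regen_thumbnails()
    {
        $this->asEditor();
        $imageName = 'first-image.png';
        $relPath = $this->files->expectedImagePath('gallery', $imageName);
        $this->files->deleteAtRelativePath($relPath);

        $this->files->uploadGalleryImage($this, $imageName, $this->entities->page()->id);
        $image = Image::first();

        $resp = $this->get("/images/edit/{$image->id}");
        $this->withHtml($resp)->assertElementExists('button#image-manager-rebuild-thumbs');

        $expectedThumbPath = dirname($relPath) . '/scaled-1680-/' . basename($relPath);
        $this->files->deleteAtRelativePath($expectedThumbPath);
        $this->assertFileDoesNotExist($this->files->relativeToFullPath($expectedThumbPath));

        $resp = $this->put("/images/{$image->id}/rebuild-thumbnails");
        $resp->assertOk();

        $this->assertFileExists($this->files->relativeToFullPath($expectedThumbPath));
        $this->files->deleteAtRelativePath($relPath);
    }

    /**
     * Build an uploaded-file fixture named "profile.png", first clearing any
     * file left at the expected user-image path.
     */
    protected function getTestProfileImage()
    {
        $imageName = 'profile.png';
        $relPath = $this->files->expectedImagePath('user', $imageName);
        $this->files->deleteAtRelativePath($relPath);

        return $this->files->uploadedImage($imageName);
    }

    /**
     * An admin setting another user's profile image creates a "user" image
     * attached to that user and attributed to the admin.
     */
    public function test_user_image_upload()
    {
        $editor = $this->users->editor();
        $admin = $this->users->admin();
        $this->actingAs($admin);

        $file = $this->getTestProfileImage();
        $this->call('PUT', '/settings/users/' . $editor->id, [], [], ['profile_image' => $file], []);

        $this->assertDatabaseHas('images', [
            'type' => 'user',
            'uploaded_to' => $editor->id,
            'created_by' => $admin->id,
        ]);
    }

    /**
     * Deleting a user removes their profile image records and the file on disk.
     */
    public function test_user_images_deleted_on_user_deletion()
    {
        $editor = $this->users->editor();
        $this->actingAs($editor);

        $file = $this->getTestProfileImage();
        $this->call('PUT', '/my-account/profile', [], [], ['profile_image' => $file], []);

        $profileImages = Image::where('type', '=', 'user')->where('created_by', '=', $editor->id)->get();
        $this->assertTrue($profileImages->count() === 1, 'Found profile images does not match upload count');

        $imagePath = public_path($profileImages->first()->path);
        $this->assertTrue(file_exists($imagePath));

        $userDelete = $this->asAdmin()->delete($editor->getEditUrl());
        $userDelete->assertStatus(302);

        $this->assertDatabaseMissing('images', [
            'type' => 'user',
            'created_by' => $editor->id,
        ]);
        $this->assertDatabaseMissing('images', [
            'type' => 'user',
            'uploaded_to' => $editor->id,
        ]);

        $this->assertFalse(file_exists($imagePath));
    }

    /**
     * Exercises ImageService::deleteUnusedImages() across page content and revisions.
     *
     * NOTE(review): judging by the assertions, the first argument appears to
     * decide whether page revisions count as usage and the second appears to be
     * a dry-run switch; confirm against ImageService.
     */
    public function test_deleted_unused_images()
    {
        $page = $this->entities->page();
        $admin = $this->users->admin();
        $this->actingAs($admin);

        $imageName = 'unused-image.png';
        $relPath = $this->files->expectedImagePath('gallery', $imageName);
        $this->files->deleteAtRelativePath($relPath);

        $upload = $this->files->uploadGalleryImage($this, $imageName, $page->id);
        $upload->assertStatus(200);
        $image = Image::where('type', '=', 'gallery')->first();

        $pageRepo = app(PageRepo::class);
        $pageRepo->update($page, [
            'name' => $page->name,
            'html' => $page->html . "<img src=\"{$image->url}\">",
            'summary' => '',
        ]);

        // Image is referenced by the current page content: nothing to delete.
        $imageService = app(ImageService::class);
        $toDelete = $imageService->deleteUnusedImages(true, true);
        $this->assertCount(0, $toDelete);

        // Content no longer references the image, but an earlier revision still does.
        $pageRepo->update($page, [
            'name' => $page->name,
            'html' => '<p>Hello</p>',
            'summary' => '',
        ]);

        $imageService = app(ImageService::class);
        $toDelete = $imageService->deleteUnusedImages(true, true);
        $this->assertCount(0, $toDelete);

        $toDelete = $imageService->deleteUnusedImages(false, true);
        $this->assertCount(1, $toDelete);

        // With the revisions gone, the image is unused under either setting.
        $page->revisions()->delete();
        $toDelete = $imageService->deleteUnusedImages(true, true);
        $this->assertCount(1, $toDelete);

        // The calls so far must not have removed the file itself.
        $absPath = public_path($relPath);
        $this->assertTrue(file_exists($absPath), "Existing uploaded file at path {$absPath} exists");

        $toDelete = $imageService->deleteUnusedImages(true, false);
        $this->assertCount(1, $toDelete);
        $this->assertFalse(file_exists($absPath));

        $this->files->deleteAtRelativePath($relPath);
    }
}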
Original Code
<?php
namespace Tests\Uploads;

use BookStack\Entities\Repos\PageRepo;
use BookStack\Uploads\Image;
use BookStack\Uploads\ImageService;
use Illuminate\Support\Str;
use Tests\TestCase;

/**
 * Feature tests for image upload, editing, serving and deletion.
 *
 * Every string literal below is the plain-text equivalent of an octal/hex
 * escaped literal in the obfuscated listing; the runtime values are the same.
 */
class ImageTest extends TestCase
{
    /**
     * A gallery upload lands on disk under the public path and is recorded in the database.
     */
    public function test_image_upload()
    {
        $page = $this->entities->page();
        $admin = $this->users->admin();
        $this->actingAs($admin);

        $imgDetails = $this->files->uploadGalleryImageToPage($this, $page);
        $relPath = $imgDetails['path'];

        $this->assertTrue(
            file_exists(public_path($relPath)),
            'Uploaded image found at path: ' . public_path($relPath)
        );

        $this->files->deleteAtRelativePath($relPath);

        $this->assertDatabaseHas('images', [
            'url' => $this->baseUrl . $relPath,
            'type' => 'gallery',
            'uploaded_to' => $page->id,
            'path' => $relPath,
            'created_by' => $admin->id,
            'updated_by' => $admin->id,
            'name' => $imgDetails['name'],
        ]);
    }

    /**
     * The "display" thumbnail of an already compressed PNG has the same size as the source file.
     */
    public function test_image_display_thumbnail_generation_does_not_increase_image_size()
    {
        $page = $this->entities->page();
        $admin = $this->users->admin();
        $this->actingAs($admin);

        $originalFile = $this->files->testFilePath('compressed.png');
        $originalFileSize = filesize($originalFile);

        $imgDetails = $this->files->uploadGalleryImageToPage($this, $page, 'compressed.png');
        $relPath = $imgDetails['path'];

        $this->assertTrue(
            file_exists(public_path($relPath)),
            'Uploaded image found at path: ' . public_path($relPath)
        );

        // Drop the first three "/"-separated parts of the thumbnail URL to get a relative path.
        $displayImage = $imgDetails['response']->thumbs->display;
        $displayImageRelPath = implode('/', array_slice(explode('/', $displayImage), 3));
        $displayImagePath = public_path($displayImageRelPath);
        $displayFileSize = filesize($displayImagePath);

        $this->files->deleteAtRelativePath($relPath);
        $this->files->deleteAtRelativePath($displayImageRelPath);

        $this->assertEquals(
            $originalFileSize,
            $displayFileSize,
            'Display thumbnail generation should not increase image size'
        );
    }

    /**
     * For an animated PNG the gallery thumbnail URL contains "thumbs-" while the display URL does not.
     */
    public function test_image_display_thumbnail_generation_for_apng_images_uses_original_file()
    {
        $page = $this->entities->page();
        $admin = $this->users->admin();
        $this->actingAs($admin);

        $imgDetails = $this->files->uploadGalleryImageToPage($this, $page, 'animated.png');
        $this->files->deleteAtRelativePath($imgDetails['path']);

        $this->assertStringContainsString('thumbs-', $imgDetails['response']->thumbs->gallery);
        $this->assertStringNotContainsString('thumbs-', $imgDetails['response']->thumbs->display);
    }

    /**
     * An editor can rename an image through PUT /images/{id}.
     */
    public function test_image_edit()
    {
        $editor = $this->users->editor();
        $this->actingAs($editor);

        $imgDetails = $this->files->uploadGalleryImageToPage($this, $this->entities->page());
        $image = Image::query()->first();

        $newName = Str::random();
        $update = $this->put('/images/' . $image->id, ['name' => $newName]);
        $update->assertSuccessful();
        $update->assertSee($newName);

        $this->files->deleteAtRelativePath($imgDetails['path']);

        $this->assertDatabaseHas('images', [
            'type' => 'gallery',
            'name' => $newName,
        ]);
    }

    /**
     * Replacing an image file keeps the stored path, swaps the content and refreshes updated_at.
     */
    public function test_image_file_update()
    {
        $page = $this->entities->page();
        $this->asEditor();

        $imgDetails = $this->files->uploadGalleryImageToPage($this, $page);
        $relPath = $imgDetails['path'];

        $newUpload = $this->files->uploadedImage('updated-image.png', 'compressed.png');
        $this->assertFileEquals($this->files->testFilePath('test-image.png'), public_path($relPath));

        // Age the record so the timestamp check below can only pass if the update touched it.
        $imageId = $imgDetails['response']->id;
        $image = Image::findOrFail($imageId);
        $image->updated_at = now()->subMonth();
        $image->save();

        $this->call('PUT', "/images/{$imageId}/file", [], [], ['file' => $newUpload])
            ->assertOk();

        $this->assertFileEquals($this->files->testFilePath('compressed.png'), public_path($relPath));

        $image->refresh();
        $this->assertTrue($image->updated_at->gt(now()->subMinute()));

        $this->files->deleteAtRelativePath($relPath);
    }

    /**
     * A replacement whose file name carries a different extension (.jpg here) is refused.
     */
    public function test_image_file_update_does_not_allow_change_in_image_extension()
    {
        $page = $this->entities->page();
        $this->asEditor();

        $imgDetails = $this->files->uploadGalleryImageToPage($this, $page);
        $relPath = $imgDetails['path'];
        $newUpload = $this->files->uploadedImage('updated-image.jpg', 'compressed.png');

        $imageId = $imgDetails['response']->id;
        $this->call('PUT', "/images/{$imageId}/file", [], [], ['file' => $newUpload])
            ->assertJson([
                'message' => 'Image file replacements must be of the same type',
                'status' => 'error',
            ]);

        $this->files->deleteAtRelativePath($relPath);
    }

    /**
     * The gallery listing pages its results and honours the search parameter.
     */
    public function test_gallery_get_list_format()
    {
        $this->asEditor();

        $imgDetails = $this->files->uploadGalleryImageToPage($this, $this->entities->page());
        $image = Image::query()->first();

        $pageId = $imgDetails['page']->id;
        $firstPageRequest = $this->get("/images/gallery?page=1&uploaded_to={$pageId}");
        $firstPageRequest->assertSuccessful();
        $this->withHtml($firstPageRequest)->assertElementExists('div');
        $firstPageRequest->assertSuccessful()->assertSeeText($image->name);

        $secondPageRequest = $this->get("/images/gallery?page=2&uploaded_to={$pageId}");
        $secondPageRequest->assertSuccessful();
        $this->withHtml($secondPageRequest)->assertElementNotExists('div');

        // Search by the first three characters of the uploaded name: expect a hit.
        $namePartial = substr($imgDetails['name'], 0, 3);
        $searchHitRequest = $this->get("/images/gallery?page=1&uploaded_to={$pageId}&search={$namePartial}");
        $searchHitRequest->assertSuccessful()->assertSee($imgDetails['name']);

        // Search by a random 16-character term: expect no results.
        $namePartial = Str::random(16);
        $searchFailRequest = $this->get("/images/gallery?page=1&uploaded_to={$pageId}&search={$namePartial}");
        $searchFailRequest->assertSuccessful()->assertDontSee($imgDetails['name']);
        $searchFailRequest->assertSuccessful();
        $this->withHtml($searchFailRequest)->assertElementNotExists('div');
    }

    /**
     * Images uploaded to a draft page appear in that draft's gallery listing.
     */
    public function test_image_gallery_lists_for_draft_page()
    {
        $this->actingAs($this->users->editor());
        $draft = $this->entities->newDraftPage();
        $this->files->uploadGalleryImageToPage($this, $draft);
        $image = Image::query()->where('uploaded_to', '=', $draft->id)->firstOrFail();

        $resp = $this->get("/images/gallery?page=1&uploaded_to={$draft->id}");
        $resp->assertSee($image->getThumb(150, 150));
    }

    /**
     * The edit view opened with ?delete=true lists the pages that embed the image.
     */
    public function test_image_usage()
    {
        $page = $this->entities->page();
        $editor = $this->users->editor();
        $this->actingAs($editor);

        $imgDetails = $this->files->uploadGalleryImageToPage($this, $page);

        $image = Image::query()->first();
        $page->html = '<img src="' . $image->url . '">';
        $page->save();

        $usage = $this->get('/images/edit/' . $image->id . '?delete=true');
        $usage->assertSuccessful();
        $usage->assertSeeText($page->name);
        $usage->assertSee($page->getUrl());

        $this->files->deleteAtRelativePath($imgDetails['path']);
    }

    /**
     * A file named "bad.php" is rejected even though the request declares image/jpeg.
     *
     * The test pins three outcomes: an error response carrying the extension
     * message, no file at the expected path, and no database row.
     */
    public function test_php_files_cannot_be_uploaded()
    {
        $page = $this->entities->page();
        $admin = $this->users->admin();
        $this->actingAs($admin);

        $fileName = 'bad.php';
        $relPath = $this->files->expectedImagePath('gallery', $fileName);
        $this->files->deleteAtRelativePath($relPath);

        $file = $this->files->imageFromBase64File('bad-php.base64', $fileName);
        $upload = $this->withHeader('Content-Type', 'image/jpeg')
            ->call('POST', '/images/gallery', ['uploaded_to' => $page->id], [], ['file' => $file], []);
        $upload->assertStatus(500);
        $this->assertStringContainsString(
            'The file must have a valid & supported image extension',
            $upload->json('message')
        );

        $this->assertFalse(
            file_exists(public_path($relPath)),
            'Uploaded php file was uploaded but should have been stopped'
        );

        $this->assertDatabaseMissing('images', [
            'type' => 'gallery',
            'name' => $fileName,
        ]);
    }

    /**
     * Same rejection as for ".php", here with the ".phtml" extension.
     */
    public function test_php_like_files_cannot_be_uploaded()
    {
        $page = $this->entities->page();
        $admin = $this->users->admin();
        $this->actingAs($admin);

        $fileName = 'bad.phtml';
        $relPath = $this->files->expectedImagePath('gallery', $fileName);
        $this->files->deleteAtRelativePath($relPath);

        $file = $this->files->imageFromBase64File('bad-phtml.base64', $fileName);
        $upload = $this->withHeader('Content-Type', 'image/jpeg')
            ->call('POST', '/images/gallery', ['uploaded_to' => $page->id], [], ['file' => $file], []);
        $upload->assertStatus(500);
        $this->assertStringContainsString(
            'The file must have a valid & supported image extension',
            $upload->json('message')
        );

        $this->assertFalse(
            file_exists(public_path($relPath)),
            'Uploaded php file was uploaded but should have been stopped'
        );
    }

    /**
     * "bad.phtml.png" is accepted, but the stored file name has the inner dot replaced.
     *
     * The display name keeps the original text; only the on-disk name changes
     * ("bad-phtml.png"), so no ".phtml." segment survives in the stored path.
     */
    public function test_files_with_double_extensions_will_get_sanitized()
    {
        $page = $this->entities->page();
        $admin = $this->users->admin();
        $this->actingAs($admin);

        $fileName = 'bad.phtml.png';
        $relPath = $this->files->expectedImagePath('gallery', $fileName);
        $expectedRelPath = dirname($relPath) . '/bad-phtml.png';
        $this->files->deleteAtRelativePath($expectedRelPath);

        $file = $this->files->imageFromBase64File('bad-phtml-png.base64', $fileName);
        $upload = $this->withHeader('Content-Type', 'image/png')
            ->call('POST', '/images/gallery', ['uploaded_to' => $page->id], [], ['file' => $file], []);
        $upload->assertStatus(200);

        $lastImage = Image::query()->latest('id')->first();

        $this->assertEquals('bad.phtml.png', $lastImage->name);
        $this->assertEquals('bad-phtml.png', basename($lastImage->path));
        $this->assertFileDoesNotExist(
            public_path($relPath),
            'Uploaded image file name was not stripped of dots'
        );
        $this->assertFileExists(public_path($expectedRelPath));

        $this->files->deleteAtRelativePath($lastImage->path);
    }

    /**
     * "#" and "?" never reach the stored path, and the stored name is never empty.
     */
    public function test_url_entities_removed_from_filenames()
    {
        $this->asEditor();
        $badNames = [
            'bad-char-#-image.png',
            'bad-char-?-image.png',
            '?#.png',
            '?.png',
            '#.png',
        ];

        foreach ($badNames as $name) {
            $galleryFile = $this->files->uploadedImage($name);
            $page = $this->entities->page();
            $badPath = $this->files->expectedImagePath('gallery', $name);
            $this->files->deleteAtRelativePath($badPath);

            $upload = $this->call(
                'POST',
                '/images/gallery',
                ['uploaded_to' => $page->id],
                [],
                ['file' => $galleryFile],
                []
            );
            $upload->assertStatus(200);

            $lastImage = Image::query()->latest('id')->first();
            $newFileName = explode('.', basename($lastImage->path))[0];

            $this->assertEquals($lastImage->name, $name);
            $this->assertFalse(strpos($lastImage->path, $name), 'Path contains original image name');
            $this->assertFalse(
                file_exists(public_path($badPath)),
                'Uploaded image file name was not stripped of url entities'
            );
            $this->assertTrue(strlen($newFileName) > 0, 'File name was reduced to nothing');

            $this->files->deleteAtRelativePath($lastImage->path);
        }
    }

    /**
     * With the "local_secure" image driver, uploads are written below storage_path().
     */
    public function test_secure_images_uploads_to_correct_place()
    {
        config()->set('filesystems.images', 'local_secure');
        $this->asEditor();
        $galleryFile = $this->files->uploadedImage('my-secure-test-upload.png');
        $page = $this->entities->page();
        $expectedPath = storage_path('uploads/images/gallery/' . date('Y-m') . '/my-secure-test-upload.png');

        $upload = $this->call(
            'POST',
            '/images/gallery',
            ['uploaded_to' => $page->id],
            [],
            ['file' => $galleryFile],
            []
        );
        $upload->assertStatus(200);

        $this->assertTrue(file_exists($expectedPath), 'Uploaded image not found at path: ' . $expectedPath);

        if (file_exists($expectedPath)) {
            unlink($expectedPath);
        }
    }

    /**
     * A request path with "../" segments pointing at logs/laravel.log is answered with a 500
     * under "local_secure"; the file must not be served through the image route.
     */
    public function test_secure_image_paths_traversal_causes_500()
    {
        config()->set('filesystems.images', 'local_secure');
        $this->asEditor();

        $resp = $this->get('/uploads/images/../../logs/laravel.log');
        $resp->assertStatus(500);
    }

    /**
     * The same "../" request is a 404 when the plain "local" driver is configured.
     */
    public function test_secure_image_paths_traversal_on_non_secure_images_causes_404()
    {
        config()->set('filesystems.images', 'local');
        $this->asEditor();

        $resp = $this->get('/uploads/images/../../logs/laravel.log');
        $resp->assertStatus(404);
    }

    /**
     * A non-image file placed inside the secure image directory is not served (404).
     */
    public function test_secure_image_paths_dont_serve_non_images()
    {
        config()->set('filesystems.images', 'local_secure');
        $this->asEditor();

        // NOTE(review): this test does not remove testing.txt after writing it.
        $testFilePath = storage_path('/uploads/images/testing.txt');
        file_put_contents($testFilePath, 'hello from test_secure_image_paths_dont_serve_non_images');

        $resp = $this->get('/uploads/images/testing.txt');
        $resp->assertStatus(404);
    }

    /**
     * An HTML export embeds a "local_secure" image as base64 content.
     */
    public function test_secure_images_included_in_exports()
    {
        config()->set('filesystems.images', 'local_secure');
        $this->asEditor();
        $galleryFile = $this->files->uploadedImage('my-secure-test-upload.png');
        $page = $this->entities->page();
        $expectedPath = storage_path('uploads/images/gallery/' . date('Y-m') . '/my-secure-test-upload.png');

        $upload = $this->call(
            'POST',
            '/images/gallery',
            ['uploaded_to' => $page->id],
            [],
            ['file' => $galleryFile],
            []
        );
        $imageUrl = json_decode($upload->getContent(), true)['url'];
        $page->html .= "<img src=\"{$imageUrl}\">";
        $page->save();
        $upload->assertStatus(200);

        $encodedImageContent = base64_encode(file_get_contents($expectedPath));
        $export = $this->get($page->getUrl('/export/html'));
        $this->assertTrue(
            strpos($export->getContent(), $encodedImageContent) !== false,
            'Uploaded image in export content'
        );

        if (file_exists($expectedPath)) {
            unlink($expectedPath);
        }
    }

    /**
     * The application logo is still written below public_path() when "local_secure" is active.
     */
    public function test_system_images_remain_public_with_local_secure()
    {
        config()->set('filesystems.images', 'local_secure');
        $this->asAdmin();
        $galleryFile = $this->files->uploadedImage('my-system-test-upload.png');
        $expectedPath = public_path('uploads/images/system/' . date('Y-m') . '/my-system-test-upload.png');

        $upload = $this->call('POST', '/settings/customization', [], [], ['app_logo' => $galleryFile], []);
        $upload->assertRedirect('/settings/customization');

        $this->assertTrue(file_exists($expectedPath), 'Uploaded image not found at path: ' . $expectedPath);

        if (file_exists($expectedPath)) {
            unlink($expectedPath);
        }
    }

    /**
     * Fetching a secure image does not overwrite the session's "previous URL".
     */
    public function test_secure_images_not_tracked_in_session_history()
    {
        config()->set('filesystems.images', 'local_secure');
        $this->asEditor();
        $page = $this->entities->page();
        $result = $this->files->uploadGalleryImageToPage($this, $page);
        $expectedPath = storage_path($result['path']);
        $this->assertFileExists($expectedPath);

        $this->get('/books');
        $this->assertEquals(url('/books'), session()->previousUrl());

        $resp = $this->get($result['path']);
        $resp->assertOk();
        $resp->assertHeader('Content-Type', 'image/png');

        // Still /books: the image request was not recorded as a visited page.
        $this->assertEquals(url('/books'), session()->previousUrl());

        if (file_exists($expectedPath)) {
            unlink($expectedPath);
        }
    }

    /**
     * The application logo is still written below public_path() with "local_secure_restricted".
     */
    public function test_system_images_remain_public_with_local_secure_restricted()
    {
        config()->set('filesystems.images', 'local_secure_restricted');
        $this->asAdmin();
        $galleryFile = $this->files->uploadedImage('my-system-test-restricted-upload.png');
        $expectedPath = public_path(
            'uploads/images/system/' . date('Y-m') . '/my-system-test-restricted-upload.png'
        );

        $upload = $this->call('POST', '/settings/customization', [], [], ['app_logo' => $galleryFile], []);
        $upload->assertRedirect('/settings/customization');

        $this->assertTrue(file_exists($expectedPath), 'Uploaded image not found at path: ' . $expectedPath);

        if (file_exists($expectedPath)) {
            unlink($expectedPath);
        }
    }

    /**
     * With "local_secure_restricted", an image URL answers 404 once the page it was
     * uploaded to has its entity permissions set to empty lists.
     */
    public function test_secure_restricted_images_inaccessible_without_relation_permission()
    {
        config()->set('filesystems.images', 'local_secure_restricted');
        $this->asEditor();
        $galleryFile = $this->files->uploadedImage('my-secure-restricted-test-upload.png');
        $page = $this->entities->page();

        $upload = $this->call(
            'POST',
            '/images/gallery',
            ['uploaded_to' => $page->id],
            [],
            ['file' => $galleryFile],
            []
        );
        $upload->assertStatus(200);

        $fileSuffix = '/my-secure-restricted-test-upload.png';
        $expectedUrl = url('uploads/images/gallery/' . date('Y-m') . $fileSuffix);
        $expectedPath = storage_path('uploads/images/gallery/' . date('Y-m') . $fileSuffix);

        $this->get($expectedUrl)->assertOk();

        $this->permissions->setEntityPermissions($page, [], []);

        $resp = $this->get($expectedUrl);
        $resp->assertNotFound();

        if (file_exists($expectedPath)) {
            unlink($expectedPath);
        }
    }

    /**
     * The same permission check applies to the "thumbs-150-150" thumbnail URL of a restricted image.
     */
    public function test_thumbnail_path_handled_by_secure_restricted_images()
    {
        config()->set('filesystems.images', 'local_secure_restricted');
        $this->asEditor();
        $galleryFile = $this->files->uploadedImage('my-secure-restricted-thumb-test-test.png');
        $page = $this->entities->page();

        $upload = $this->call(
            'POST',
            '/images/gallery',
            ['uploaded_to' => $page->id],
            [],
            ['file' => $galleryFile],
            []
        );
        $upload->assertStatus(200);

        $expectedUrl = url(
            'uploads/images/gallery/' . date('Y-m') . '/thumbs-150-150/my-secure-restricted-thumb-test-test.png'
        );
        $expectedPath = storage_path(
            'uploads/images/gallery/' . date('Y-m') . '/my-secure-restricted-thumb-test-test.png'
        );

        $this->get($expectedUrl)->assertOk();

        $this->permissions->setEntityPermissions($page, [], []);

        $resp = $this->get($expectedUrl);
        $resp->assertNotFound();

        if (file_exists($expectedPath)) {
            unlink($expectedPath);
        }
    }

    /**
     * An export of page B stops embedding an image uploaded to page A once page A's
     * entity permissions are set to empty lists.
     */
    public function test_secure_restricted_image_access_controlled_in_exports()
    {
        config()->set('filesystems.images', 'local_secure_restricted');
        $this->asEditor();
        $galleryFile = $this->files->uploadedImage('my-secure-restricted-export-test.png');

        $pageA = $this->entities->page();
        $pageB = $this->entities->page();
        $expectedPath = storage_path(
            'uploads/images/gallery/' . date('Y-m') . '/my-secure-restricted-export-test.png'
        );

        $upload = $this->asEditor()->call(
            'POST',
            '/images/gallery',
            ['uploaded_to' => $pageA->id],
            [],
            ['file' => $galleryFile],
            []
        );
        $upload->assertOk();

        // The image belongs to page A but is embedded in page B.
        $imageUrl = json_decode($upload->getContent(), true)['url'];
        $pageB->html .= "<img src=\"{$imageUrl}\">";
        $pageB->save();

        $encodedImageContent = base64_encode(file_get_contents($expectedPath));
        $export = $this->get($pageB->getUrl('/export/html'));
        $this->assertStringContainsString($encodedImageContent, $export->getContent());

        $this->permissions->setEntityPermissions($pageA, [], []);

        $export = $this->get($pageB->getUrl('/export/html'));
        $this->assertStringNotContainsString($encodedImageContent, $export->getContent());

        if (file_exists($expectedPath)) {
            unlink($expectedPath);
        }
    }

    /**
     * DELETE /images/{id} removes both the database row and the file.
     */
    public function test_image_delete()
    {
        $page = $this->entities->page();
        $this->asAdmin();
        $imageName = 'first-image.png';
        $relPath = $this->files->expectedImagePath('gallery', $imageName);
        $this->files->deleteAtRelativePath($relPath);

        $this->files->uploadGalleryImage($this, $imageName, $page->id);
        $image = Image::first();

        $delete = $this->delete('/images/' . $image->id);
        $delete->assertStatus(200);

        $this->assertDatabaseMissing('images', [
            'url' => $this->baseUrl . $relPath,
            'type' => 'gallery',
        ]);
        $this->assertFalse(
            file_exists(public_path($relPath)),
            'Uploaded image has not been deleted as expected'
        );
    }

    /**
     * Deleting one of three same-named uploads removes exactly one entry from the folder.
     */
    public function test_image_delete_does_not_delete_similar_images()
    {
        $page = $this->entities->page();
        $this->asAdmin();
        $imageName = 'first-image.png';

        $relPath = $this->files->expectedImagePath('gallery', $imageName);
        $this->files->deleteAtRelativePath($relPath);

        $this->files->uploadGalleryImage($this, $imageName, $page->id);
        $this->files->uploadGalleryImage($this, $imageName, $page->id);
        $this->files->uploadGalleryImage($this, $imageName, $page->id);

        $image = Image::first();
        $folder = public_path(dirname($relPath));
        $imageCount = count(glob($folder . '/*'));

        $delete = $this->delete('/images/' . $image->id);
        $delete->assertStatus(200);

        $newCount = count(glob($folder . '/*'));
        $this->assertEquals($imageCount - 1, $newCount, 'More files than expected have been deleted');
        $this->assertFalse(
            file_exists(public_path($relPath)),
            'Uploaded image has not been deleted as expected'
        );
    }

    /**
     * The delete button is rendered for an admin, hidden for a viewer, and rendered for
     * the viewer after the "image-delete-all" permission is granted.
     */
    public function test_image_manager_delete_button_only_shows_with_permission()
    {
        $page = $this->entities->page();
        $this->asAdmin();
        $imageName = 'first-image.png';
        $relPath = $this->files->expectedImagePath('gallery', $imageName);
        $this->files->deleteAtRelativePath($relPath);
        $viewer = $this->users->viewer();

        $this->files->uploadGalleryImage($this, $imageName, $page->id);
        $image = Image::first();

        $resp = $this->get("/images/edit/{$image->id}");
        $this->withHtml($resp)->assertElementExists('button#image-manager-delete');

        $resp = $this->actingAs($viewer)->get("/images/edit/{$image->id}");
        $this->withHtml($resp)->assertElementNotExists('button#image-manager-delete');

        $this->permissions->grantUserRolePermissions($viewer, ['image-delete-all']);

        $resp = $this->actingAs($viewer)->get("/images/edit/{$image->id}");
        $this->withHtml($resp)->assertElementExists('button#image-manager-delete');

        $this->files->deleteAtRelativePath($relPath);
    }

    /**
     * PUT /images/{id}/rebuild-thumbnails recreates a deleted "scaled-1680-" thumbnail.
     */
    public function test_image_manager_regen_thumbnails()
    {
        $this->asEditor();
        $imageName = 'first-image.png';
        $relPath = $this->files->expectedImagePath('gallery', $imageName);
        $this->files->deleteAtRelativePath($relPath);

        $this->files->uploadGalleryImage($this, $imageName, $this->entities->page()->id);
        $image = Image::first();

        $resp = $this->get("/images/edit/{$image->id}");
        $this->withHtml($resp)->assertElementExists('button#image-manager-rebuild-thumbs');

        $expectedThumbPath = dirname($relPath) . '/scaled-1680-/' . basename($relPath);
        $this->files->deleteAtRelativePath($expectedThumbPath);
        $this->assertFileDoesNotExist($this->files->relativeToFullPath($expectedThumbPath));

        $resp = $this->put("/images/{$image->id}/rebuild-thumbnails");
        $resp->assertOk();

        $this->assertFileExists($this->files->relativeToFullPath($expectedThumbPath));
        $this->files->deleteAtRelativePath($relPath);
    }

    /**
     * Clear any previous "profile.png" at the expected user-image path and
     * return a fresh upload object for it.
     */
    protected function getTestProfileImage()
    {
        $imageName = 'profile.png';
        $relPath = $this->files->expectedImagePath('user', $imageName);
        $this->files->deleteAtRelativePath($relPath);

        return $this->files->uploadedImage($imageName);
    }

    /**
     * An admin setting another user's profile image creates a "user" image row
     * that is attached to the edited user and attributed to the admin.
     */
    public function test_user_image_upload()
    {
        $editor = $this->users->editor();
        $admin = $this->users->admin();
        $this->actingAs($admin);

        $file = $this->getTestProfileImage();
        $this->call('PUT', '/settings/users/' . $editor->id, [], [], ['profile_image' => $file], []);

        $this->assertDatabaseHas('images', [
            'type' => 'user',
            'uploaded_to' => $editor->id,
            'created_by' => $admin->id,
        ]);
    }

    /**
     * Deleting a user removes both the database rows and the file on disk
     * for the profile image that user uploaded.
     */
    public function test_user_images_deleted_on_user_deletion()
    {
        $editor = $this->users->editor();
        $this->actingAs($editor);

        $file = $this->getTestProfileImage();
        $this->call('PUT', '/my-account/profile', [], [], ['profile_image' => $file], []);

        $profileImages = Image::where('type', '=', 'user')->where('created_by', '=', $editor->id)->get();
        $this->assertTrue($profileImages->count() === 1, 'Found profile images does not match upload count');

        $imagePath = public_path($profileImages->first()->path);
        $this->assertTrue(file_exists($imagePath));

        $userDelete = $this->asAdmin()->delete($editor->getEditUrl());
        $userDelete->assertStatus(302);

        // No orphaned row may remain, whether keyed by creator or by owner.
        $this->assertDatabaseMissing('images', [
            'type' => 'user',
            'created_by' => $editor->id,
        ]);
        $this->assertDatabaseMissing('images', [
            'type' => 'user',
            'uploaded_to' => $editor->id,
        ]);
        $this->assertFalse(file_exists($imagePath));
    }

    /**
     * Walk deleteUnusedImages() through the states "referenced by the page",
     * "referenced only by revisions" and "unreferenced".
     */
    public function test_deleted_unused_images()
    {
        $page = $this->entities->page();
        $admin = $this->users->admin();
        $this->actingAs($admin);

        $imageName = 'unused-image.png';
        $relPath = $this->files->expectedImagePath('gallery', $imageName);
        $this->files->deleteAtRelativePath($relPath);

        $upload = $this->files->uploadGalleryImage($this, $imageName, $page->id);
        $upload->assertStatus(200);
        $image = Image::where('type', '=', 'gallery')->first();

        $pageRepo = app(PageRepo::class);
        $pageRepo->update($page, [
            'name' => $page->name,
            'html' => $page->html . "<img src=\"{$image->url}\">",
            'summary' => '',
        ]);

        // Image is referenced by the current page content.
        $imageService = app(ImageService::class);
        $toDelete = $imageService->deleteUnusedImages(true, true);
        $this->assertCount(0, $toDelete);

        // Reference dropped from the page; the earlier content still exists as a revision.
        $pageRepo->update($page, [
            'name' => $page->name,
            'html' => '<p>Hello</p>',
            'summary' => '',
        ]);

        $imageService = app(ImageService::class);
        $toDelete = $imageService->deleteUnusedImages(true, true);
        $this->assertCount(0, $toDelete);

        $toDelete = $imageService->deleteUnusedImages(false, true);
        $this->assertCount(1, $toDelete);

        $page->revisions()->delete();

        $toDelete = $imageService->deleteUnusedImages(true, true);
        $this->assertCount(1, $toDelete);

        // Every call so far passed true as the second argument and left the file on disk.
        // NOTE(review): presumably a dry-run flag; confirm against ImageService.
        $absPath = public_path($relPath);
        $this->assertTrue(file_exists($absPath), "Existing uploaded file at path {$absPath} exists");

        $toDelete = $imageService->deleteUnusedImages(true, false);
        $this->assertCount(1, $toDelete);
        $this->assertFalse(file_exists($absPath));

        $this->files->deleteAtRelativePath($relPath);
    }
}
Function Calls
None |
Stats
MD5 | acb386056e7b3f2da7b96f3a5d30d8b0 |
Eval Count | 0 |
Decode Time | 235 ms |