TheCloneArmy/crater
1
0
Fork 1
mirror of https://github.com/crater-invoice/crater.git synced 2025-10-30 21:21:09 -04:00
Code Issues Packages Projects Releases Wiki Activity

Unrestricted php file upload fix (#681)

Browse Source 
https://huntr.dev/bounties/d7453360-baca-4e56-985f-481275fa38db/
This commit is contained in:
theWorstComrade
2021-12-29 13:33:20 +01:00
committed by GitHub
parent c9d0a63854
commit cdc913d16c
7 changed files with 176 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
app/Http/Controllers/V1/Admin/Expense/ExpensesController.php
View File

@ -39,7 +39,7 @@ class ExpensesController extends Controller
/**
* Store a newly created resource in storage.
*
* @param \Illuminate\Http\Request $request
* @param \Crater\Http\Requests\ExpenseRequest $request
* @return \Illuminate\Http\JsonResponse
*/
public function store(ExpenseRequest $request)
@ -67,7 +67,7 @@ class ExpensesController extends Controller
/**
* Update the specified resource in storage.
*
* @param \Illuminate\Http\Request $request
* @param \Crater\Http\Requests\ExpenseRequest $request
* @param \Crater\Models\Expense $expense
* @return \Illuminate\Http\JsonResponse
*/

5
app/Http/Controllers/V1/Admin/Expense/UploadReceiptController.php
View File

@ -5,17 +5,18 @@ namespace Crater\Http\Controllers\V1\Admin\Expense;
use Crater\Http\Controllers\Controller;
use Crater\Models\Expense;
use Illuminate\Http\Request;
use Crater\Http\Requests\ExpenseRequest;
class UploadReceiptController extends Controller
{
/**
* Upload the expense receipts to storage.
*
* @param \Illuminate\Http\Request $request
* @param \Crater\Http\Requests\ExpenseRequest $request
* @param Expense $expense
* @return \Illuminate\Http\JsonResponse
*/
public function __invoke(Request $request, Expense $expense)
public function __invoke(ExpenseRequest $request, Expense $expense)
{
$this->authorize('update', $expense);

10
app/Http/Controllers/V1/Admin/Settings/CompanyController.php
View File

@ -9,6 +9,8 @@ use Crater\Http\Resources\CompanyResource;
use Crater\Http\Resources\UserResource;
use Crater\Models\Company;
use Illuminate\Http\Request;
use Crater\Http\Requests\AvatarRequest;
use Crater\Http\Requests\CompanyLogoRequest;
class CompanyController extends Controller
{
@ -58,10 +60,10 @@ class CompanyController extends Controller
/**
* Upload the company logo to storage.
*
* @param \Illuminate\Http\Request $request
* @param \Crater\Http\Requests\CompanyLogoRequest $request
* @return \Illuminate\Http\JsonResponse
*/
public function uploadCompanyLogo(Request $request)
public function uploadCompanyLogo(CompanyLogoRequest $request)
{
$company = Company::find($request->header('company'));
@ -89,10 +91,10 @@ class CompanyController extends Controller
/**
* Upload the Admin Avatar to public storage.
*
* @param \Illuminate\Http\Request $request
* @param \Crater\Http\Requests\AvatarRequest $request
* @return \Illuminate\Http\JsonResponse
*/
public function uploadAvatar(Request $request)
public function uploadAvatar(AvatarRequest $request)
{
$user = auth()->user();