fix pathToLogFile to only get files in log dir (#90)

Proper check the file parameter to disallow arbitrary file downloads
rap2hpoutre · May 25, 2017 · 4129da0 · 4129da0
1 parent 8da15ca
commit 4129da0
Showing 1 changed file with 4 additions and 6 deletions.
diff --git a/src/Rap2hpoutre/LaravelLogViewer/LaravelLogViewer.php b/src/Rap2hpoutre/LaravelLogViewer/LaravelLogViewer.php
@@ -78,16 +78,14 @@ public static function setFile($file)
      */
     public static function pathToLogFile($file)
     {
-        $logsPath = storage_path('logs');
+        if (!starts_with('/', $file)) {
+            $logsPath = storage_path('logs');
 
-        if (app('files')->exists($file)) { // try the absolute path
-            return $file;
+            $file = $logsPath . '/' . $file;
         }
 
-        $file = $logsPath . '/' . $file;
-
         // check if requested file is really in the logs directory
-        if (dirname($file) !== $logsPath) {
+        if (dirname(realpath($file)) !== $logsPath) {
             throw new \Exception('No such log file');
         }