7224fbcc89
- Files within the storage/ path could be accessed via path traversal references in content, with the access occurring upon HTML export. - This commit addresses the issue via two layers: - Scoped the local flysystem filesystems down to the specific image & file folders, since flysystem has built-in checking against escaping the root folder. - Added path normalization before enforcing the uploads/{images,file} prefix, to prevent traversal at the path level. Thanks to @Haxatron via huntr.dev for discovery and reporting. Ref: https://huntr.dev/bounties/ac268a17-72b5-446f-a09a-9945ef58607a/
<?php
/**
* Filesystem configuration options.
*
* Changes to these config files are not supported by BookStack and may break upon updates.
* Configuration should be altered via the `.env` file or environment variables.
* Do not edit this file unless you're happy to maintain any changes yourself.
*/
// Storage type shared by all uploads unless overridden per upload kind below.
// Options: local, local_secure, s3
$defaultStorageType = env('STORAGE_TYPE', 'local');

// Custom S3 endpoint; when one is configured, path-style addressing is used.
$s3Endpoint = env('STORAGE_S3_ENDPOINT', null);

return [

    // Default Filesystem Disk
    'default' => $defaultStorageType,

    // Disk used specifically for image uploads; falls back to the default storage type.
    'images' => env('STORAGE_IMAGE_TYPE', $defaultStorageType),

    // Disk used specifically for file attachments; falls back to the default storage type.
    'attachments' => env('STORAGE_ATTACHMENT_TYPE', $defaultStorageType),

    // Storage URL
    // Base URL of an external file storage service (such as s3) from which
    // publicly accessible assets are served.
    'url' => env('STORAGE_URL', false),

    // Default Cloud Filesystem Disk
    'cloud' => 's3',

    // Available filesystem disks.
    // Only local, local_secure & s3 are supported by BookStack.
    'disks' => [

        // Publicly served local storage, rooted at the public directory.
        'local' => [
            'driver' => 'local',
            'root'   => public_path(),
        ],

        // Secure local storage, one disk per upload kind. Each root is scoped
        // to its own upload folder so that the filesystem layer's built-in
        // root-escape checks confine access to that folder alone.
        'local_secure_attachments' => [
            'driver' => 'local',
            'root'   => storage_path('uploads/files/'),
        ],

        'local_secure_images' => [
            'driver' => 'local',
            'root'   => storage_path('uploads/images/'),
        ],

        // S3-compatible object storage; every value is read from the environment.
        's3' => [
            'driver'                  => 's3',
            'key'                     => env('STORAGE_S3_KEY', 'your-key'),
            'secret'                  => env('STORAGE_S3_SECRET', 'your-secret'),
            'region'                  => env('STORAGE_S3_REGION', 'your-region'),
            'bucket'                  => env('STORAGE_S3_BUCKET', 'your-bucket'),
            'endpoint'                => $s3Endpoint,
            'use_path_style_endpoint' => $s3Endpoint !== null,
        ],

    ],

];