Skip to content

Add encrypt_mimes config option #88

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pxpm merged 4 commits into from
Mar 26, 2026
Merged

Add encrypt_mimes config option #88

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
c84ff54
add option to disabled mimes encryption
pxpm Mar 25, 2026
ac58b32
Apply fixes from StyleCI
StyleCIBot Mar 25, 2026
930cd70
bc
pxpm Mar 25, 2026
73d0248
Merge branch 'fix-mime-type-tampering-protection' of https://github.c…
pxpm Mar 25, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions config/elfinder.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -90,4 +90,17 @@
'root_options' => [

],

/*
|--------------------------------------------------------------------------
| Encrypt MIME Types
|--------------------------------------------------------------------------
|
| When enabled, MIME types configured on browse/browse_multiple fields are
| encrypted before being passed to the frontend, preventing CASUAL URL
| tampering. Note that this is a UI-level convenience only — NOT A SECURITY MEASURE.
| Determined users can always bypass client-side restrictions.
|
*/
'encrypt_mimes' => true,
];
5 changes: 4 additions & 1 deletion resources/views/fields/browse.blade.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,10 @@
{{-- browse server input --}}
@php
$field['attributes']['data-elfinder-trigger-url'] = $field['attributes']['data-elfinder-trigger-url'] ?? url(config('elfinder.route.prefix').'/popup/'.$field['name']);
$field['attributes']['data-elfinder-trigger-url'] .= '?mimes='.urlencode(Crypt::encrypt($field['mime_types'] ?? ''));
$mimeTypes = $field['mime_types'] ?? '';
$field['attributes']['data-elfinder-trigger-url'] .= '?mimes='.urlencode(
config('elfinder.encrypt_mimes', true) ? Crypt::encrypt($mimeTypes) : json_encode($mimeTypes, JSON_UNESCAPED_SLASHES)
);
Comment on lines 3 to +7
Copy link
Copy Markdown
Contributor

@jnoordsij jnoordsij Mar 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I personally use the route helper here with array parameters, which I both prefer for readability and because it neatly handles URL parsing for both 'required' and 'optional' parameters.

$mimeTypes = $field['mime_types'] ?? '';
$field['attributes']['data-elfinder-trigger-url'] ??= route(
    'elfinder.popup',
    [
        'input_id' => $field['name'],
        'mimes' => config('elfinder.encrypt_mimes', true) ? Crypt::encrypt($mimeTypes) : json_encode($mimeTypes, JSON_UNESCAPED_SLASHES),
    ],
);

Copy link
Copy Markdown
Contributor Author

@pxpm pxpm Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree it's cleaner, but at this point we can't be sure if people are using elfinder.popup as their url, if they changed it or not.
since there is nothing "wrong" per se as it is now, I think I would rather keep it for now 👍

Copy link
Copy Markdown
Contributor

@jnoordsij jnoordsij Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be fair I would be slightly more worried about the actual url changing than the alias (alias comes from https://github.com/barryvdh/laravel-elfinder/blob/30700116a94828202b777da33a6d5c1ee7d004a6/src/ElfinderServiceProvider.php#L59). But both work fine, so perfectly fine to skip this.

Thanks for merging 🥂

@endphp
@include('crud::fields.inc.wrapper_start')
<label>{!! $field['label'] !!}</label>
Expand Down
5 changes: 4 additions & 1 deletion resources/views/fields/browse_multiple.blade.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,10 @@
$field['wrapper']['data-init-function'] = $field['wrapper']['data-init-function'] ?? 'bpFieldInitBrowseMultipleElement';
$field['wrapper']['data-elfinder-trigger-url'] = $field['wrapper']['data-elfinder-trigger-url'] ?? url(config('elfinder.route.prefix').'/popup/'.$field['name'].'?multiple=1');

$field['wrapper']['data-elfinder-trigger-url'] .= '&mimes='.urlencode(Crypt::encrypt($field['mime_types'] ?? ''));
$mimeTypes = $field['mime_types'] ?? '';
Copy link
Copy Markdown
Contributor

@jnoordsij jnoordsij Mar 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above, but with multiple => 1 in the array

$field['wrapper']['data-elfinder-trigger-url'] .= '&mimes='.urlencode(
config('elfinder.encrypt_mimes', true) ? Crypt::encrypt($mimeTypes) : json_encode($mimeTypes, JSON_UNESCAPED_SLASHES)
);

if ($multiple) {
$field['wrapper']['data-multiple'] = "true";
Expand Down
7 changes: 5 additions & 2 deletions resources/views/standalonepopup.blade.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@

<script type="text/javascript">
$(document).ready(function () {

let elfinderConfig = {
cssAutoLoad : false,
speed: 100,
Expand All @@ -50,7 +51,7 @@
url: '{{ route("elfinder.connector") }}', // connector URL
soundPath: '{{ Basset::getUrl(base_path("vendor/studio-42/elfinder/sounds")) }}',
resizable: false,
onlyMimes: @json(urldecode(json_decode(request('mimes'))), JSON_UNESCAPED_SLASHES),
onlyMimes: @json(json_decode(urldecode(request('mimes'))), JSON_UNESCAPED_SLASHES),
commandsOptions: {
getfile: {
multiple: {{ request('multiple') ? 'true' : 'false' }},
Expand All @@ -70,8 +71,10 @@
},
};
let elfinderOptions = window.parent.elfinderOptions ?? {};
@if(config('elfinder.encrypt_mimes', true))
delete elfinderOptions.onlyMimes;
@endif
var elf = $('#elfinder').elfinder({...elfinderConfig, ...elfinderOptions}).elfinder('instance');

document.getElementById('elfinder').style.opacity = 1;
});
</script>
Expand Down
24 changes: 14 additions & 10 deletions src/BackpackElfinderController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,16 +12,20 @@ public function showPopup($input_id)
{
$mimes = request('mimes');

if (! isset($mimes)) {
Log::error('Someone attempted to tamper with mime types in elfinder popup. The attempt was blocked.');
abort(403, 'Unauthorized action.');
}

try {
$mimes = Crypt::decrypt(urldecode(request('mimes')));
} catch (\Illuminate\Contracts\Encryption\DecryptException $e) {
Log::error('Someone attempted to tamper with mime types in elfinder popup. The attempt was blocked.');
abort(403, 'Unauthorized action.');
if (config('elfinder.encrypt_mimes', true)) {
if (! isset($mimes)) {
Log::error('Someone attempted to tamper with mime types in elfinder popup. The attempt was blocked.');
abort(403, 'Unauthorized action.');
}

try {
$mimes = Crypt::decrypt(urldecode($mimes));
} catch (\Illuminate\Contracts\Encryption\DecryptException $e) {
Log::error('Someone attempted to tamper with mime types in elfinder popup. The attempt was blocked.');
abort(403, 'Unauthorized action.');
}
} else {
$mimes = $mimes ? json_decode(urldecode($mimes), true) : '';
}

if (! empty($mimes)) {
Expand Down
Loading