fix: add prevent direct access to files (logs, csv export, etc...)
This commit is contained in:
vnmedeiros
parent
76770ef19e
commit
9c039f50c4
|
|
@ -11,8 +11,7 @@ use Tainacan\Entities;
|
|||
*
|
||||
* */
|
||||
class REST_Background_Processes_Controller extends REST_Controller {
|
||||
private $collections_repository;
|
||||
private $collection;
|
||||
private $table = '';
|
||||
|
||||
protected function get_schema() {
|
||||
return "TODO:get_schema";
|
||||
|
|
@ -78,7 +77,6 @@ class REST_Background_Processes_Controller extends REST_Controller {
|
|||
),
|
||||
));
|
||||
register_rest_route($this->namespace, '/' . $this->rest_base . '/(?P<id>[0-9]+)', array(
|
||||
|
||||
array(
|
||||
'methods' => \WP_REST_Server::READABLE,
|
||||
'callback' => array($this, 'get_item'),
|
||||
|
|
@ -87,7 +85,6 @@ class REST_Background_Processes_Controller extends REST_Controller {
|
|||
|
||||
));
|
||||
register_rest_route($this->namespace, '/' . $this->rest_base . '/(?P<id>[0-9]+)', array(
|
||||
|
||||
array(
|
||||
'methods' => \WP_REST_Server::EDITABLE,
|
||||
'callback' => array($this, 'update_item'),
|
||||
|
|
@ -106,7 +103,6 @@ class REST_Background_Processes_Controller extends REST_Controller {
|
|||
|
||||
));
|
||||
register_rest_route($this->namespace, '/' . $this->rest_base . '/(?P<id>[0-9]+)', array(
|
||||
|
||||
array(
|
||||
'methods' => \WP_REST_Server::DELETABLE,
|
||||
'callback' => array($this, 'delete_item'),
|
||||
|
|
@ -115,6 +111,14 @@ class REST_Background_Processes_Controller extends REST_Controller {
|
|||
),
|
||||
|
||||
));
|
||||
register_rest_route($this->namespace, '/' . $this->rest_base . '/file', array(
|
||||
array(
|
||||
'methods' => \WP_REST_Server::READABLE,
|
||||
'callback' => array($this, 'get_file'),
|
||||
'permission_callback' => array($this, 'bg_processes_permissions_check'),
|
||||
),
|
||||
|
||||
));
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -125,7 +129,7 @@ class REST_Background_Processes_Controller extends REST_Controller {
|
|||
* @return bool|\WP_Error
|
||||
* @throws \Exception
|
||||
*/
|
||||
public function bg_processes_permissions_check($request){
|
||||
public function bg_processes_permissions_check($request) {
|
||||
// TODO
|
||||
return current_user_can('read');
|
||||
}
|
||||
|
|
@ -347,11 +351,32 @@ class REST_Background_Processes_Controller extends REST_Controller {
|
|||
if (!file_exists( $upload_url['basedir'] . '/tainacan/' . $filename )) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$upload_url = trailingslashit( $upload_url['baseurl'] );
|
||||
$logs_url = $upload_url . 'tainacan/' . $filename;
|
||||
|
||||
$logs_url = esc_url_raw( rest_url() ) . "tainacan/v2/bg-processes/file?guid=$filename";
|
||||
return $logs_url;
|
||||
}
|
||||
|
||||
public function get_file( $request ) {
|
||||
if( !isset($request['guid']) ) {
|
||||
return new \WP_REST_Response([
|
||||
'error_message' => __('guid must be specified', 'tainacan' )
|
||||
], 400);
|
||||
}
|
||||
$guid = $request['guid'];
|
||||
$upload_url = wp_upload_dir();
|
||||
$path = $upload_url['basedir'] . '/tainacan/' . $guid;
|
||||
if ( file_exists( $path ) ) {
|
||||
$finfo = finfo_open(FILEINFO_MIME_TYPE);
|
||||
$mime_type = finfo_file($finfo, $path);
|
||||
$file_name = basename($path);
|
||||
http_response_code(200);
|
||||
header('Content-Description: File Transfer');
|
||||
header("Content-Disposition: attachment; filename=$file_name");
|
||||
header("Content-Type: $mime_type");
|
||||
header("Content-Length: " . filesize( $path ));
|
||||
\readfile($path);
|
||||
} else {
|
||||
return new \WP_REST_Response("file not found", 404, array('content-type' => 'text/html; charset=utf-8'));
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -689,7 +689,7 @@ abstract class Exporter {
|
|||
$upload_dir_info = wp_upload_dir();
|
||||
$prefix = $this->get_id();
|
||||
$upload_dir = trailingslashit( $upload_dir_info['basedir'] );
|
||||
$upload_url = trailingslashit( $upload_dir_info['baseurl'] );
|
||||
// $upload_url = trailingslashit( $upload_dir_info['baseurl'] );
|
||||
$exporter_folder = 'tainacan/exporter';
|
||||
$file_suffix = "{$exporter_folder}/{$prefix}_{$key}";
|
||||
|
||||
|
|
@ -699,7 +699,8 @@ abstract class Exporter {
|
|||
}
|
||||
}
|
||||
$file_name = "{$upload_dir}{$file_suffix}";
|
||||
$file_url = "{$upload_url}{$file_suffix}";
|
||||
$guid = "exporter/{$prefix}_{$key}";
|
||||
$file_url = esc_url_raw( rest_url() ) . "tainacan/v2/bg-processes/file?guid=$guid";
|
||||
$this->output_files[$key] = [
|
||||
'filename' => $file_name,
|
||||
'url' => $file_url
|
||||
|
|
|
|||
|
|
@ -159,4 +159,30 @@ add_filter('wp_kses_allowed_html', function($allowedposttags, $context) {
|
|||
default:
|
||||
return $allowedposttags;
|
||||
}
|
||||
}, 10, 2);
|
||||
}, 10, 2);
|
||||
|
||||
|
||||
// Function to add rules to [upload_dir]/tainacan/.htaccess
|
||||
function tainacan_add_htaccess_rules() {
|
||||
$uploads_dir = wp_upload_dir(); // Uploads directory
|
||||
$htaccess_dir = trailingslashit($uploads_dir['basedir']) . 'tainacan'; // Path to the tainacan folder
|
||||
$htaccess_file = trailingslashit($htaccess_dir) . '.htaccess'; // Path to the .htaccess file
|
||||
|
||||
// If the folder doesn't exist, create it
|
||||
if (!file_exists($htaccess_dir)) {
|
||||
wp_mkdir_p($htaccess_dir);
|
||||
}
|
||||
|
||||
$marker = 'Tainacan [<wp_upload_dir()>/tainacan] rules'; // Marker name for identification
|
||||
$rules = array(
|
||||
'# Prevent direct access to files',
|
||||
'Order deny,allow',
|
||||
'Deny from all'
|
||||
); // Rules to be added
|
||||
|
||||
// Add rules to the .htaccess file
|
||||
insert_with_markers($htaccess_file, $marker, $rules);
|
||||
}
|
||||
|
||||
// Hook to execute the function when the plugin is activated
|
||||
register_activation_hook(__FILE__, 'tainacan_add_htaccess_rules');
|
||||
Loading…
Reference in New Issue