JEMBOT MAWOT Bypass Shell
<?php
/**
* Copyright since 2007 PrestaShop SA and Contributors
* PrestaShop is an International Registered Trademark & Property of PrestaShop SA
*
* NOTICE OF LICENSE
*
* This source file is subject to the Open Software License (OSL 3.0)
* that is bundled with this package in the file LICENSE.md.
* It is also available through the world-wide-web at this URL:
* https://opensource.org/licenses/OSL-3.0
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to license@prestashop.com so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade PrestaShop to newer
* versions in the future. If you wish to customize PrestaShop for your
* needs please refer to https://devdocs.prestashop.com/ for more information.
*
* @author PrestaShop SA and Contributors <contact@prestashop.com>
* @copyright Since 2007 PrestaShop SA and Contributors
* @license https://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0)
*/
namespace PrestaShopBundle\Controller\Admin;
use PrestaShopException;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\BinaryFileResponse;
use Symfony\Component\HttpFoundation\File\Exception\FileNotFoundException;
use Symfony\Component\HttpFoundation\HeaderUtils;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
/*
* For security purpose, this controller allow you to securely display documents
*/
class SecuredFileReaderController extends AbstractController
{
private const allowedExtensions = [
'txt' => 'text/plain',
'rtf' => 'application/rtf',
'doc' => 'application/msword',
'docx' => 'application/msword',
'pdf' => 'application/pdf',
'zip' => 'multipart/x-zip',
'png' => 'image/png',
'jpeg' => 'image/jpeg',
'gif' => 'image/gif',
'jpg' => 'image/jpeg',
'webp' => 'image/webp',
];
private const allowedImageExtensions = [
'png' => 'image/png',
'jpeg' => 'image/jpeg',
'gif' => 'image/gif',
'jpg' => 'image/jpeg',
'webp' => 'image/webp',
];
/** @var string */
private $uploadDir;
/**
* @param string $uploadDir
*/
public function __construct(string $uploadDir)
{
$this->uploadDir = $uploadDir;
}
/**
* @throws PrestaShopException
*/
public function readUploadDocument(Request $request): Response
{
$fileName = basename($request->query->get('fileName'));
if (!$fileName) {
throw new PrestaShopException('No file name specified');
}
$fileExtensions = explode('.', $fileName);
if (count($fileExtensions) > 2) {
throw new PrestaShopException('Too many extensions for ' . $fileName);
} elseif (!array_key_exists($fileExtensions[1], self::allowedExtensions)) {
throw new PrestaShopException('Invalid extension for ' . $fileName);
}
// If file is not an image, the browser directly open it as attachment
if (!array_key_exists($fileExtensions[1], self::allowedImageExtensions)) {
$file = file_get_contents($this->uploadDir . $fileName);
$response = new Response($file);
$disposition = HeaderUtils::makeDisposition(
HeaderUtils::DISPOSITION_ATTACHMENT,
$fileName
);
$response->headers->set('Content-Disposition', $disposition);
$response->headers->set('X-Content-Type-Options', 'nosniff');
// else we retrieve image and we display it with appropriate header
} else {
try {
$response = new BinaryFileResponse($this->uploadDir . $fileName);
} catch (FileNotFoundException $e) {
throw new NotFoundHttpException();
}
$response->headers->set('Content-type', self::allowedExtensions[$fileExtensions[1]]);
}
return $response;
}
}
xxxxx1.0, XXX xxxx