diff --git a/.env b/.env
index 447ff5de..79bdcefe 100644
--- a/.env
+++ b/.env
@@ -121,6 +121,10 @@ SAML_SP_PRIVATE_KEY="MIIE..."
 # In demo mode things it is not possible for a user to change his password and his settings.
 DEMO_MODE=0
+# When this is set to 1, users can make Part-DB directly download a file specified as a URL from the local network and create it as a local file.
+# This allows users access to all resources available in the local network, which could be a security risk, so use this only if you trust your users and have a secure local network.
+ALLOW_ATTACHMENT_DOWNLOADS_FROM_LOCALNETWORK=0
+
 # Change this to true, if no url rewriting (like mod_rewrite for Apache) is available
 # In that case all URL contains the index.php front controller in URL
 NO_URL_REWRITE_AVAILABLE=0
diff --git a/config/parameters.yaml b/config/parameters.yaml
index b79e2b88..b1aa5314 100644
--- a/config/parameters.yaml
+++ b/config/parameters.yaml
@@ -105,6 +105,8 @@ parameters:
 env(DATABASE_EMULATE_NATURAL_SORT): 0
+ env(ALLOW_ATTACHMENT_DOWNLOADS_FROM_LOCALNETWORK): 0
+
 ######################################################################################################################
 # Bulk Info Provider Import Configuration
 ######################################################################################################################
diff --git a/docs/configuration.md b/docs/configuration.md
index a2f585a1..7ba716c6 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
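Review bot: The comment on the new `ALLOW_ATTACHMENT_DOWNLOADS_FROM_LOCALNETWORK` key says the flag opens downloads "from the local network", but the PHP hunk that backs it simply skips the `NoPrivateNetworkHttpClient` wrapper, and as far as I recall that wrapper also covers loopback and link-local addresses, so the real effect is broader than the wording suggests. Operators should be told that any user allowed to add attachments can then make the server fetch from services bound to 127.0.0.1 and from link-local endpoints such as cloud instance-metadata, not only from RFC1918 hosts. I would rewrite the second comment line as `# This lets users make the server fetch from every host it can reach, including loopback services and link-local/cloud-metadata addresses, so enable it only if you trust every user who can add attachments and the server has no sensitive internal neighbours.` The same wording applies to the docs/configuration.md bullet for this key.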
@@ -86,6 +86,7 @@ bundled with Part-DB. Set `DATABASE_MYSQL_SSL_VERIFY_CERT` if you want to accept
 * `ATTACHMENT_DOWNLOAD_BY_DEFAULT`: When this is set to 1, the "download external file" checkbox is checked by default when adding a new attachment. Otherwise, it is unchecked by default. Use this if you wanna download all attachments locally by default. Attachment download is only possible, when `ALLOW_ATTACHMENT_DOWNLOADS` is set to 1.
+* `ALLOW_ATTACHMENT_DOWNLOADS_FROM_LOCALNETWORK` (default `0`): When this is set to 1, users can make Part-DB directly download a file specified as a URL from the local network and create it as a local file. This allows users access to all resources available in the local network, which could be a security risk, so use this only if you trust your users and have a secure local network.
 * `ATTACHMENT_SHOW_HTML_FILES`: When enabled, user uploaded HTML attachments can be viewed directly in the browser. Many potential malicious functions are restricted, still this is a potential security risk and should only be enabled, if you trust the users who can upload files. When set to 0, HTML files are rendered as plain text.
diff --git a/src/Services/Attachments/AttachmentSubmitHandler.php b/src/Services/Attachments/AttachmentSubmitHandler.php
index f83b7027..25f6142f 100644
--- a/src/Services/Attachments/AttachmentSubmitHandler.php
+++ b/src/Services/Attachments/AttachmentSubmitHandler.php
@@ -44,6 +44,7 @@ use App\Exceptions\AttachmentDownloadException;
 use App\Settings\SystemSettings\AttachmentsSettings;
 use Hshn\Base64EncodedFile\HttpFoundation\File\Base64EncodedFile;
 use Hshn\Base64EncodedFile\HttpFoundation\File\UploadedBase64EncodedFile;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
 use Symfony\Component\HttpClient\NoPrivateNetworkHttpClient;
 use const DIRECTORY_SEPARATOR;
 use InvalidArgumentException;
@@ -77,6 +78,8 @@ class AttachmentSubmitHandler
 protected FileTypeFilterTools $filterTools,
 protected AttachmentsSettings $settings,
 protected readonly SVGSanitizer $SVGSanitizer,
+ #[Autowire(env: "bool:ALLOW_ATTACHMENT_DOWNLOADS_FROM_LOCALNETWORK")]
+ private readonly bool $allow_local_network_downloads = false,
 ) {
 //The mapping used to determine which folder will be used for an attachment type
@@ -97,7 +100,9 @@ class AttachmentSubmitHandler
 LabelAttachment::class => 'label_profile',
 ];
- $this->httpClient = new NoPrivateNetworkHttpClient($this->httpClient);
+ if (!$this->allow_local_network_downloads) {
+ $this->httpClient = new NoPrivateNetworkHttpClient($this->httpClient);
+ }
 }
 /**
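Review bot: The new promoted property `$allow_local_network_downloads` is snake_case while every neighbouring promoted parameter (`$filterTools`, `$settings`, `$SVGSanitizer`) and the `$this->httpClient` field it later gates are camelCase, so I would name it `private readonly bool $allowLocalNetworkDownloads = false,` and update the one read in the constructor body accordingly. The parameter also deserves a one-line note on what it disables, since the `Autowire` attribute alone does not say it is a security switch: `// true disables the private-network (SSRF) filter on attachment downloads; see ALLOW_ATTACHMENT_DOWNLOADS_FROM_LOCALNETWORK`. The constructor signature starts before this hunk, so the earlier parameters are not visible here.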
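Review bot: The new `if (!$this->allow_local_network_downloads)` removes the `NoPrivateNetworkHttpClient` wrapper entirely when the flag is on, and that wrapper is the only thing standing between a user-supplied attachment URL and the server's own network; as far as I recall it blocks loopback and link-local ranges (and re-checks redirect targets), not just RFC1918, so enabling the flag also exposes 127.0.0.1-bound services and cloud instance-metadata endpoints, which goes beyond the "local network" the config text promises. At minimum the guard needs a why-comment so the next maintainer does not treat it as an optional nicety, e.g. `// SSRF guard: reject user-supplied URLs that resolve to loopback, link-local or private ranges.` If the installed Symfony version's `NoPrivateNetworkHttpClient` constructor accepts a subnet list as its second argument, I would keep loopback and link-local blocked even when the flag is on and only relax the private ranges, as sketched below; if that overload is not available, the `.env` and docs text should at least state the full reach. The enclosing constructor starts before this hunk.
```php
        // SSRF guard: the wrapper rejects URLs that resolve to loopback, link-local or
        // private ranges. The env flag only relaxes the private (RFC1918) part.
        if (!$this->allow_local_network_downloads) {
            $this->httpClient = new NoPrivateNetworkHttpClient($this->httpClient);
        } else {
            // Flag on: still refuse the host's own services and cloud instance-metadata endpoints.
            $this->httpClient = new NoPrivateNetworkHttpClient(
                $this->httpClient,
                ['127.0.0.0/8', '::1/128', '169.254.0.0/16', 'fe80::/10'],
            );
        }
```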