Allow to disable the NoPrivateNetwork protection for attachment downloads via an env variable

This commit is contained in:
Jan Böhmer 2026-04-05 23:14:18 +02:00
parent ad35ae6e9e
commit 7d8a7ab471
4 changed files with 13 additions and 1 deletions

.env

@ -121,6 +121,10 @@ SAML_SP_PRIVATE_KEY="MIIE..."
# In demo mode things it is not possible for a user to change his password and his settings. # In demo mode things it is not possible for a user to change his password and his settings.
DEMO_MODE=0 DEMO_MODE=0
# When this is set to 1, users can make Part-DB directly download a file specified as a URL from the local network and create it as a local file.
# This allows users access to all resources available in the local network, which could be a security risk, so use this only if you trust your users and have a secure local network.
ALLOW_ATTACHMENT_DOWNLOADS_FROM_LOCALNETWORK=0
# Change this to true, if no url rewriting (like mod_rewrite for Apache) is available # Change this to true, if no url rewriting (like mod_rewrite for Apache) is available
# In that case all URL contains the index.php front controller in URL # In that case all URL contains the index.php front controller in URL
NO_URL_REWRITE_AVAILABLE=0 NO_URL_REWRITE_AVAILABLE=0
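Review bot: the new comment block above `ALLOW_ATTACHMENT_DOWNLOADS_FROM_LOCALNETWORK=0` describes the risk only as "access to all resources available in the local network" but does not say what the flag mechanically does, which is to stop wrapping the attachment HTTP client in `NoPrivateNetworkHttpClient`, so that private and loopback address ranges become reachable from the server. Suggest one extra line, e.g. `# Setting this to 1 disables the NoPrivateNetworkHttpClient guard (SSRF protection) for attachment downloads.`, so an operator editing the file understands which protection is being switched off.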


@ -105,6 +105,8 @@ parameters:
env(DATABASE_EMULATE_NATURAL_SORT): 0 env(DATABASE_EMULATE_NATURAL_SORT): 0
env(ALLOW_ATTACHMENT_DOWNLOADS_FROM_LOCALNETWORK): 0
###################################################################################################################### ######################################################################################################################
# Bulk Info Provider Import Configuration # Bulk Info Provider Import Configuration
###################################################################################################################### ######################################################################################################################


@ -86,6 +86,7 @@ bundled with Part-DB. Set `DATABASE_MYSQL_SSL_VERIFY_CERT` if you want to accept
* `ATTACHMENT_DOWNLOAD_BY_DEFAULT`: When this is set to 1, the "download external file" checkbox is checked by default * `ATTACHMENT_DOWNLOAD_BY_DEFAULT`: When this is set to 1, the "download external file" checkbox is checked by default
when adding a new attachment. Otherwise, it is unchecked by default. Use this if you wanna download all attachments when adding a new attachment. Otherwise, it is unchecked by default. Use this if you wanna download all attachments
locally by default. Attachment download is only possible, when `ALLOW_ATTACHMENT_DOWNLOADS` is set to 1. locally by default. Attachment download is only possible, when `ALLOW_ATTACHMENT_DOWNLOADS` is set to 1.
* `ALLOW_ATTACHMENT_DOWNLOADS_FROM_LOCALNETWORK` (default `0`): When this is set to 1, users can make Part-DB directly download a file specified as a URL from the local network and create it as a local file. This allows users access to all resources available in the local network, which could be a security risk, so use this only if you trust your users and have a secure local network.
* `ATTACHMENT_SHOW_HTML_FILES`: When enabled, user uploaded HTML attachments can be viewed directly in the browser. * `ATTACHMENT_SHOW_HTML_FILES`: When enabled, user uploaded HTML attachments can be viewed directly in the browser.
Many potential malicious functions are restricted, still this is a potential security risk and should only be enabled, Many potential malicious functions are restricted, still this is a potential security risk and should only be enabled,
if you trust the users who can upload files. When set to 0, HTML files are rendered as plain text. if you trust the users who can upload files. When set to 0, HTML files are rendered as plain text.
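Review bot: the new `ALLOW_ATTACHMENT_DOWNLOADS_FROM_LOCALNETWORK` bullet is a single unwrapped line while the surrounding entries wrap at roughly 120 columns; wrap it to match. It also omits the dependency the previous bullet states explicitly, namely that downloading is only possible when `ALLOW_ATTACHMENT_DOWNLOADS` is set to 1; add "This option only has an effect when `ALLOW_ATTACHMENT_DOWNLOADS` is set to 1." so readers do not assume the flag enables downloads on its own.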


@ -44,6 +44,7 @@ use App\Exceptions\AttachmentDownloadException;
use App\Settings\SystemSettings\AttachmentsSettings; use App\Settings\SystemSettings\AttachmentsSettings;
use Hshn\Base64EncodedFile\HttpFoundation\File\Base64EncodedFile; use Hshn\Base64EncodedFile\HttpFoundation\File\Base64EncodedFile;
use Hshn\Base64EncodedFile\HttpFoundation\File\UploadedBase64EncodedFile; use Hshn\Base64EncodedFile\HttpFoundation\File\UploadedBase64EncodedFile;
use Symfony\Component\DependencyInjection\Attribute\Autowire;
use Symfony\Component\HttpClient\NoPrivateNetworkHttpClient; use Symfony\Component\HttpClient\NoPrivateNetworkHttpClient;
use const DIRECTORY_SEPARATOR; use const DIRECTORY_SEPARATOR;
use InvalidArgumentException; use InvalidArgumentException;
@ -77,6 +78,8 @@ class AttachmentSubmitHandler
protected FileTypeFilterTools $filterTools, protected FileTypeFilterTools $filterTools,
protected AttachmentsSettings $settings, protected AttachmentsSettings $settings,
protected readonly SVGSanitizer $SVGSanitizer, protected readonly SVGSanitizer $SVGSanitizer,
#[Autowire(env: "bool:ALLOW_ATTACHMENT_DOWNLOADS_FROM_LOCALNETWORK")]
private readonly bool $allow_local_network_downloads = false,
) )
{ {
//The mapping used to determine which folder will be used for an attachment type //The mapping used to determine which folder will be used for an attachment type
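Review bot: `$allow_local_network_downloads` uses snake_case while the other promoted constructor properties (`$filterTools`, `$settings`, `$SVGSanitizer`) are camelCase; rename it to `$allowLocalNetworkDownloads` for consistency. The `bool:` env processor together with the `false` default keeps the guard enabled when the variable is unset, which is the right fail-safe default, but that intent is worth a one-line doc comment above the `#[Autowire(...)]` attribute.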
@ -97,7 +100,9 @@ class AttachmentSubmitHandler
LabelAttachment::class => 'label_profile', LabelAttachment::class => 'label_profile',
]; ];
$this->httpClient = new NoPrivateNetworkHttpClient($this->httpClient); if (!$this->allow_local_network_downloads) {
$this->httpClient = new NoPrivateNetworkHttpClient($this->httpClient);
}
} }
/** /**
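Review bot: the `if (!$this->allow_local_network_downloads)` branch carries no comment explaining that skipping the `NoPrivateNetworkHttpClient` wrapper turns off the private-network (SSRF) guard for every request made through `$this->httpClient`; add a short comment saying so. Since this is a security-sensitive toggle, consider also emitting a warning via the logger when the flag is true, so operators can see from the application log that the guard has been disabled rather than only from the environment file.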