security fix: avoid renaming and moving inappropriate files

Author: streamtw

src/Controllers/ItemsController.php

@@ -2,6 +2,7 @@
 
 namespace UniSharp\LaravelFilemanager\Controllers;
 
+use Illuminate\Support\Facades\Storage;
 use UniSharp\LaravelFilemanager\Events\FileIsMoving;
 use UniSharp\LaravelFilemanager\Events\FileWasMoving;
 use UniSharp\LaravelFilemanager\Events\FolderIsMoving;
@@ -66,6 +67,12 @@ public function domove()
             $old_file = $this->lfm->pretty($item);
             $is_directory = $old_file->isDirectory();
 
+            $file = $this->lfm->setName($item);
+
+            if (!Storage::disk($this->helper->config('disk'))->exists($file->path('storage'))) {
+                abort(404);
+            }
+
             if ($old_file->hasThumb()) {
                 $new_file = $this->lfm->setName($item)->thumb()->dir($target);
                 if ($is_directory) {

src/Controllers/RenameController.php

@@ -2,10 +2,11 @@
 
 namespace UniSharp\LaravelFilemanager\Controllers;
 
-use UniSharp\LaravelFilemanager\Events\ImageIsRenaming;
-use UniSharp\LaravelFilemanager\Events\ImageWasRenamed;
+use Illuminate\Support\Facades\Storage;
 use UniSharp\LaravelFilemanager\Events\FolderIsRenaming;
 use UniSharp\LaravelFilemanager\Events\FolderWasRenamed;
+use UniSharp\LaravelFilemanager\Events\ImageIsRenaming;
+use UniSharp\LaravelFilemanager\Events\ImageWasRenamed;
 
 class RenameController extends LfmController
 {
@@ -14,6 +15,12 @@ public function getRename()
         $old_name = $this->helper->input('file');
         $new_name = $this->helper->input('new_name');
 
+        $file = $this->lfm->setName($old_name);
+
+        if (!Storage::disk($this->helper->config('disk'))->exists($file->path('storage'))) {
+            abort(404);
+        }
+
         $old_file = $this->lfm->pretty($old_name);
 
         $is_directory = $old_file->isDirectory();