From 4129da09a5a9fe8b4830031b6da12bf35f5519d0 Mon Sep 17 00:00:00 2001
From: apreiml
Date: Thu, 25 May 2017 19:41:43 +0200
Subject: [PATCH] fix pathToLogFile to only get files in log dir (#90)
Proper check the file parameter to disallow arbitrary file downloads
---
 src/Rap2hpoutre/LaravelLogViewer/LaravelLogViewer.php | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/src/Rap2hpoutre/LaravelLogViewer/LaravelLogViewer.php b/src/Rap2hpoutre/LaravelLogViewer/LaravelLogViewer.php
index 75e60d3..0344d3c 100644
--- a/src/Rap2hpoutre/LaravelLogViewer/LaravelLogViewer.php
+++ b/src/Rap2hpoutre/LaravelLogViewer/LaravelLogViewer.php
@@ -78,16 +78,14 @@ public static function setFile($file)
 */
 public static function pathToLogFile($file)
 {
- $logsPath = storage_path('logs');
+ if (!starts_with('/', $file)) {
+ $logsPath = storage_path('logs');
- if (app('files')->exists($file)) { // try the absolute path
- return $file;
+ $file = $logsPath . '/' . $file;
 }
- $file = $logsPath . '/' . $file;
- // check if requested file is really in the logs directory
- if (dirname($file) !== $logsPath) {
+ if (dirname(realpath($file)) !== $logsPath) {
 throw new \Exception('No such log file');
 }
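Review bot: The absolute-path branch introduced by `if (!starts_with('/', $file))` does not do what the comment in the removed code intended, because Laravel's `starts_with()` helper takes the haystack first and the needle second, so this call asks whether the string `'/'` starts with `$file` and is false only when `$file` is exactly `/`. In practice every request is therefore prefixed with the logs directory and the `realpath()` comparison fails closed, but on the one input where the condition is false `$logsPath` is never assigned, so the `dirname(realpath($file)) !== $logsPath` check compares against an undefined variable and throws as well. Hoist the assignment and correct the argument order: `$logsPath = storage_path('logs');` above the `if`, then `if (!starts_with($file, '/')) {`. Comparing against `realpath($logsPath)` instead of the raw `$logsPath` would also keep the containment check from rejecting a logs directory that is reached through a symlink, which is worth confirming against how storage is deployed. pathToLogFile's body continues outside the hunk.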