Access forbidden on BackpackElfinderController->showPopup() (browse Crud Field) #65

Closed
filcius opened this issue Nov 29, 2024 · 12 comments

Comments

@filcius

filcius commented Nov 29, 2024

I am still using Backpack 5.0 and "backpack/pro" 1.1.3, but I doubt that would change anything.

After updating to filemanager 2.0.2, the Crud Field browse type popup generates a 403 http error. This error is generated by BackpackElfinderController->showPopup(), even if the mime type is not submitted in the query.

Is the mime type required in /elfinder/popup/image request? How do we configure it?

The Crud form: [image]

The broken file browser popup: [image]

The error in the log file: `staging.ERROR: Someone attempted to tamper with mime types in elfinder popup. The attempt was blocked.`

If the mime type is indeed optional, I temporarily changed my version of BackpackElfinderController->showPopup like this. Remember, this is for 2.0.2

```php
public function showPopup($input_id)
{
    $mimes = request('mimes');

    // Only verify the parameter when it was actually sent; a missing value falls through as "no filter".
    if (isset($mimes)) {
        try {
            $mimes = Crypt::decrypt(urldecode(request('mimes')));
        } catch (\Illuminate\Contracts\Encryption\DecryptException $e) {
            Log::error('Someone attempted to tamper with mime types in elfinder popup. The attempt was blocked.');
            abort(403, 'Unauthorized action.');
        }
    }

    // Hand the decrypted filter (or an empty one) on to the popup view.
    if (!empty($mimes)) {
        request()->merge(['mimes' => urlencode(serialize($mimes))]);
    } else {
        request()->merge(['mimes' => '']);
    }

    return $this->app['view']
        ->make($this->package . '::standalonepopup')
        ->with($this->getViewVars())
        ->with(compact('input_id'));
}
```

🚨 Bot is not sure about this answer. Please verify. 🚨

Based on the information provided in the knowledge sources, I don't have enough specific details to fully address your issue with Backpack 5.0 and FileManager 2.0.2. However, I can provide some insights based on related issues and potential solutions:

  1. Mime type filtering: The mime_types parameter is used in Backpack to filter file types in elFinder. There have been issues reported with mime type filtering in previous versions Github Issue #2480.

  2. ElFinder configuration: Make sure your elFinder configuration is correct, especially the route and middleware settings. Check your config/elfinder.php file to ensure it matches the expected configuration Github Issue #575.

  3. Middleware: Ensure that the correct middleware is applied to the elFinder routes. The default configuration should include both 'web' and 'admin' middleware Github Issue #575.

  4. Route prefix: Verify that the elFinder route prefix is correctly set in your configuration. It should match your Backpack admin prefix Github Issue #191.

As for your temporary solution, while it might work, it's not recommended to modify core files directly. Instead, you could try to extend the BackpackElfinderController and override the showPopup method in your own controller.

If the issue persists, I recommend:

  1. Checking for any JavaScript errors in the browser console when trying to open the popup.
  2. Verifying that all necessary assets for elFinder are being loaded correctly.
  3. Ensuring that your Backpack and FileManager versions are compatible.

If none of these suggestions help, you may want to open an issue on the Backpack GitHub repository with detailed steps to reproduce the problem, as the specific issue you're encountering is not directly addressed in the provided knowledge sources.

ℹ️ Please note our AI Bot does not reply to follow-ups, this will be the only AI answer in this thread. If the AI helped you find the answer, please mark it as answered or write details below so it can learn. Then close the conversation. If not, please give more information for when a human reads this. ℹ️

Relevant sources:

Github Issue (closed): [4.0][Bug] Multiple images upload to the File Manager
Github Issue (closed): addField type browse file restriction
Github Issue (closed): [Feature request] Allow mime_types filter on browse field
Github Issue (closed): [Bug] elFinder integration for CKEditor not working as documented
Github Issue (open): [Feature Request] Browser field: restrict to subdirectories
Github Issue (closed): Elfinder known vulnerabilities
[4.0][Bugfix] Elfinder mime type filter.
Github Issue (closed): Browse field type and wrong iframe URL to elFinder
Github Issue (closed): [Bug] export buttom and browse field
Github Issue (closed): Cant access elfinder after fresh install
Github Issue (closed): Elfinder working great in local but not in server
Github Issue (closed): Auth::check() returns false on ElFinder
Github Issue (closed): [4.0][BUG] Unable to prepare route for serialization.
[4.1-beta][Bug] Browse multiple field with latest elfinder

@filcius
Author

filcius commented Nov 29, 2024

The bot seems to have useful insight, let me try it.

@filcius
Author

filcius commented Nov 29, 2024

I tried some solutions without success. I keep my issue open. I did not see any mime_types option on the browse field type.

```php
$this->crud->addField(
    [ // image
        'label'      => 'Photo (ex: 1600 x 635)',
        'name'       => "image",
        'type'       => 'browse',
        'mime_types' => ['image'],
        'tab'        => trans('cms.general-content'),
    ]
);
```

@JVariance

We're also getting this error

@pxpm
Contributor

pxpm commented Dec 2, 2024

Please see the following thread for solutions: #59 (comment)

@filcius
Author

filcius commented Dec 2, 2024

That worked perfectly, thank you. I agree that my issue is a duplicate and a secure solution has been found.

However, I wonder if allowing BackpackElfinderController->showPopup() to receive no mimes query would be secure and leave browse.blade.php untouched. I don't expect change, I just want to point it out for future considerations.

@filcius filcius closed this as completed Dec 2, 2024
@pxpm
Contributor

pxpm commented Dec 2, 2024

Hello @filcius thanks for getting back after solving your issue 👍

To answer your question, it's not secure. Imagine the following scenario if we accepted no mimes in the query:
You set up the mimes only to jpg. I, an attacker, remove the mimes from the query.
The showPopup endpoint would think you set up the field with no mimes, when in reality it was the attacker who removed the mimes.

Ensuring that the mimes are always set and encrypted (even if they are empty) prevents an attacker from not sending them (manually removing them from the request) and accessing stuff he shouldn't be able to otherwise.

We wouldn't need this solution if the showPopup endpoint were part of an operation, as in that case we could just get the mimes from the field you set up. But at the time this package was developed we weren't using operations yet, so it works slightly differently from our most recent packages.

Hope it clarifies the things a bit. 👍

Cheers

@filcius
Author

filcius commented Dec 2, 2024

@pxpm Ok, the key argument is that the mime type is encrypted, even if empty. Correct me if I am wrong, does that mean that using the browse field with an empty mime, would cause my endpoint to be insecure?

@pxpm
Contributor

pxpm commented Dec 3, 2024

> @pxpm Ok, the key argument is that the mime type is encrypted, even if empty. Correct me if I am wrong, does that mean that using the browse field with an empty mime, would cause my endpoint to be insecure?

Insecure only in the "viewing" process. So if you set the mime types to jpg, a user would only be able to see .jpg files. If they removed the mimes from the URL they would be able to see any type of file in the upload folder, e.g. gifs or pngs.
For uploading files there is a different setting in the config options where you can allow/deny certain file types, and those are not exposed in the URL like the "view mimes", so they are not vulnerable.

Hope it clarifies it. Let me know if you have other questions 👍
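The two points pxpm makes above (an attacker simply dropping the mimes parameter, and the difference between a missing filter and an empty-but-sealed one) as an added example that is not part of the filemanager package or of Laravel: it stands in for Laravel's Crypt with an HMAC-authenticated token (an assumption, chosen so the script runs offline), and compares a lenient showPopup that treats an absent parameter as "no filter" with the strict one that rejects it. All names (seal_mimes, open_mimes, show_popup_lenient, show_popup_strict, UPLOADS) and the upload folder contents are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets

# Constructed server secret standing in for APP_KEY; HMAC is an assumption, not Laravel's Crypt.
APP_KEY = secrets.token_bytes(32)
# Constructed upload folder contents for the demo.
UPLOADS = {"a.jpg": "image/jpeg", "b.png": "image/png", "c.gif": "image/gif"}

def seal_mimes(mimes: list[str]) -> str:
    """Model of the browse field emitting its mime filter as an authenticated token."""
    payload = json.dumps(mimes, separators=(",", ":")).encode()
    mac = hmac.new(APP_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + mac

def open_mimes(token: str) -> list[str]:
    """Return the sealed filter; raise ValueError on a forged or malformed token."""
    try:
        hex_payload, mac = token.split(".", 1)
        payload = bytes.fromhex(hex_payload)
    except ValueError as exc:
        raise ValueError("malformed mimes token") from exc
    expected = hmac.new(APP_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("mimes token was tampered with")
    return json.loads(payload)

def visible_files(mimes: list[str]) -> list[str]:
    """Files the popup would list; an empty filter means the field allows everything."""
    if not mimes:
        return sorted(UPLOADS)
    return sorted(f for f, m in UPLOADS.items() if m in mimes)

def show_popup_lenient(query: dict) -> tuple[int, list[str]]:
    """Relaxed variant from the first post: a missing mimes param is treated as 'no filter'."""
    if "mimes" not in query:
        return 200, visible_files([])
    try:
        return 200, visible_files(open_mimes(query["mimes"]))
    except ValueError:
        return 403, []

def show_popup_strict(query: dict) -> tuple[int, list[str]]:
    """Variant pxpm describes: the param must be present and verify, even when the filter is empty."""
    try:
        return 200, visible_files(open_mimes(query.get("mimes", "")))
    except ValueError:
        return 403, []
```

Removing the parameter widens the lenient listing from jpg to every file, while the strict variant answers 403, and a sealed empty filter still lists everything because that is what the field was configured to allow.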

@diereysaa

Sorry to revive this thread but I'm getting the same error as the OP:

When I try to open the gallery on my project, it shows a 403 with the main project window: [image]

The HTTP request is
https://***/admin/elfinder/popup/featured_image_select and that returns a 403.

Also, we're seeing

[2025-01-15 19:55:34] staging.ERROR: Someone attempted to tamper with mime types in elfinder popup. The attempt was blocked.

on the logs.

We have the latest backpack versions on the server:

```
backpack/basset                               1.3.6   Dead-simple way to load CSS or JS assets only once per page, when using Laravel 10+.
backpack/crud                                 6.7.47  Quickly build admin interfaces using Laravel, Bootstrap and JavaScript.
backpack/filemanager                          3.0.10  Backpack admin interface for files and folder, using elFinder
backpack/generators                           4.0.7   Generate files for laravel projects
backpack/permissionmanager                    7.2.1   Users and permissions management interface for Laravel 5 using Backpack CRUD.
backpack/pro                                  2.2.31  Operations, Fields, Columns, Filters and Widgets for not-so-simple admin panels.
backpack/theme-coreuiv4                       1.1.5   UI for Backpack v6 that uses CoreUI v4 and Bootstrap v5.
backpack/theme-tabler                         1.2.17  UI for Backpack v6 that uses Tabler and Bootstrap v5.
```

Could it be a folders permission issue?

I think it's important to mention that our project is using laravel multidomain as well (gecche/laravel-multidomain 11.1)

Thanks in advance.

@filcius
Author

filcius commented Jan 15, 2025

@diereysaa Did you try this? It worked for me.

#59 (comment)

@diereysaa

diereysaa commented Jan 15, 2025

Yep @filcius also I have all the packages updated.
Sorry to revive your post, mate, I've already opened a new one (with more info) here: #66

Thanks for replying.
Cheers!
