From ca56205e452bb19252941a277ebd93ddc4229686 Mon Sep 17 00:00:00 2001
From: Mafftor
Date: Fri, 5 Jun 2020 16:33:37 +0300
Subject: [PATCH] Fixed download attack

---
 src/Controllers/DownloadController.php | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/Controllers/DownloadController.php b/src/Controllers/DownloadController.php
index 449cb2ea..b512694a 100644
--- a/src/Controllers/DownloadController.php
+++ b/src/Controllers/DownloadController.php
@@ -2,10 +2,24 @@
 
 namespace Mafftor\LaravelFileManager\Controllers;
 
+use Illuminate\Support\Facades\Storage;
+use Illuminate\Support\Facades\Log;
+
 class DownloadController extends LfmController
 {
     public function getDownload()
     {
-        return response()->download($this->lfm->setName(request('file'))->path('absolute'));
+        $filepath = $this->helper->getCategoryName() . request('working_dir') . '/' . request('file');
+
+        try {
+            if (Storage::disk($this->helper->config('disk'))->exists($filepath)) {
+                return response()->download($this->lfm->setName(request('file'))->path('absolute'));
+            }
+        } catch (\Exception $e) {
+            // Do not need to throw the exception
+        }
+
+        Log::error('[laravel-file-manager] File not found - ' . $filepath);
+        abort(404);
     }
 }
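Review bot: The existence check on `Storage::disk(...)->exists($filepath)` and the file actually served by `$this->lfm->setName(request('file'))->path('absolute')` are derived from different inputs, so the new guard only protects the download if both resolve to the same file; a `working_dir`/`file` pair that passes `exists()` does not by itself constrain what `path('absolute')` returns. Serving the path that was checked closes that gap, e.g. `return response()->download(Storage::disk($this->helper->config('disk'))->path($filepath));`, assuming `$filepath` is disk-relative as the `exists()` call implies. The empty `catch (\Exception $e)` then reports every rejected request as `File not found`, which hides the cases where the filesystem layer itself refused the path; logging `$e->getMessage()` at `Log::warning(...)` inside the catch keeps that signal available for detection. The log line also writes `request('working_dir')` and `request('file')` verbatim, so consider bounding their length or encoding them before logging.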