assets return 403 with 3.7.1

[joepc74]

Bug description

Tenancy assets return 403.
This code:
<img src="{{ asset('logo.svg') }}" height="37" />
Works with 3.7, and with 2.7.1 return 403 Forbidden.

With favicon same issue:

Return 403.

Steps to reproduce

Blade code: <img src="{{ asset('logo.svg') }}" height="37" />
Direct url: http://localhost.test/tenancy/assets/logo.svg
Image dir: storage\tenantleon\app\public

Expected behavior

Show assets.

Laravel version

8.2

stancl/tenancy version

3.7.1

[stancl]

That would be related to this change: 4af70d3

What operating system are you on?

[joepc74]

That would be related to this change: 4af70d3

What operating system are you on?

Windows 11 with Xampp

[stancl]

The change we made uses realpath() to convert paths strings to absolute paths which we then validate as subdirectories of the storage_path().

The function also returns false if the path doesn't exist. I think that might be what's happening here, though in that case you'd likely get 404 before and get 403 now.

I tested how realpath() works on Windows and it seems to handle both \ and / just fine, so I'm not sure what part of the change would make this behave incorrectly on Windows.

[joepc74]

The change we made uses realpath() to convert paths strings to absolute paths which we then validate as subdirectories of the storage_path().

The function also returns false if the path doesn't exist. I think that might be what's happening here, though in that case you'd likely get 404 before and get 403 now.

I tested how realpath() works on Windows and it seems to handle both \ and / just fine, so I'm not sure what part of the change would make this behave incorrectly on Windows.

realpath("{$allowedRoot}/{$path}") ----> C:\xampp\htdocs\avata\storage\tenantleon\app\public\logo.svg
$allowedRoot ----> C:\xampp\htdocs\avata\storage/tenantleon\app/public

[stancl]

Ah, so it seems that the startsWith() fails since realpath() returns paths with \ while storage_path() returns the path with /. Thanks for providing those strings, I'll try to push a fix today

[stancl]

If you want, you can test if making this change would fix the problem for you:

- startsWith($allowedRoot))
+ startsWith(realpath($allowedRoot)))

[joepc74]

Works.

[ibarrasantiago]

I have the same issue and that change fixes it.

[xahmedtaha]

Any ETA on when this fix will be pushed? Should I make a pull request? @stancl

[stancl]

Just to confirm — is everyone who's experiencing this on Windows?

[xahmedtaha]

Yes, with the exact same issue because of the different slashes /, \

[stancl]

Cool, thanks for the feedback here. Working on a refactor that implements this in a better way. realpath() is a bit of a pain since it can return false when the path doesn't exist, so I'm adding more logic to handle every possible case, as well as test every possible case while always returning 404 (no more 403) to avoid leaking any information (e.g. the existence of a file outside the storage root).

[stancl]

Fixed in v3.7.2