diff --git a/app/Http/Controllers/AdminController.php b/app/Http/Controllers/AdminController.php index 8dc6874d9..01ff95e41 100755 --- a/app/Http/Controllers/AdminController.php +++ b/app/Http/Controllers/AdminController.php @@ -571,11 +571,42 @@ public function editAC(request $request) //Saves .env config public function editENV(request $request) { + // Protect against malicious env content $config = $request->altConfig; - file_put_contents(".env", $config); + if (empty($config)) { + return back()->with("error", "The configuration is empty."); + } + + // Reject obviously unsafe content + if ( + str_contains($config, "with( + "error", + "This configuration contains disallowed content for security reasons.", + ); + } + + // Optional: enforce a size limit + if (strlen($config) > 10000) { + return back()->with("error", "The configuration is too large."); + } + + file_put_contents(base_path('.env'), $config); + + // Clear cached configuration + try { + \Artisan::call('config:clear'); + \Artisan::call('cache:clear'); + } catch (\Exception $e) { + } - return Redirect("/admin/config?alternative-config"); + return redirect("/admin/config?alternative-config") + ->with("success", "Configuration updated successfully."); } //Shows config file editor page