MAGETWO-21201: CLONE - Apply SUPEE-1805: Issue with disablign allow_url_fopen using the CMS WYSIWYG editor (patch)

Author: Yuri Kovsher

app/code/Magento/Cms/Controller/Adminhtml/Wysiwyg/Directive.php

@@ -6,6 +6,7 @@
 namespace Magento\Cms\Controller\Adminhtml\Wysiwyg;
 
 use Magento\Backend\App\Action;
+use SebastianBergmann\Exporter\Exception;
 
 class Directive extends \Magento\Backend\App\Action
 {
@@ -37,15 +38,16 @@ public function execute()
     {
         $directive = $this->getRequest()->getParam('___directive');
         $directive = $this->urlDecoder->decode($directive);
-        $url = $this->_objectManager->create('Magento\Email\Model\Template\Filter')->filter($directive);
+        $imagePath = $this->_objectManager->create('Magento\Cms\Model\Template\Filter')->filter($directive);
         /** @var \Magento\Framework\Image\Adapter\AdapterInterface $image */
         $image = $this->_objectManager->get('Magento\Framework\Image\AdapterFactory')->create();
         $response = $this->getResponse();
         try {
-            $image->open($url);
+            $image->open($imagePath);
             $response->setHeader('Content-Type', $image->getMimeType())->setBody($image->getImage());
         } catch (\Exception $e) {
-            $image->open($this->_objectManager->get('Magento\Cms\Model\Wysiwyg\Config')->getSkinImagePlaceholderUrl());
+            $imagePath = $this->_objectManager->get('Magento\Cms\Model\Wysiwyg\Config')->getSkinImagePlaceholderPath();
+            $image->open($imagePath);
             $response->setHeader('Content-Type', $image->getMimeType())->setBody($image->getImage());
             $this->_objectManager->get('Psr\Log\LoggerInterface')->critical($e);
         }

app/code/Magento/Cms/Model/Template/Filter.php

@@ -27,4 +27,10 @@ public function setUseSessionInUrl($flag)
         $this->_useSessionInUrl = (bool)$flag;
         return $this;
     }
+
+    public function mediaDirective($construction)
+    {
+        $params = $this->_getIncludeParameters($construction[2]);
+        return $this->_storeManager->getStore()->getBaseMediaDir() . '/' . $params['url'];
+    }
 }

app/code/Magento/Cms/Model/Wysiwyg/Config.php

@@ -19,6 +19,11 @@ class Config extends \Magento\Framework\Object
      */
     const WYSIWYG_STATUS_CONFIG_PATH = 'cms/wysiwyg/enabled';
 
+    /**
+     *
+     */
+    const WYSIWYG_SKIN_IMAGE_PLACEHOLDER_ID = 'Magento_Cms::images/wysiwyg_skin_image.png';
+
     /**
      * Wysiwyg status hidden
      */
@@ -78,6 +83,11 @@ class Config extends \Magento\Framework\Object
      */
     protected $_backendUrl;
 
+    /**
+     * @var \Magento\Store\Model\StoreManagerInterface
+     */
+    protected $_storeManager;
+
     /**
      * @param \Magento\Backend\Model\UrlInterface $backendUrl
      * @param \Magento\Framework\Event\ManagerInterface $eventManager
@@ -86,6 +96,7 @@ class Config extends \Magento\Framework\Object
      * @param \Magento\Core\Model\Variable\Config $variableConfig
      * @param \Magento\Widget\Model\Widget\Config $widgetConfig
      * @param \Magento\Framework\App\Config\ScopeConfigInterface $scopeConfig
+     * @param \Magento\Store\Model\StoreManagerInterface $storeManager
      * @param array $windowSize
      * @param array $data
      */
@@ -97,6 +108,7 @@ public function __construct(
         \Magento\Core\Model\Variable\Config $variableConfig,
         \Magento\Widget\Model\Widget\Config $widgetConfig,
         \Magento\Framework\App\Config\ScopeConfigInterface $scopeConfig,
+        \Magento\Store\Model\StoreManagerInterface $storeManager,
         array $windowSize = [],
         array $data = []
     ) {
@@ -108,6 +120,7 @@ public function __construct(
         $this->_variableConfig = $variableConfig;
         $this->_widgetConfig = $widgetConfig;
         $this->_windowSize = $windowSize;
+        $this->_storeManager = $storeManager;
         parent::__construct($data);
     }
 
@@ -189,7 +202,19 @@ public function getConfig($data = [])
      */
     public function getSkinImagePlaceholderUrl()
     {
-        return $this->_assetRepo->getUrl('Magento_Cms::images/wysiwyg_skin_image.png');
+        return $this->_assetRepo->getUrl(self::WYSIWYG_SKIN_IMAGE_PLACEHOLDER_ID);
+    }
+
+    /**
+     * Return path for skin images placeholder
+     *
+     * @return string
+     */
+    public function getSkinImagePlaceholderPath()
+    {
+        $staticPath = $this->_storeManager->getStore()->getBaseStaticDir();
+        $placeholderPath = $this->_assetRepo->createAsset(self::WYSIWYG_SKIN_IMAGE_PLACEHOLDER_ID)->getPath();
+        return $staticPath . '/' . $placeholderPath;
     }
 
     /**

app/code/Magento/Store/Model/Store.php

@@ -594,6 +594,26 @@ public function getBaseUrl($type = \Magento\Framework\UrlInterface::URL_TYPE_LIN
         return $this->_baseUrlCache[$cacheKey];
     }
 
+    /**
+     * Retrieve base media directory path
+     *
+     * @return string
+     */
+    public function getBaseMediaDir()
+    {
+        return $this->filesystem->getUri(DirectoryList::MEDIA);
+    }
+
+    /**
+     * Retrieve base static directory path
+     *
+     * @return string
+     */
+    public function getBaseStaticDir()
+    {
+        return $this->filesystem->getUri(DirectoryList::STATIC_VIEW);
+    }
+
     /**
      * Append script file name to url in case when server rewrites are disabled
      *

dev/tests/unit/testsuite/Magento/Cms/Controller/Adminhtml/Wysiwyg/DirectiveTest.php

@@ -0,0 +1,248 @@
+<?php
+/**
+ * {license_notice}
+ *
+ * @copyright   {copyright}
+ * @license     {license_link}
+ */
+namespace Magento\Cms\Controller\Adminhtml\Wysiwyg;
+
+/**
+ * @covers \Magento\Cms\Controller\Adminhtml\Wysiwyg\Directive
+ */
+class DirectiveTest extends \PHPUnit_Framework_TestCase
+{
+    const IMAGE_PATH = 'pub/media/wysiwyg/image.jpg';
+
+    /**
+     * @var \Magento\Cms\Controller\Adminhtml\Wysiwyg\Directive
+     */
+    protected $wysiwygDirective;
+
+    /**
+     * @var \Magento\Backend\App\Action\Context|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $actionContextMock;
+
+    /**
+     * @var \Magento\Framework\App\RequestInterface|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $requestMock;
+
+    /**
+     * @var \Magento\Framework\Url\DecoderInterface|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $urlDecoderMock;
+
+    /**
+     * @var \Magento\Framework\ObjectManagerInterface|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $objectManagerMock;
+
+    /**
+     * @var \Magento\Cms\Model\Template\Filter|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $templateFilterMock;
+
+    /**
+     * @var \Magento\Framework\Image\AdapterFactory|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $imageAdapterFactoryMock;
+
+    /**
+     * @var \Magento\Framework\Image\Adapter\AdapterInterface|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $imageAdapterMock;
+
+    /**
+     * @var \Magento\Framework\App\ResponseInterface|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $responseMock;
+
+    /**
+     * @var \Magento\Cms\Model\Wysiwyg\Config|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $wysiwygConfigMock;
+
+    /**
+     * @var \Psr\Log\LoggerInterface|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $loggerMock;
+
+    protected function setUp()
+    {
+        $this->actionContextMock = $this->getMockBuilder('Magento\Backend\App\Action\Context')
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->requestMock = $this->getMockBuilder('Magento\Framework\App\RequestInterface')
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->urlDecoderMock = $this->getMockBuilder('Magento\Framework\Url\DecoderInterface')
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->objectManagerMock = $this->getMockBuilder('Magento\Framework\ObjectManagerInterface')
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->templateFilterMock = $this->getMockBuilder('Magento\Cms\Model\Template\Filter')
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->imageAdapterFactoryMock = $this->getMockBuilder('Magento\Framework\Image\AdapterFactory')
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->imageAdapterMock = $this->getMockBuilder('Magento\Framework\Image\Adapter\AdapterInterface')
+            ->disableOriginalConstructor()
+            ->setMethods(
+                [
+                    'getMimeType',
+                    'getColorAt',
+                    'getImage',
+                    'watermark',
+                    'refreshImageDimensions',
+                    'checkDependencies',
+                    'createPngFromString',
+                    'open',
+                    'resize',
+                    'crop',
+                    'save',
+                    'rotate'
+                ]
+            )
+            ->getMock();
+        $this->responseMock = $this->getMockBuilder('Magento\Framework\App\ResponseInterface')
+            ->disableOriginalConstructor()
+            ->setMethods(['setHeader', 'setBody', 'sendResponse'])
+            ->getMock();
+        $this->wysiwygConfigMock = $this->getMockBuilder('Magento\Cms\Model\Wysiwyg\Config')
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->loggerMock = $this->getMockBuilder('Psr\Log\LoggerInterface')
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $this->actionContextMock->expects($this->any())
+            ->method('getRequest')
+            ->willReturn($this->requestMock);
+        $this->actionContextMock->expects($this->any())
+            ->method('getResponse')
+            ->willReturn($this->responseMock);
+        $this->actionContextMock->expects($this->any())
+            ->method('getObjectManager')
+            ->willReturn($this->objectManagerMock);
+
+        $objectManager = new \Magento\TestFramework\Helper\ObjectManager($this);
+        $this->wysiwygDirective = $objectManager->getObject(
+            'Magento\Cms\Controller\Adminhtml\Wysiwyg\Directive',
+            [
+                'context' => $this->actionContextMock,
+                'urlDecoder' => $this->urlDecoderMock
+            ]
+        );
+    }
+
+    /**
+     * @covers \Magento\Cms\Controller\Adminhtml\Wysiwyg\Directive::execute
+     */
+    public function testExecute()
+    {
+        $mimeType = 'image/jpeg';
+        $imageBody = 'abcdefghijklmnopqrstuvwxyz0123456789';
+        $this->prepareExecuteTest();
+
+        $this->imageAdapterMock->expects($this->once())
+            ->method('open')
+            ->with(self::IMAGE_PATH);
+        $this->imageAdapterMock->expects($this->once())
+            ->method('getMimeType')
+            ->willReturn($mimeType);
+        $this->responseMock->expects($this->once())
+            ->method('setHeader')
+            ->with('Content-Type', $mimeType)
+            ->willReturnSelf();
+        $this->imageAdapterMock->expects($this->once())
+            ->method('getImage')
+            ->willReturn($imageBody);
+        $this->responseMock->expects($this->once())
+            ->method('setBody')
+            ->with($imageBody)
+            ->willReturnSelf();
+
+        $this->wysiwygDirective->execute();
+    }
+
+    /**
+     * @covers \Magento\Cms\Controller\Adminhtml\Wysiwyg\Directive::execute
+     */
+    public function testExecuteException()
+    {
+        $exception = new \Exception('epic fail');
+        $placeholderPath = 'pub/static/adminhtml/Magento/backend/en_US/Magento_Cms/images/wysiwyg_skin_image.png';
+        $mimeType = 'image/png';
+        $imageBody = '0123456789abcdefghijklmnopqrstuvwxyz';
+        $this->prepareExecuteTest();
+
+        $this->imageAdapterMock->expects($this->at(0))
+            ->method('open')
+            ->with(self::IMAGE_PATH)
+            ->willThrowException($exception);
+        $this->wysiwygConfigMock->expects($this->once())
+            ->method('getSkinImagePlaceholderPath')
+            ->willReturn($placeholderPath);
+        $this->imageAdapterMock->expects($this->at(1))
+            ->method('open')
+            ->with($placeholderPath);
+        $this->imageAdapterMock->expects($this->once())
+            ->method('getMimeType')
+            ->willReturn($mimeType);
+        $this->responseMock->expects($this->once())
+            ->method('setHeader')
+            ->with('Content-Type', $mimeType)
+            ->willReturnSelf();
+        $this->imageAdapterMock->expects($this->once())
+            ->method('getImage')
+            ->willReturn($imageBody);
+        $this->responseMock->expects($this->once())
+            ->method('setBody')
+            ->with($imageBody)
+            ->willReturnSelf();
+        $this->loggerMock->expects($this->once())
+            ->method('critical')
+            ->with($exception);
+
+        $this->wysiwygDirective->execute();
+    }
+
+    protected function prepareExecuteTest()
+    {
+        $directiveParam = 'e3ttZWRpYSB1cmw9Ind5c2l3eWcvYnVubnkuanBnIn19';
+        $directive = '{{media url="wysiwyg/image.jpg"}}';
+
+        $this->requestMock->expects($this->once())
+            ->method('getParam')
+            ->with('___directive')
+            ->willReturn($directiveParam);
+        $this->urlDecoderMock->expects($this->once())
+            ->method('decode')
+            ->with($directiveParam)
+            ->willReturn($directive);
+        $this->objectManagerMock->expects($this->once())
+            ->method('create')
+            ->with('Magento\Cms\Model\Template\Filter')
+            ->willReturn($this->templateFilterMock);
+        $this->templateFilterMock->expects($this->once())
+            ->method('filter')
+            ->with($directive)
+            ->willReturn(self::IMAGE_PATH);
+        $this->objectManagerMock->expects($this->any())
+            ->method('get')
+            ->willReturnMap(
+                [
+                    ['Magento\Framework\Image\AdapterFactory', $this->imageAdapterFactoryMock],
+                    ['Magento\Cms\Model\Wysiwyg\Config', $this->wysiwygConfigMock],
+                    ['Psr\Log\LoggerInterface', $this->loggerMock]
+                ]
+            );
+        $this->imageAdapterFactoryMock->expects($this->once())
+            ->method('create')
+            ->willReturn($this->imageAdapterMock);
+    }
+}