
Commit 2d1dec5

committed
Merge remote-tracking branch 'obsessive-owls/MAGETWO-95636' into 2.3.0-qwerty-bugs1
2 parents dbea8db + bcd2f80 commit 2d1dec5


2 files changed

+28
-19
lines changed


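--- a/app/code/Magento/CatalogImportExport/Model/Import/Uploader.php
+++ b/app/code/Magento/CatalogImportExport/Model/Import/Uploader.php
@@ -101,7 +101,7 @@ class Uploader extends \Magento\MediaStorage\Model\File\Uploader
 * @param \Magento\MediaStorage\Model\File\Validator\NotProtectedExtension $validator
 * @param \Magento\Framework\Filesystem $filesystem
 * @param \Magento\Framework\Filesystem\File\ReadFactory $readFactory
-* @param null $filePath
+* @param string|null $filePath
 * @throws \Magento\Framework\Exception\LocalizedException
 */
 public function __construct(
@@ -146,20 +146,25 @@ public function init()
 * @param string $fileName
 * @param bool $renameFileOff
 * @return array
+*
+* @throws \Magento\Framework\Exception\LocalizedException
 */
 public function move($fileName, $renameFileOff = false)
 {
 if ($renameFileOff) {
 $this->setAllowRenameFiles(false);
 }
+
+if ($this->getTmpDir()) {
+$filePath = $this->getTmpDir() . '/';
+} else {
+$filePath = '';
+}
+
 if (preg_match('/\bhttps?:\/\//i', $fileName, $matches)) {
 $url = str_replace($matches[0], '', $fileName);
-
-if ($matches[0] === $this->httpScheme) {
-$read = $this->_readFactory->create($url, DriverPool::HTTP);
-} else {
-$read = $this->_readFactory->create($url, DriverPool::HTTPS);
-}
+$driver = $matches[0] === $this->httpScheme ? DriverPool::HTTP : DriverPool::HTTPS;
+$read = $this->_readFactory->create($url, $driver);
 
 //only use filename (for URI with query parameters)
 $parsedUrlPath = parse_url($url, PHP_URL_PATH);
@@ -170,11 +175,11 @@ public function move($fileName, $renameFileOff = false)
 }
 }
 
-if ($this->getTmpDir()) {
-$filePath = $this->getTmpDir() . '/';
-} else {
-$filePath = '';
+$fileExtension = pathinfo($fileName, PATHINFO_EXTENSION);
+if ($fileExtension && !$this->checkAllowedExtension($fileExtension)) {
+throw new \Magento\Framework\Exception\LocalizedException(__('Disallowed file type.'));
 }
+
 $fileName = preg_replace('/[^a-z0-9\._-]+/i', '', $fileName);
 $filePath = $this->_directory->getRelativePath($filePath . $fileName);
 $this->_directory->writeFile(
@@ -183,11 +188,6 @@ public function move($fileName, $renameFileOff = false)
 );
 }
 
-if ($this->getTmpDir()) {
-$filePath = $this->getTmpDir() . '/';
-} else {
-$filePath = '';
-}
 $filePath = $this->_directory->getRelativePath($filePath . $fileName);
 $this->_setUploadFile($filePath);
 $destDir = $this->_directory->getAbsolutePath($this->getDestDir());
@@ -353,7 +353,7 @@ protected function _moveFile($tmpPath, $destPath)
 }
 
 /**
-* {@inheritdoc}
+* @inheritdoc
 */
 protected function chmod($file)
 {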
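Review bot: In `move()`, the allow-list check added at new lines 178–180 takes the extension from `$fileName` before the `preg_replace` on new line 183 rewrites that name, and it is skipped whenever `pathinfo()` yields an empty or otherwise falsy extension (`'0'` included), so the name that was validated is not guaranteed to be the name handed to `writeFile()`. Sanitise first and validate the result by moving `$fileName = preg_replace('/[^a-z0-9\._-]+/i', '', $fileName);` above `$fileExtension = pathinfo($fileName, PATHINFO_EXTENSION);`, and decide explicitly whether extension-less remote names are acceptable instead of letting them pass by truthiness. The check guards only the URL branch; whether local files receive equivalent validation later in `save()` is not visible from these hunks. The lines between new 170 and 175, where `$fileName` is derived from `$parsedUrlPath`, also lie outside the hunks.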

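--- a/app/code/Magento/CatalogImportExport/Test/Unit/Model/Import/UploaderTest.php
+++ b/app/code/Magento/CatalogImportExport/Test/Unit/Model/Import/UploaderTest.php
@@ -93,14 +93,14 @@ protected function setUp()
 $this->filesystem,
 $this->readFactory,
 ])
-->setMethods(['_setUploadFile', 'save', 'getTmpDir'])
+->setMethods(['_setUploadFile', 'save', 'getTmpDir', 'checkAllowedExtension'])
 ->getMock();
 }
 
 /**
 * @dataProvider moveFileUrlDataProvider
 */
-public function testMoveFileUrl($fileUrl, $expectedHost, $expectedFileName)
+public function testMoveFileUrl($fileUrl, $expectedHost, $expectedFileName, $checkAllowedExtension)
 {
 $destDir = 'var/dest/dir';
 $expectedRelativeFilePath = $expectedFileName;
@@ -128,6 +128,9 @@ public function testMoveFileUrl($fileUrl, $expectedHost, $expectedFileName)
 $this->uploader->expects($this->once())->method('_setUploadFile')->will($this->returnSelf());
 $this->uploader->expects($this->once())->method('save')->with($destDir . '/' . $expectedFileName)
 ->willReturn(['name' => $expectedFileName, 'path' => 'absPath']);
+$this->uploader->expects($this->exactly($checkAllowedExtension))
+->method('checkAllowedExtension')
+->willReturn(true);
 
 $this->uploader->setDestDir($destDir);
 $result = $this->uploader->move($fileUrl);
@@ -224,31 +227,37 @@ public function moveFileUrlDataProvider()
 '$fileUrl' => 'http://test_uploader_file',
 '$expectedHost' => 'test_uploader_file',
 '$expectedFileName' => 'test_uploader_file',
+'$checkAllowedExtension' => 0
 ],
 [
 '$fileUrl' => 'https://!:^&`;file',
 '$expectedHost' => '!:^&`;file',
 '$expectedFileName' => 'file',
+'$checkAllowedExtension' => 0
 ],
 [
 '$fileUrl' => 'https://www.google.com/image.jpg',
 '$expectedHost' => 'www.google.com/image.jpg',
 '$expectedFileName' => 'image.jpg',
+'$checkAllowedExtension' => 1
 ],
 [
 '$fileUrl' => 'https://www.google.com/image.jpg?param=1',
 '$expectedHost' => 'www.google.com/image.jpg?param=1',
 '$expectedFileName' => 'image.jpg',
+'$checkAllowedExtension' => 1
 ],
 [
 '$fileUrl' => 'https://www.google.com/image.jpg?param=1&param=2',
 '$expectedHost' => 'www.google.com/image.jpg?param=1&param=2',
 '$expectedFileName' => 'image.jpg',
+'$checkAllowedExtension' => 1
 ],
 [
 '$fileUrl' => 'http://www.google.com/image.jpg?param=1&param=2',
 '$expectedHost' => 'www.google.com/image.jpg?param=1&param=2',
 '$expectedFileName' => 'image.jpg',
+'$checkAllowedExtension' => 1
 ],
 ];
 }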
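Review bot: `checkAllowedExtension` is stubbed with `->willReturn(true)` for every dataset, so the rejection path this commit adds to `move()` (the `LocalizedException` carrying 'Disallowed file type.') is never executed by the suite. Add a case in which the mock returns false, using `$this->expectException(\Magento\Framework\Exception\LocalizedException::class);` together with `->willReturn(false)`, and assert that `save` and `_setUploadFile` are never called for it. The first two datasets also pin `exactly(0)` calls for names without an extension, which records the skip as expected behaviour; a short comment on those datasets saying this is deliberate would help the next reader. `testMoveFileUrl` continues outside the hunks shown here.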
