Merge pull request #5634 from magento-tsg/2.3.6-develop-pr123

[TSG] Fixes for 2.3 (pr123) (2.3.6-develop)

Author: zakdma

app/code/Magento/ImportExport/Block/Adminhtml/Grid/Column/Renderer/Download.php

@@ -20,9 +20,9 @@ class Download extends \Magento\Backend\Block\Widget\Grid\Column\Renderer\Text
      */
     public function _getValue(\Magento\Framework\DataObject $row)
     {
-        return '<p> ' . $row->getData('imported_file') .  '</p><a href="'
-        . $this->getUrl('*/*/download', ['filename' => $row->getData('imported_file')]) . '">'
-        . __('Download')
+        return '<p> ' . $this->escapeHtml($row->getData('imported_file')) .  '</p><a href="'
+        . $this->escapeUrl($this->getUrl('*/*/download', ['filename' => $row->getData('imported_file')])) . '">'
+        . $this->escapeHtml(__('Download'))
         . '</a>';
     }
 }

app/code/Magento/ImportExport/Block/Adminhtml/Grid/Column/Renderer/Error.php

@@ -22,9 +22,9 @@ public function _getValue(\Magento\Framework\DataObject $row)
     {
         $result = '';
         if ($row->getData('error_file') != '') {
-            $result = '<p> ' . $row->getData('error_file') .  '</p><a href="'
-                . $this->getUrl('*/*/download', ['filename' => $row->getData('error_file')]) . '">'
-                . __('Download')
+            $result = '<p> ' . $this->escapeHtml($row->getData('error_file')) .  '</p><a href="'
+                . $this->escapeUrl($this->getUrl('*/*/download', ['filename' => $row->getData('error_file')])) . '">'
+                . $this->escapeHtml(__('Download'))
                 . '</a>';
         }
         return $result;

app/code/Magento/ImportExport/Test/Unit/Block/Adminhtml/Grid/Column/Renderer/DownloadTest.php

@@ -5,12 +5,20 @@
  */
 namespace Magento\ImportExport\Test\Unit\Block\Adminhtml\Grid\Column\Renderer;
 
+use Magento\Backend\Block\Context;
+use Magento\Backend\Model\Url;
+use Magento\Framework\DataObject;
+use Magento\Framework\Escaper;
 use Magento\Framework\TestFramework\Unit\Helper\ObjectManager as ObjectManagerHelper;
+use Magento\ImportExport\Block\Adminhtml\Grid\Column\Renderer\Download;
 
+/**
+ * Test for \Magento\ImportExport\Block\Adminhtml\Grid\Column\Renderer\Download class.
+ */
 class DownloadTest extends \PHPUnit\Framework\TestCase
 {
     /**
-     * @var \Magento\Backend\Block\Context
+     * @var Context
      */
     protected $context;
 
@@ -20,24 +28,31 @@ class DownloadTest extends \PHPUnit\Framework\TestCase
     protected $objectManagerHelper;
 
     /**
-     * @var \Magento\ImportExport\Block\Adminhtml\Grid\Column\Renderer\Download
+     * @var Download
      */
     protected $download;
 
+    /**
+     * @var Escaper|\PHPUnit_Framework_MockObject_MockObjecti
+     */
+    private $escaperMock;
+
     /**
      * Set up
      */
     protected function setUp()
     {
-        $urlModel = $this->createPartialMock(\Magento\Backend\Model\Url::class, ['getUrl']);
+        $this->escaperMock = $this->createMock(Escaper::class);
+        $urlModel = $this->createPartialMock(Url::class, ['getUrl']);
         $urlModel->expects($this->any())->method('getUrl')->willReturn('url');
-        $this->context = $this->createPartialMock(\Magento\Backend\Block\Context::class, ['getUrlBuilder']);
+        $this->context = $this->createPartialMock(Context::class, ['getUrlBuilder', 'getEscaper']);
         $this->context->expects($this->any())->method('getUrlBuilder')->willReturn($urlModel);
+        $this->context->expects($this->any())->method('getEscaper')->willReturn($this->escaperMock);
         $data = [];
 
         $this->objectManagerHelper = new ObjectManagerHelper($this);
         $this->download = $this->objectManagerHelper->getObject(
-            \Magento\ImportExport\Block\Adminhtml\Grid\Column\Renderer\Download::class,
+            Download::class,
             [
                 'context' => $this->context,
                 'data' => $data
@@ -51,7 +66,16 @@ protected function setUp()
     public function testGetValue()
     {
         $data = ['imported_file' => 'file.csv'];
-        $row = new \Magento\Framework\DataObject($data);
+        $row = new DataObject($data);
+        $this->escaperMock->expects($this->at(0))
+            ->method('escapeHtml')
+            ->with('file.csv')
+            ->willReturn('file.csv');
+        $this->escaperMock->expects($this->once())->method('escapeUrl')->willReturn('url');
+        $this->escaperMock->expects($this->at(2))
+            ->method('escapeHtml')
+            ->with('Download')
+            ->willReturn('Download');
         $this->assertEquals('<p> file.csv</p><a href="url">Download</a>', $this->download->_getValue($row));
     }
 }

app/code/Magento/Theme/Model/Design/Backend/File.php

@@ -22,6 +22,8 @@
 use Magento\MediaStorage\Model\File\UploaderFactory;
 use Magento\Theme\Model\Design\Config\FileUploader\FileProcessor;
 use Magento\MediaStorage\Helper\File\Storage\Database;
+use Magento\Framework\Filesystem\Io\File as IoFile;
+use Magento\Framework\Filesystem\Directory\ReadFactory;
 
 /**
  * File Backend
@@ -45,6 +47,16 @@ class File extends BackendFile
      */
     private $databaseHelper;
 
+    /**
+     * @var IoFile|null
+     */
+    private $ioFile;
+
+    /**
+     * @var Read
+     */
+    private $tmpDirectory;
+
     /**
      * @param Context $context
      * @param Registry $registry
@@ -58,6 +70,8 @@ class File extends BackendFile
      * @param AbstractDb|null $resourceCollection
      * @param array $data
      * @param Database $databaseHelper
+     * @param IoFile|null $ioFile
+     * @param ReadFactory $tmpDirectory
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
@@ -72,7 +86,9 @@ public function __construct(
         AbstractResource $resource = null,
         AbstractDb $resourceCollection = null,
         array $data = [],
-        Database $databaseHelper = null
+        Database $databaseHelper = null,
+        IoFile $ioFile = null,
+        ReadFactory $tmpDirectory = null
     ) {
         parent::__construct(
             $context,
@@ -88,6 +104,12 @@ public function __construct(
         );
         $this->urlBuilder = $urlBuilder;
         $this->databaseHelper = $databaseHelper ?: ObjectManager::getInstance()->get(Database::class);
+        $this->ioFile = $ioFile ?: ObjectManager::getInstance()->get(IoFile::class);
+        /** @var ReadFactory $readFactory */
+        $readFactory = ObjectManager::getInstance()->get(ReadFactory::class);
+        $this->tmpDirectory = $tmpDirectory ?: $readFactory->create(
+            $this->_mediaDirectory->getAbsolutePath() .'tmp/' . FileProcessor::FILE_DIR
+        );
     }
 
     /**
@@ -108,11 +130,18 @@ public function beforeSave()
                 __('%1 does not contain field \'file\'', $this->getData('field_config/field'))
             );
         }
-        if (isset($value['exists'])) {
+
+        $extension = $this->ioFile->getPathInfo($file);
+        $fileExtension = is_array($extension) ? $extension['extension'] : '';
+        if (!$this->isAllowedExtension($fileExtension)) {
+            throw new LocalizedException(__("Invalid file provided."));
+        }
+
+        if ($this->getOrigData('value') === $file) {
             $this->setValue($file);
             return $this;
         }
-      
+
         //phpcs:ignore Magento2.Functions.DiscouragedFunction
         $this->updateMediaDirectory(basename($file), $value['url']);
 
@@ -126,8 +155,10 @@ public function afterLoad()
     {
         $value = $this->getValue();
         if ($value && !is_array($value)) {
-            //phpcs:ignore Magento2.Functions.DiscouragedFunction
-            $fileName = $this->_getUploadDir() . '/' . basename($value);
+            $fileName = $this->_mediaDirectory->getAbsolutePath(
+                //phpcs:ignore Magento2.Functions.DiscouragedFunction
+                $this->_getUploadDir() . DIRECTORY_SEPARATOR . basename($value)
+            );
             $fileInfo = null;
             if ($this->_mediaDirectory->isExist($fileName)) {
                 $stat = $this->_mediaDirectory->stat($fileName);
@@ -207,7 +238,7 @@ protected function getStoreMediaUrl($fileName)
      */
     protected function getTmpMediaPath($filename)
     {
-        return 'tmp/' . FileProcessor::FILE_DIR . '/' . $filename;
+        return $this->tmpDirectory->getAbsolutePath($this->tmpDirectory->getRelativePath($filename));
     }
 
     /**
@@ -259,10 +290,12 @@ private function getRelativeMediaPath(string $path): string
      */
     private function updateMediaDirectory(string $filename, string $url)
     {
-        $relativeMediaPath = $this->getRelativeMediaPath($url);
+        $absoluteMediaPath = $this->_mediaDirectory->getAbsolutePath($this->getRelativeMediaPath($url));
         $tmpMediaPath = $this->getTmpMediaPath($filename);
-        $mediaPath = $this->_mediaDirectory->isFile($relativeMediaPath) ? $relativeMediaPath : $tmpMediaPath;
-        $destinationMediaPath = $this->_getUploadDir() . '/' . $filename;
+        $mediaPath = $this->_mediaDirectory->isFile($absoluteMediaPath) ? $absoluteMediaPath : $tmpMediaPath;
+        $destinationMediaPath = $this->_mediaDirectory->getAbsolutePath(
+            $this->_getUploadDir() . DIRECTORY_SEPARATOR . $filename
+        );
 
         $result = $mediaPath === $destinationMediaPath;
         if (!$result) {
@@ -287,4 +320,19 @@ private function updateMediaDirectory(string $filename, string $url)
             $this->unsValue();
         }
     }
+
+    /**
+     * Check if specified extension is allowed.
+     *
+     * @param string $extension
+     * @return boolean
+     */
+    public function isAllowedExtension(string $extension): bool
+    {
+        if (empty($this->getAllowedExtensions())) {
+            return true;
+        }
+
+        return in_array(strtolower($extension), $this->getAllowedExtensions());
+    }
 }

app/code/Magento/Theme/Model/Design/Config/FileUploader/FileProcessor.php

@@ -78,7 +78,7 @@ public function __construct(
     }
 
     /**
-     * Save file to temp media directory
+     * Save file to temp media directory.
      *
      * @param  string $fileId
      *
@@ -92,40 +92,41 @@ public function saveToTmp($fileId)
         } catch (\Exception $e) {
             $result = ['error' => $e->getMessage(), 'errorcode' => $e->getCode()];
         }
+
         return $result;
     }
 
     /**
-     * Retrieve temp media url
+     * Retrieve temp media url.
      *
      * @param string $file
      * @return string
      */
     protected function getTmpMediaUrl($file)
     {
         return $this->storeManager->getStore()->getBaseUrl(UrlInterface::URL_TYPE_MEDIA)
-            . 'tmp/' . self::FILE_DIR . '/' . $this->prepareFile($file);
+            . 'tmp' . DIRECTORY_SEPARATOR . self::FILE_DIR . DIRECTORY_SEPARATOR . $this->prepareFile($file);
     }
 
     /**
-     * Prepare file
+     * Prepare file.
      *
      * @param string $file
      * @return string
      */
     protected function prepareFile($file)
     {
-        return ltrim(str_replace('\\', '/', $file), '/');
+        return ltrim(str_replace('\\', DIRECTORY_SEPARATOR, $file), DIRECTORY_SEPARATOR);
     }
 
     /**
-     * Retrieve absolute temp media path
+     * Retrieve absolute temp media path.
      *
      * @return string
      */
     protected function getAbsoluteTmpMediaPath()
     {
-        return $this->mediaDirectory->getAbsolutePath('tmp/' . self::FILE_DIR);
+        return $this->mediaDirectory->getAbsolutePath('tmp' . DIRECTORY_SEPARATOR . self::FILE_DIR);
     }
 
     /**