Merge remote-tracking branch 'origin/MAGETWO-95550' into 2.1.16-develop-pr60

zakdma · zakdma · commit 4198b96b64be · 2018-10-26T15:01:34.000+03:00
diff --git a/app/code/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/DeleteFiles.php b/app/code/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/DeleteFiles.php
@@ -82,7 +82,7 @@ public function execute()
                 $filesystem = $this->_objectManager->get(\Magento\Framework\Filesystem::class);
                 $dir = $filesystem->getDirectoryRead(DirectoryList::MEDIA);
                 $filePath = $path . '/' . \Magento\Framework\File\Uploader::getCorrectFileName($file);
-                if ($dir->isFile($dir->getRelativePath($filePath))) {
+                if ($dir->isFile($dir->getRelativePath($filePath)) && !preg_match('/^\\.htaccess$/', $file)) {
                     $this->getStorage()->deleteFile($filePath);
                 }
             }
diff --git a/dev/tests/integration/testsuite/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/DeleteFilesTest.php b/dev/tests/integration/testsuite/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/DeleteFilesTest.php
@@ -88,5 +88,64 @@ public static function tearDownAfterClass()
         if ($directory->isExist('wysiwyg')) {
             $directory->delete('wysiwyg');
         }
+        if ($directory->isExist('.htaccess')) {
+            $directory->delete('.htaccess');
+        }
+        if ($directory->isExist('thtaccess')) {
+            $directory->delete('thtaccess');
+        }
+    }
+
+    /**
+     * Creates file and tries to delete it via
+     * \Magento\Cms\Controller\Adminhtml\Wysiwyg\Images\DeleteFiles::execute method
+     *
+     * @param  string $fileName
+     * @return void
+     */
+    private function createFileAndExecuteDelete($fileName)
+    {
+        $path = '/' . $fileName;
+        if (!$this->mediaDirectory->isFile($path)) {
+            $this->mediaDirectory->writeFile($path, "Order deny,allow\nDeny from all");
+        }
+        $this->model->getRequest()->setMethod('POST')
+            ->setPostValue('files', [$this->imagesHelper->idEncode($fileName)]);
+        $this->model->getStorage()->getSession()->setCurrentPath($this->mediaDirectory->getAbsolutePath());
+        $this->model->execute();
+    }
+
+    /**
+     * Check that htaccess file couldn't be removed via
+     * \Magento\Cms\Controller\Adminhtml\Wysiwyg\Images\DeleteFiles::execute method
+     *
+     * @return void
+     */
+    public function testCouldNotDeleteHtaccess()
+    {
+        $fileName = '.htaccess';
+        $this->createFileAndExecuteDelete($fileName);
+        $this->assertTrue(
+            $this->mediaDirectory->isExist(
+                $this->mediaDirectory->getRelativePath($fileName)
+            )
+        );
+    }
+
+    /**
+     * Check that random file could be removed via
+     * \Magento\Cms\Controller\Adminhtml\Wysiwyg\Images\DeleteFiles::execute method
+     *
+     * @return void
+     */
+    public function testDeleteAnyFile()
+    {
+        $fileName = 'thtaccess';
+        $this->createFileAndExecuteDelete($fileName);
+        $this->assertFalse(
+            $this->mediaDirectory->isExist(
+                $this->mediaDirectory->getRelativePath($fileName)
+            )
+        );
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -82,7 +82,7 @@ public function execute()`
`82`	`82`	`$filesystem = $this->_objectManager->get(\Magento\Framework\Filesystem::class);`
`83`	`83`	`$dir = $filesystem->getDirectoryRead(DirectoryList::MEDIA);`
`84`	`84`	`$filePath = $path . '/' . \Magento\Framework\File\Uploader::getCorrectFileName($file);`
`85`		`- if ($dir->isFile($dir->getRelativePath($filePath))) {`
	`85`	`+ if ($dir->isFile($dir->getRelativePath($filePath)) && !preg_match('/^\\.htaccess$/', $file)) {`
`86`	`86`	`$this->getStorage()->deleteFile($filePath);`
`87`	`87`	`}`
`88`	`88`	`}`