Merge remote-tracking branch 'origin/MAGETWO-72013' into 2.3-develop-pr1

zakdma · zakdma · commit 653b9febce4b · 2018-03-07T14:44:49.000+02:00
diff --git a/app/code/Magento/Customer/Controller/Adminhtml/Index/Viewfile.php b/app/code/Magento/Customer/Controller/Adminhtml/Index/Viewfile.php
@@ -132,30 +132,15 @@ public function __construct(
      */
     public function execute()
     {
-        $file = null;
-        $plain = false;
-        if ($this->getRequest()->getParam('file')) {
-            // download file
-            $file = $this->urlDecoder->decode(
-                $this->getRequest()->getParam('file')
-            );
-        } elseif ($this->getRequest()->getParam('image')) {
-            // show plain image
-            $file = $this->urlDecoder->decode(
-                $this->getRequest()->getParam('image')
-            );
-            $plain = true;
-        } else {
-            throw new NotFoundException(__('Page not found.'));
-        }
+        list($file, $plain) = $this->getFileParams();
 
         /** @var \Magento\Framework\Filesystem $filesystem */
         $filesystem = $this->_objectManager->get(\Magento\Framework\Filesystem::class);
         $directory = $filesystem->getDirectoryRead(DirectoryList::MEDIA);
         $fileName = CustomerMetadataInterface::ENTITY_TYPE_CUSTOMER . '/' . ltrim($file, '/');
         $path = $directory->getAbsolutePath($fileName);
-        if (!$directory->isFile($fileName)
-            && !$this->_objectManager->get(\Magento\MediaStorage\Helper\File\Storage::class)->processStorageFile($path)
+        if (mb_strpos($path, '..') !== false || (!$directory->isFile($fileName)
+            && !$this->_objectManager->get(\Magento\MediaStorage\Helper\File\Storage::class)->processStorageFile($path))
         ) {
             throw new NotFoundException(__('Page not found.'));
         }
@@ -198,4 +183,32 @@ public function execute()
             );
         }
     }
+
+    /**
+     * Get parameters from request.
+     *
+     * @return array
+     * @throws NotFoundException
+     */
+    private function getFileParams()
+    {
+        $file = null;
+        $plain = false;
+        if ($this->getRequest()->getParam('file')) {
+            // download file
+            $file = $this->urlDecoder->decode(
+                $this->getRequest()->getParam('file')
+            );
+        } elseif ($this->getRequest()->getParam('image')) {
+            // show plain image
+            $file = $this->urlDecoder->decode(
+                $this->getRequest()->getParam('image')
+            );
+            $plain = true;
+        } else {
+            throw new NotFoundException(__('Page not found.'));
+        }
+
+        return [$file, $plain];
+    }
 }
diff --git a/app/code/Magento/Customer/Test/Unit/Controller/Adminhtml/Index/ViewfileTest.php b/app/code/Magento/Customer/Test/Unit/Controller/Adminhtml/Index/ViewfileTest.php
@@ -206,4 +206,53 @@ public function testExecuteGetParamImage()
         );
         $this->assertSame($this->resultRawMock, $controller->execute());
     }
+
+    /**
+     * @expectedException \Magento\Framework\Exception\NotFoundException
+     * @expectedExceptionMessage Page not found.
+     */
+    public function testExecuteInvalidFile()
+    {
+        $file = '../../../app/etc/env.php';
+        $decodedFile = base64_encode($file);
+        $fileName = 'customer/' . $file;
+        $path = 'path';
+
+        $this->requestMock->expects($this->atLeastOnce())->method('getParam')->with('file')->willReturn($decodedFile);
+
+        $this->directoryMock->expects($this->once())->method('getAbsolutePath')->with($fileName)->willReturn($path);
+
+        $this->fileSystemMock->expects($this->once())->method('getDirectoryRead')
+            ->with(\Magento\Framework\App\Filesystem\DirectoryList::MEDIA)
+            ->willReturn($this->directoryMock);
+
+        $this->storage->expects($this->once())->method('processStorageFile')->with($path)->willReturn(false);
+
+        $this->objectManagerMock->expects($this->any())->method('get')
+            ->willReturnMap(
+                [
+                    [\Magento\Framework\Filesystem::class, $this->fileSystemMock],
+                    [\Magento\MediaStorage\Helper\File\Storage::class, $this->storage],
+                ]
+            );
+
+        $this->urlDecoderMock->expects($this->once())->method('decode')->with($decodedFile)->willReturn($file);
+        $fileFactoryMock = $this->createMock(
+            \Magento\Framework\App\Response\Http\FileFactory::class,
+            [],
+            [],
+            '',
+            false
+        );
+
+        $controller = $this->objectManager->getObject(
+            \Magento\Customer\Controller\Adminhtml\Index\Viewfile::class,
+            [
+                'context' => $this->contextMock,
+                'urlDecoder' => $this->urlDecoderMock,
+                'fileFactory' => $fileFactoryMock,
+            ]
+        );
+        $controller->execute();
+    }
 }
