magento
diff --git a/‎app/code/Magento/ImportExport/Controller/Adminhtml/Import/Validate.php
Lines changed: 1 addition & 9 deletions b/‎app/code/Magento/ImportExport/Controller/Adminhtml/Import/Validate.php
Lines changed: 1 addition & 9 deletions
diff --git a/‎app/code/Magento/ImportExport/Model/Import.php
Lines changed: 49 additions & 15 deletions b/‎app/code/Magento/ImportExport/Model/Import.php
Lines changed: 49 additions & 15 deletions
diff --git a/‎app/code/Magento/ImportExport/Model/Import/Source/Zip.php
Lines changed: 11 additions & 4 deletions b/‎app/code/Magento/ImportExport/Model/Import/Source/Zip.php
Lines changed: 11 additions & 4 deletions
diff --git a/‎app/code/Magento/Store/etc/config.xml
Lines changed: 2 additions & 0 deletions b/‎app/code/Magento/Store/etc/config.xml
Lines changed: 2 additions & 0 deletions
diff --git a/‎app/code/Magento/Swagger/Block/Index.php
Lines changed: 2 additions & 1 deletion b/‎app/code/Magento/Swagger/Block/Index.php
Lines changed: 2 additions & 1 deletion
diff --git a/‎app/code/Magento/Swagger/view/frontend/templates/swagger-ui/index.phtml
Lines changed: 1 addition & 1 deletion b/‎app/code/Magento/Swagger/view/frontend/templates/swagger-ui/index.phtml
Lines changed: 1 addition & 1 deletion
diff --git a/‎dev/tests/integration/testsuite/Magento/Framework/Code/File/Validator/NotProtectedExtensionTest.php
Lines changed: 42 additions & 0 deletions b/‎dev/tests/integration/testsuite/Magento/Framework/Code/File/Validator/NotProtectedExtensionTest.php
Lines changed: 42 additions & 0 deletions
diff --git a/‎dev/tests/integration/testsuite/Magento/ImportExport/Controller/Adminhtml/Import/ValidateTest.php
Lines changed: 23 additions & 10 deletions b/‎dev/tests/integration/testsuite/Magento/ImportExport/Controller/Adminhtml/Import/ValidateTest.php
Lines changed: 23 additions & 10 deletions
diff --git a/‎dev/tests/integration/testsuite/Magento/ImportExport/Controller/Adminhtml/Import/_files/catalog_product.zip
955 Bytes b/‎dev/tests/integration/testsuite/Magento/ImportExport/Controller/Adminhtml/Import/_files/catalog_product.zip
955 Bytes
@@ -9,9 +9,6 @@
 use Magento\ImportExport\Model\Import;
 use Magento\ImportExport\Block\Adminhtml\Import\Frame\Result;
 use Magento\Framework\Controller\ResultFactory;
-use Magento\Framework\App\Filesystem\DirectoryList;
-use Magento\ImportExport\Model\Import\Adapter as ImportAdapter;
-use Magento\ImportExport\Model\Import\ErrorProcessing\ProcessingErrorAggregatorInterface;
 
 class Validate extends ImportResultController
 {
@@ -42,12 +39,7 @@ public function execute()
             /** @var $import \Magento\ImportExport\Model\Import */
             $import = $this->getImport()->setData($data);
             try {
-                $source = ImportAdapter::findAdapterFor(
-                    $import->uploadSource(),
-                    $this->_objectManager->create('Magento\Framework\Filesystem')
-                        ->getDirectoryWrite(DirectoryList::ROOT),
-                    $data[$import::FIELD_FIELD_SEPARATOR]
-                );
+                $source = $import->uploadFileAndGetSource();
                 $this->processValidationResult($import->validateSource($source), $resultBlock);
             } catch (\Magento\Framework\Exception\LocalizedException $e) {
                 $resultBlock->addError($e->getMessage());
 
@@ -10,6 +10,7 @@
 
 use Magento\Framework\App\Filesystem\DirectoryList;
 use Magento\Framework\HTTP\Adapter\FileTransferFactory;
+use Magento\Framework\Stdlib\DateTime\DateTime;
 use Magento\ImportExport\Model\Import\ErrorProcessing\ProcessingError;
 use Magento\ImportExport\Model\Import\ErrorProcessing\ProcessingErrorAggregatorInterface;
 
@@ -78,6 +79,11 @@ class Import extends \Magento\ImportExport\Model\AbstractModel
      */
     const FIELD_FIELD_MULTIPLE_VALUE_SEPARATOR = '_import_multiple_value_separator';
 
+    /**
+     * Import empty attribute value constant.
+     */
+    const FIELD_EMPTY_ATTRIBUTE_VALUE_CONSTANT = '_import_empty_attribute_value_constant';
+
     /**
      * Allow multiple values wrapping in double quotes for additional attributes.
      */
@@ -90,6 +96,11 @@ class Import extends \Magento\ImportExport\Model\AbstractModel
      */
     const DEFAULT_GLOBAL_MULTI_VALUE_SEPARATOR = ',';
 
+    /**
+     * default empty attribute value constant
+     */
+    const DEFAULT_EMPTY_ATTRIBUTE_VALUE_CONSTANT = '__EMPTY__VALUE__';
+
     /**#@+
      * Import constants
      */
@@ -162,6 +173,16 @@ class Import extends \Magento\ImportExport\Model\AbstractModel
      */
     protected $_filesystem;
 
+    /**
+     * @var History
+     */
+    private $importHistoryModel;
+
+    /**
+     * @var DateTime
+     */
+    private $localeDate;
+
     /**
      * @param \Psr\Log\LoggerInterface $logger
      * @param \Magento\Framework\Filesystem $filesystem
@@ -176,7 +197,7 @@ class Import extends \Magento\ImportExport\Model\AbstractModel
      * @param Source\Import\Behavior\Factory $behaviorFactory
      * @param \Magento\Framework\Indexer\IndexerRegistry $indexerRegistry
      * @param History $importHistoryModel
-     * @param \Magento\Framework\Stdlib\DateTime\DateTime
+     * @param DateTime $localeDate
      * @param array $data
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
@@ -194,7 +215,7 @@ public function __construct(
         \Magento\ImportExport\Model\Source\Import\Behavior\Factory $behaviorFactory,
         \Magento\Framework\Indexer\IndexerRegistry $indexerRegistry,
         \Magento\ImportExport\Model\History $importHistoryModel,
-        \Magento\Framework\Stdlib\DateTime\DateTime $localeDate,
+        DateTime $localeDate,
         array $data = []
     ) {
         $this->_importExportData = $importExportData;
@@ -221,7 +242,6 @@ public function __construct(
      */
     protected function _getEntityAdapter()
     {
-
         if (!$this->_entityAdapter) {
             $entities = $this->_importConfig->getEntities();
             if (isset($entities[$this->getEntity()])) {
@@ -239,8 +259,8 @@ protected function _getEntityAdapter()
                     throw new \Magento\Framework\Exception\LocalizedException(
                         __(
                             'The entity adapter object must be an instance of %1 or %2.',
-                            'Magento\ImportExport\Model\Import\Entity\AbstractEntity',
-                            'Magento\ImportExport\Model\Import\AbstractEntity'
+                            \Magento\ImportExport\Model\Import\Entity\AbstractEntity::class,
+                            \Magento\ImportExport\Model\Import\AbstractEntity::class
                         )
                     );
                 }
@@ -435,7 +455,6 @@ public function importSource()
             $this->importHistoryModel->invalidateReport($this);
         }
 
-
         return $result;
     }
 
@@ -537,14 +556,28 @@ public function uploadSource()
         }
         $this->_removeBom($sourceFile);
         $this->createHistoryReport($sourceFileRelative, $entity, $extension, $result);
-        // trying to create source adapter for file and catch possible exception to be convinced in its adequacy
+
+        return $sourceFile;
+    }
+
+    /**
+     * Move uploaded file and provide source instance.
+     *
+     * @return Import\AbstractSource
+     * @throws \Magento\Framework\Exception\FileSystemException
+     * @throws \Magento\Framework\Exception\LocalizedException
+     */
+    public function uploadFileAndGetSource()
+    {
+        $sourceFile = $this->uploadSource();
         try {
-            $this->_getSourceAdapter($sourceFile);
+            $source = $this->_getSourceAdapter($sourceFile);
         } catch (\Exception $e) {
-            $this->_varDirectory->delete($sourceFileRelative);
+            $this->_varDirectory->delete($this->_varDirectory->getRelativePath($sourceFile));
             throw new \Magento\Framework\Exception\LocalizedException(__($e->getMessage()));
         }
-        return $sourceFile;
+
+        return $source;
     }
 
     /**
@@ -708,7 +741,9 @@ public function isReportEntityType($entity = null)
                 try {
                     $result = $this->_getEntityAdapter()->isNeedToLogInHistory();
                 } catch (\Exception $e) {
-                    throw new \Magento\Framework\Exception\LocalizedException(__('Please enter a correct entity model'));
+                    throw new \Magento\Framework\Exception\LocalizedException(
+                        __('Please enter a correct entity model')
+                    );
                 }
             } else {
                 throw new \Magento\Framework\Exception\LocalizedException(__('Please enter a correct entity model'));
@@ -720,11 +755,11 @@ public function isReportEntityType($entity = null)
     }
 
     /**
-     * Create history report
+     * Create history report.
      *
+     * @param string $sourceFileRelative
      * @param string $entity
      * @param string $extension
-     * @param string $sourceFileRelative
      * @param array $result
      * @return $this
      * @throws \Magento\Framework\Exception\LocalizedException
@@ -737,7 +772,7 @@ protected function createHistoryReport($sourceFileRelative, $entity, $extension
                 $sourceFileRelative = $this->_varDirectory->getRelativePath(self::IMPORT_DIR . $fileName);
             } elseif (isset($result['name'])) {
                 $fileName = $result['name'];
-            } elseif (!is_null($extension)) {
+            } elseif ($extension !== null) {
                 $fileName = $entity . $extension;
             } else {
                 $fileName = basename($sourceFileRelative);
@@ -759,7 +794,6 @@ protected function createHistoryReport($sourceFileRelative, $entity, $extension
         return $this;
     }
 
-
     /**
      * Get count of created items
      *
 
@@ -5,6 +5,8 @@
  */
 namespace Magento\ImportExport\Model\Import\Source;
 
+use Magento\Framework\Exception\ValidatorException;
+
 /**
  * Zip import adapter.
  */
@@ -14,17 +16,22 @@ class Zip extends Csv
      * @param string $file
      * @param \Magento\Framework\Filesystem\Directory\Write $directory
      * @param string $options
+     * @throws \Magento\Framework\Exception\ValidatorException
      */
     public function __construct(
         $file,
         \Magento\Framework\Filesystem\Directory\Write $directory,
         $options
     ) {
         $zip = new \Magento\Framework\Archive\Zip();
-        $file = $zip->unpack(
-            $directory->getRelativePath($file),
-            $directory->getRelativePath(preg_replace('/\.zip$/i', '.csv', $file))
+        $csvFile = $zip->unpack(
+            $file,
+            preg_replace('/\.zip$/i', '.csv', $file)
         );
-        parent::__construct($file, $directory, $options);
+        if (!$csvFile) {
+            throw new ValidatorException(__('Sorry, but the data is invalid or the file is not uploaded.'));
+        }
+        $directory->delete($directory->getRelativePath($file));
+        parent::__construct($csvFile, $directory, $options);
     }
 }
@@ -130,6 +130,8 @@
                     <html>html</html>
                     <phtml>phtml</phtml>
                     <shtml>shtml</shtml>
+                    <phpt>phpt</phpt>
+                    <pht>pht</pht>
                 </protected_extensions>
                 <public_files_valid_paths>
                     <protected>
 
@@ -11,6 +11,7 @@
  * Class Index
  *
  * @api
+ * @SuppressWarnings(PHPMD.RequestAwareBlockMethod)
  */
 class Index extends Template
 {
@@ -19,7 +20,7 @@ class Index extends Template
      */
     private function getParamStore()
     {
-        return $this->getRequest()->getParam('store') ?: 'all';
+        return $this->stripTags($this->getRequest()->getParam('store')) ?: 'all';
     }
 
     /**
 
@@ -24,7 +24,7 @@ $schemaUrl = $block->getSchemaUrl();
     <div class="swagger-ui-wrap">
         <a id="logo" href="http://swagger.io">swagger</a>
         <form id='api_selector'>
-            <input id="input_baseUrl" type="hidden" value="<?php /* @escapeNotVerified */ echo $schemaUrl ?>"/>
+            <input id="input_baseUrl" type="hidden" value="<?php echo $block->escapeUrl($schemaUrl) ?>"/>
             <div class='input'><input placeholder="api_key" id="input_apiKey" name="apiKey" type="text"/></div>
             <div class='input'><a id="explore" href="#" data-sw-translate>apply</a></div>
         </form>
 
@@ -0,0 +1,42 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+namespace Magento\Framework\Code\File\Validator;
+
+use Magento\TestFramework\Helper\Bootstrap;
+
+/**
+ * Tests protected extensions.
+ */
+class NotProtectedExtensionTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * Test that phpt, pht is invalid extension type
+     * @dataProvider isValidDataProvider
+     * @param string $extension
+     * @return void
+     */
+    public function testIsValid($extension)
+    {
+        $objectManager = Bootstrap::getObjectManager();
+        /** @var \Magento\MediaStorage\Model\File\Validator\NotProtectedExtension $model */
+        $model = $objectManager->create(\Magento\MediaStorage\Model\File\Validator\NotProtectedExtension::class);
+        $this->assertFalse($model->isValid($extension));
+    }
+
+    /**
+     * Data provider for testIsValid
+     *
+     * @return array
+     */
+    public function isValidDataProvider()
+    {
+        return [
+            ['phpt'],
+            ['pht'],
+        ];
+    }
+}
@@ -17,11 +17,14 @@ class ValidateTest extends \Magento\TestFramework\TestCase\AbstractBackendContro
     /**
      * @dataProvider validationDataProvider
      * @param string $fileName
+     * @param string $mimeType
      * @param string $message
+     * @param string $delimiter
      * @backupGlobals enabled
      * @magentoDbIsolation enabled
+     * @SuppressWarnings(PHPMD.Superglobals)
      */
-    public function testValidationReturn($fileName, $message)
+    public function testValidationReturn($fileName, $mimeType, $message, $delimiter)
     {
         $validationStrategy = ProcessingErrorAggregatorInterface::VALIDATION_STRATEGY_STOP_ON_ERROR;
 
@@ -30,16 +33,16 @@ public function testValidationReturn($fileName, $message)
         $_SERVER['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest';
 
         /** @var $formKey \Magento\Framework\Data\Form\FormKey */
-        $formKey = $this->_objectManager->get('Magento\Framework\Data\Form\FormKey');
+        $formKey = $this->_objectManager->get(\Magento\Framework\Data\Form\FormKey::class);
         $this->getRequest()->setPostValue('form_key', $formKey->getFormKey());
         $this->getRequest()->setPostValue('entity', 'catalog_product');
         $this->getRequest()->setPostValue('behavior', 'append');
         $this->getRequest()->setPostValue(Import::FIELD_NAME_VALIDATION_STRATEGY, $validationStrategy);
         $this->getRequest()->setPostValue(Import::FIELD_NAME_ALLOWED_ERROR_COUNT, 0);
-        $this->getRequest()->setPostValue('_import_field_separator', ',');
+        $this->getRequest()->setPostValue('_import_field_separator', $delimiter);
 
         /** @var \Magento\TestFramework\App\Filesystem $filesystem */
-        $filesystem = $this->_objectManager->get('Magento\Framework\Filesystem');
+        $filesystem = $this->_objectManager->get(\Magento\Framework\Filesystem::class);
         $tmpDir = $filesystem->getDirectoryWrite(DirectoryList::SYS_TMP);
         $subDir = str_replace('\\', '_', __CLASS__);
         $tmpDir->create($subDir);
@@ -49,7 +52,7 @@ public function testValidationReturn($fileName, $message)
         $_FILES = [
             'import_file' => [
                 'name' => $fileName,
-                'type' => 'text/csv',
+                'type' => $mimeType,
                 'tmp_name' => $target,
                 'error' => 0,
                 'size' => filesize($target)
@@ -59,8 +62,8 @@ public function testValidationReturn($fileName, $message)
         $this->_objectManager->configure(
             [
                 'preferences' => [
-                    'Magento\Framework\HTTP\Adapter\FileTransferFactory' =>
-                        'Magento\ImportExport\Controller\Adminhtml\Import\HttpFactoryMock'
+                    \Magento\Framework\HTTP\Adapter\FileTransferFactory::class =>
+                        \Magento\ImportExport\Controller\Adminhtml\Import\HttpFactoryMock::class
                 ]
             ]
         );
@@ -83,12 +86,22 @@ public function validationDataProvider()
         return [
             [
                 'file_name' => 'catalog_product.csv',
-                'message' => 'File is valid'
+                'mime-type' => 'text/csv',
+                'message' => 'File is valid',
+                'delimiter' => ',',
             ],
             [
                 'file_name' => 'test.txt',
-                'message' => '\'txt\' file extension is not supported'
-            ]
+                'mime-type' => 'text/csv',
+                'message' => '\'txt\' file extension is not supported',
+                'delimiter' => ',',
+            ],
+            [
+                'file_name' => 'catalog_product.zip',
+                'mime-type' => 'application/zip',
+                'message' => 'File is valid',
+                'delimiter' => ',',
+            ],
         ];
     }
 }
Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@`
`11`	`11`	`* Class Index`
`12`	`12`	`*`
`13`	`13`	`* @api`
	`14`	`+ * @SuppressWarnings(PHPMD.RequestAwareBlockMethod)`
`14`	`15`	`*/`
`15`	`16`	`class Index extends Template`
`16`	`17`	`{`
`@@ -19,7 +20,7 @@ class Index extends Template`
`19`	`20`	`*/`
`20`	`21`	`private function getParamStore()`
`21`	`22`	`{`
`22`		`- return $this->getRequest()->getParam('store') ?: 'all';`
	`23`	`+ return $this->stripTags($this->getRequest()->getParam('store')) ?: 'all';`
`23`	`24`	`}`
`24`	`25`
`25`	`26`	`/**`