Merge pull request #3382 from magento-tsg/2.1.16-develop-pr60

[TSG] Backporting for 2.1 (pr60) (2.1.16)

Author: Alexander Akimov

.htaccess

@@ -114,15 +114,6 @@ DirectoryIndex index.php
         order allow,deny
         deny from all
     </Files>
-    <Files .user.ini>
-        <IfVersion < 2.4>
-            order allow,deny
-            deny from all
-        </IfVersion>
-        <IfVersion >= 2.4>
-            Require all denied
-        </IfVersion>
-    </Files>
 ErrorDocument 404 /pub/errors/404.php
 ErrorDocument 403 /pub/errors/404.php
 <IfModule mod_headers.c>

.htaccess.sample

@@ -278,15 +278,6 @@ DirectoryIndex index.php
         order allow,deny
         deny from all
     </Files>
-    <Files .user.ini>
-        <IfVersion < 2.4>
-            order allow,deny
-            deny from all
-        </IfVersion>
-        <IfVersion >= 2.4>
-            Require all denied
-        </IfVersion>
-    </Files>
 
 # For 404s and 403s that aren't handled by the application, show plain 404 response
 ErrorDocument 404 /pub/errors/404.php

app/code/Magento/AdminNotification/Block/Grid/Renderer/Actions.php

@@ -10,9 +10,6 @@
 
 namespace Magento\AdminNotification\Block\Grid\Renderer;
 
-/**
- * Renderer class for action in the admin notifications grid
- */
 class Actions extends \Magento\Backend\Block\Widget\Grid\Column\Renderer\AbstractRenderer
 {
     /**
@@ -42,9 +39,9 @@ public function __construct(
      */
     public function render(\Magento\Framework\DataObject $row)
     {
-        $readDetailsHtml = $row->getUrl() ? '<a class="action-details" target="_blank" href="' .
-            $this->escapeUrl($row->getUrl()) . '">' .
-            __('Read Details') . '</a> | ' : '';
+        $readDetailsHtml = $row->getUrl() ? '<a class="action-details" target="_blank" href="' . $row->getUrl() . '">' . __(
+            'Read Details'
+        ) . '</a> | ' : '';
 
         $markAsReadHtml = !$row->getIsRead() ? '<a class="action-mark" href="' . $this->getUrl(
             '*/*/markAsRead/',

app/code/Magento/CatalogImportExport/Model/Import/Uploader.php

@@ -17,6 +17,13 @@
  */
 class Uploader extends \Magento\MediaStorage\Model\File\Uploader
 {
+    /**
+     * HTTP scheme
+     * used to compare against the filename and select the proper DriverPool adapter
+     * @var string
+     */
+    private $httpScheme = 'http://';
+
     /**
      * Temp directory.
      *
@@ -99,7 +106,7 @@ class Uploader extends \Magento\MediaStorage\Model\File\Uploader
      * @param \Magento\MediaStorage\Model\File\Validator\NotProtectedExtension $validator
      * @param \Magento\Framework\Filesystem $filesystem
      * @param \Magento\Framework\Filesystem\File\ReadFactory $readFactory
-     * @param null $filePath
+     * @param string|null $filePath
      * @param \Magento\Framework\App\Filesystem\DirectoryResolver|null $directoryResolver
      * @throws \Magento\Framework\Exception\LocalizedException
      */
@@ -148,23 +155,38 @@ public function init()
      * @param string $fileName
      * @param bool $renameFileOff
      * @return array
+     * @throws \Magento\Framework\Exception\LocalizedException
      */
     public function move($fileName, $renameFileOff = false)
     {
         if ($renameFileOff) {
             $this->setAllowRenameFiles(false);
         }
+
+        if ($this->getTmpDir()) {
+            $filePath = $this->getTmpDir() . '/';
+        } else {
+            $filePath = '';
+        }
+
         if (preg_match('/\bhttps?:\/\//i', $fileName, $matches)) {
             $url = str_replace($matches[0], '', $fileName);
-            $read = $this->_readFactory->create($url, DriverPool::HTTP);
+            $driver = $matches[0] === $this->httpScheme ? DriverPool::HTTP : DriverPool::HTTPS;
+            $read = $this->_readFactory->create($url, $driver);
+
+            $fileExtension = pathinfo($fileName, PATHINFO_EXTENSION);
+            if ($fileExtension && !$this->checkAllowedExtension($fileExtension)) {
+                throw new \Magento\Framework\Exception\LocalizedException(__('Disallowed file type.'));
+            }
+
             $fileName = preg_replace('/[^a-z0-9\._-]+/i', '', $fileName);
             $this->_directory->writeFile(
-                $this->_directory->getRelativePath($this->getTmpDir() . '/' . $fileName),
+                $this->_directory->getRelativePath($filePath . $fileName),
                 $read->readAll()
             );
         }
 
-        $filePath = $this->_directory->getRelativePath($this->getTmpDir() . '/' . $fileName);
+        $filePath = $this->_directory->getRelativePath($filePath . $fileName);
         $this->_setUploadFile($filePath);
         $destDir = $this->_directory->getAbsolutePath($this->getDestDir());
         $result = $this->save($destDir);
@@ -332,7 +354,7 @@ protected function _moveFile($tmpPath, $destPath)
     }
 
     /**
-     * {@inheritdoc}
+     * @inheritdoc
      */
     protected function chmod($file)
     {

app/code/Magento/CatalogImportExport/Test/Unit/Model/Import/UploaderTest.php

@@ -105,17 +105,17 @@ protected function setUp()
                 null,
                 $this->directoryResolver,
             ])
-            ->setMethods(['_setUploadFile', 'save', 'getTmpDir'])
+            ->setMethods(['_setUploadFile', 'save', 'getTmpDir', 'checkAllowedExtension'])
             ->getMock();
     }
 
     /**
      * @dataProvider moveFileUrlDataProvider
      */
-    public function testMoveFileUrl($fileUrl, $expectedHost, $expectedFileName)
+    public function testMoveFileUrl($fileUrl, $expectedHost, $expectedFileName, $checkAllowedExtension)
     {
         $destDir = 'var/dest/dir';
-        $expectedRelativeFilePath = $this->uploader->getTmpDir() . '/' . $expectedFileName;
+        $expectedRelativeFilePath = $expectedFileName;
         $this->directoryMock->expects($this->once())->method('isWritable')->with($destDir)->willReturn(true);
         $this->directoryMock->expects($this->any())->method('getRelativePath')->with($expectedRelativeFilePath);
         $this->directoryMock->expects($this->once())->method('getAbsolutePath')->with($destDir)
@@ -140,6 +140,9 @@ public function testMoveFileUrl($fileUrl, $expectedHost, $expectedFileName)
         $this->uploader->expects($this->once())->method('_setUploadFile')->will($this->returnSelf());
         $this->uploader->expects($this->once())->method('save')->with($destDir . '/' . $expectedFileName)
             ->willReturn(['name' => $expectedFileName, 'path' => 'absPath']);
+        $this->uploader->expects($this->exactly($checkAllowedExtension))
+            ->method('checkAllowedExtension')
+            ->willReturn(true);
 
         $this->uploader->setDestDir($destDir);
         $result = $this->uploader->move($fileUrl);
@@ -151,7 +154,7 @@ public function testMoveFileName()
     {
         $destDir = 'var/dest/dir';
         $fileName = 'test_uploader_file';
-        $expectedRelativeFilePath = $this->uploader->getTmpDir() . '/' . $fileName;
+        $expectedRelativeFilePath = $fileName;
         $this->directoryMock->expects($this->once())->method('isWritable')->with($destDir)->willReturn(true);
         $this->directoryMock->expects($this->any())->method('getRelativePath')->with($expectedRelativeFilePath);
         $this->directoryMock->expects($this->once())->method('getAbsolutePath')->with($destDir)
@@ -176,11 +179,13 @@ public function moveFileUrlDataProvider()
                 '$fileUrl' => 'http://test_uploader_file',
                 '$expectedHost' => 'test_uploader_file',
                 '$expectedFileName' => 'httptest_uploader_file',
+                '$checkAllowedExtension' => 0,
             ],
             [
                 '$fileUrl' => 'https://!:^&`;file',
                 '$expectedHost' => '!:^&`;file',
                 '$expectedFileName' => 'httpsfile',
+                '$checkAllowedExtension' => 0,
             ],
         ];
     }

app/code/Magento/Checkout/view/frontend/web/js/view/form/element/email.js

@@ -34,6 +34,9 @@ define([
             listens: {
                 email: 'emailHasChanged',
                 emailFocused: 'validateEmail'
+            },
+            ignoreTmpls: {
+                email: true
             }
         },
         checkDelay: 2000,

app/code/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/DeleteFiles.php

@@ -82,7 +82,7 @@ public function execute()
                 $filesystem = $this->_objectManager->get(\Magento\Framework\Filesystem::class);
                 $dir = $filesystem->getDirectoryRead(DirectoryList::MEDIA);
                 $filePath = $path . '/' . \Magento\Framework\File\Uploader::getCorrectFileName($file);
-                if ($dir->isFile($dir->getRelativePath($filePath))) {
+                if ($dir->isFile($dir->getRelativePath($filePath)) && !preg_match('/^\\.htaccess$/', $file)) {
                     $this->getStorage()->deleteFile($filePath);
                 }
             }

app/code/Magento/Eav/Model/Attribute/Data/File.php

@@ -119,8 +119,7 @@ public function extractValue(RequestInterface $request)
     }
 
     /**
-     * Validate file by attribute validate rules
-     * Return array of errors
+     * Validate file by attribute validate rules and return array of errors.
      *
      * @param array $value
      * @return string[]
@@ -146,7 +145,7 @@ protected function _validateByRules($value)
             return $this->_fileValidator->getMessages();
         }
 
-        if (!is_uploaded_file($value['tmp_name'])) {
+        if (!empty($value['tmp_name']) && !is_uploaded_file($value['tmp_name'])) {
             return [__('"%1" is not a valid file.', $label)];
         }
 
@@ -173,13 +172,23 @@ public function validateValue($value)
         if ($this->getIsAjaxRequest()) {
             return true;
         }
+        $fileData = $value;
+
+        if (is_string($value) && !empty($value)) {
+            $dir = $this->_directory->getAbsolutePath($this->getAttribute()->getEntityType()->getEntityTypeCode());
+            $fileData = [
+                'size' => filesize($dir . $value),
+                'name' => $value,
+                'tmp_name' => $dir . $value,
+            ];
+        }
 
         $errors = [];
         $attribute = $this->getAttribute();
         $label = $attribute->getStoreLabel();
 
         $toDelete = !empty($value['delete']) ? true : false;
-        $toUpload = !empty($value['tmp_name']) ? true : false;
+        $toUpload = !empty($value['tmp_name']) || is_string($value) && !empty($value) ? true : false;
 
         if (!$toUpload && !$toDelete && $this->getEntity()->getData($attribute->getAttributeCode())) {
             return true;
@@ -194,11 +203,13 @@ public function validateValue($value)
         }
 
         if ($toUpload) {
-            $errors = array_merge($errors, $this->_validateByRules($value));
+            $errors = array_merge($errors, $this->_validateByRules($fileData));
         }
 
         if (count($errors) == 0) {
             return true;
+        } elseif (is_string($value) && !empty($value)) {
+            $this->_directory->delete($dir . $value);
         }
 
         return $errors;

app/code/Magento/Ui/Controller/Adminhtml/Index/Render/Handle.php

@@ -9,33 +9,82 @@
 use Magento\Ui\Component\Control\ActionPool;
 use Magento\Ui\Component\Wrapper\UiComponent;
 use Magento\Ui\Controller\Adminhtml\AbstractAction;
+use Magento\Backend\App\Action\Context;
+use Magento\Framework\View\Element\UiComponent\Config\ManagerInterface;
+use Magento\Framework\View\Element\UiComponentFactory;
+use Magento\Framework\App\ObjectManager;
 
 /**
  * Class Handle
  */
 class Handle extends AbstractAction
 {
+    /**
+     * @var ManagerInterface
+     */
+    private $componentManager;
+
+    /**
+     * @param Context $context
+     * @param UiComponentFactory $factory
+     * @param ManagerInterface|null $componentManager
+     */
+    public function __construct(
+        Context $context,
+        UiComponentFactory $factory,
+        ManagerInterface $componentManager = null
+    ) {
+        parent::__construct($context, $factory);
+        $this->componentManager = $componentManager ?: ObjectManager::getInstance()->get(ManagerInterface::class);
+    }
+
     /**
      * Render UI component by namespace in handle context
      *
      * @return void
      */
     public function execute()
     {
+        $response = '';
         $handle = $this->_request->getParam('handle');
         $namespace = $this->_request->getParam('namespace');
         $buttons = $this->_request->getParam('buttons', false);
-
         $this->_view->loadLayout(['default', $handle], true, true, false);
+        $layout = $this->_view->getLayout();
+        $config = $this->componentManager->getData($namespace);
 
-        $uiComponent = $this->_view->getLayout()->getBlock($namespace);
-        $response = $uiComponent instanceof UiComponent ? $uiComponent->toHtml() : '';
+        if ($this->validateAclResource($config[$namespace])) {
+            $uiComponent = $layout->getBlock($namespace);
+            $response = $uiComponent instanceof UiComponent ? $uiComponent->toHtml() : '';
+        }
 
         if ($buttons) {
-            $actionsToolbar = $this->_view->getLayout()->getBlock(ActionPool::ACTIONS_PAGE_TOOLBAR);
+            $actionsToolbar = $layout->getBlock(ActionPool::ACTIONS_PAGE_TOOLBAR);
             $response .= $actionsToolbar instanceof Template ? $actionsToolbar->toHtml() : '';
         }
 
         $this->_response->appendBody($response);
     }
+
+    /**
+     * Optionally validate ACL resource of components.
+     *
+     * @param mixed $dataProviderConfigData
+     * @return bool
+     */
+    private function validateAclResource($dataProviderConfigData)
+    {
+        $aclResource = isset($dataProviderConfigData['arguments']['data']['acl'])
+            ? $dataProviderConfigData['arguments']['data']['acl']
+            : false;
+        if ($aclResource !== false && !$this->_authorization->isAllowed($aclResource)) {
+            if (!$this->_request->isAjax()) {
+                $this->_redirect('admin/denied');
+            }
+
+            return false;
+        }
+
+        return true;
+    }
 }