MAGETWO-70971: Remote code execution via downloadable products

Author: svitja

app/code/Magento/Store/etc/config.xml

@@ -115,6 +115,10 @@
             <file>
                 <protected_extensions>
                     <php>php</php>
+                    <php3>php3</php3>
+                    <php4>php4</php4>
+                    <php5>php5</php5>
+                    <php7>php7</php7>
                     <htaccess>htaccess</htaccess>
                     <jsp>jsp</jsp>
                     <pl>pl</pl>

dev/tests/integration/testsuite/Magento/Downloadable/Controller/Adminhtml/Downloadable/FileTest.php

@@ -1,6 +1,9 @@
 <?php
 namespace Magento\Downloadable\Controller\Adminhtml\Downloadable;
 
+use Magento\Framework\Serialize\Serializer\Json;
+use Magento\TestFramework\Helper\Bootstrap;
+
 /**
  * Magento\Downloadable\Controller\Adminhtml\Downloadable\File
  *
@@ -10,6 +13,17 @@
  */
 class FileTest extends \Magento\TestFramework\TestCase\AbstractBackendController
 {
+    /**
+     * @inheritdoc
+     */
+    protected function tearDown()
+    {
+        $filePath = dirname(__DIR__) . '/_files/sample.tmp';
+        if (is_file($filePath)) {
+            unlink($filePath);
+        }
+    }
+
     public function testUploadAction()
     {
         copy(dirname(__DIR__) . '/_files/sample.txt', dirname(__DIR__) . '/_files/sample.tmp');
@@ -25,11 +39,52 @@ public function testUploadAction()
 
         $this->dispatch('backend/admin/downloadable_file/upload/type/samples');
         $body = $this->getResponse()->getBody();
-        $result = \Magento\TestFramework\Helper\Bootstrap::getObjectManager()->get(
-            \Magento\Framework\Json\Helper\Data::class
-        )->jsonDecode(
-            $body
-        );
+        $result = Bootstrap::getObjectManager()->get(Json::class)->unserialize($body);
         $this->assertEquals(0, $result['error']);
     }
+
+    /**
+     * Checks a case when php files are not allowed to upload.
+     *
+     * @param string $fileName
+     * @dataProvider extensionsDataProvider
+     */
+    public function testUploadProhibitedExtensions($fileName)
+    {
+        $path = dirname(__DIR__) . '/_files/';
+        copy($path . 'sample.txt', $path . 'sample.tmp');
+
+        $_FILES = [
+            'samples' => [
+                'name' => $fileName,
+                'type' => 'text/plain',
+                'tmp_name' => $path . 'sample.tmp',
+                'error' => 0,
+                'size' => 0,
+            ],
+        ];
+
+        $this->dispatch('backend/admin/downloadable_file/upload/type/samples');
+        $body = $this->getResponse()->getBody();
+        $result = Bootstrap::getObjectManager()->get(Json::class)->unserialize($body);
+
+        self::assertEquals(0, $result['errorcode']);
+        self::assertEquals('Disallowed file type.', $result['error']);
+    }
+
+    /**
+     * Returns different php file extensions.
+     *
+     * @return array
+     */
+    public function extensionsDataProvider()
+    {
+        return [
+            ['sample.php'],
+            ['sample.php3'],
+            ['sample.php4'],
+            ['sample.php5'],
+            ['sample.php7'],
+        ];
+    }
 }