Merge pull request #6432 from magento-engcom/fix-file-extension-bug

Added method to handle file extension for validating files being uploaded.

Author: gabrieldagama

app/code/Magento/Customer/Model/Metadata/Form/File.php

@@ -182,7 +182,7 @@ protected function _validateByRules($value)
     {
         $label = $value['name'];
         $rules = $this->getAttribute()->getValidationRules();
-        $extension = $this->fileProcessor->getStat($value['name'])['extension'];
+        $extension = $this->getFileExtension($value['name']);
         $fileExtensions = ArrayObjectSearch::getArrayElementByName(
             $rules,
             'file_extensions'
@@ -220,6 +220,17 @@ protected function _validateByRules($value)
         return [];
     }
 
+    /**
+     * Get file extension from the file if it exists, otherwise, get from filename.
+     *
+     * @param string $fileName
+     * @return string
+     */
+    private function getFileExtension(string $fileName): string
+    {
+        return pathinfo($fileName, PATHINFO_EXTENSION);
+    }
+
     /**
      * Helper function that checks if the file was uploaded.
      *

lib/internal/Magento/Framework/File/Uploader.php

@@ -716,31 +716,31 @@ private function validateFileId(array $fileId): void
         if (isset($fileId['tmp_name'])) {
             $tmpName = trim($fileId['tmp_name']);
 
-            $allowedFolders = [
-                sys_get_temp_dir(),
-                $this->directoryList->getPath(DirectoryList::MEDIA),
-                $this->directoryList->getPath(DirectoryList::VAR_DIR),
-                $this->directoryList->getPath(DirectoryList::TMP),
-                $this->directoryList->getPath(DirectoryList::UPLOAD),
-            ];
-
-            $disallowedFolders = [
-                $this->directoryList->getPath(DirectoryList::LOG),
-            ];
-
-            foreach ($allowedFolders as $allowedFolder) {
-                $dir = $this->filesystem->getDirectoryReadByPath($allowedFolder);
-                if ($dir->isExist($tmpName)) {
-                    $isValid = true;
-                    break;
+            if (preg_match('/\.\.(\\\|\/)/', $tmpName) !== 1) {
+                $allowedFolders = [
+                    sys_get_temp_dir(),
+                    $this->directoryList->getPath(DirectoryList::MEDIA),
+                    $this->directoryList->getPath(DirectoryList::VAR_DIR),
+                    $this->directoryList->getPath(DirectoryList::TMP),
+                    $this->directoryList->getPath(DirectoryList::UPLOAD),
+                ];
+
+                $disallowedFolders = [
+                    $this->directoryList->getPath(DirectoryList::LOG),
+                ];
+
+                foreach ($allowedFolders as $allowedFolder) {
+                    if (stripos($tmpName, $allowedFolder) === 0) {
+                        $isValid = true;
+                        break;
+                    }
                 }
-            }
 
-            foreach ($disallowedFolders as $disallowedFolder) {
-                $dir = $this->filesystem->getDirectoryReadByPath($disallowedFolder);
-                if ($dir->isExist($tmpName)) {
-                    $isValid = false;
-                    break;
+                foreach ($disallowedFolders as $disallowedFolder) {
+                    if (stripos($tmpName, $disallowedFolder) === 0) {
+                        $isValid = false;
+                        break;
+                    }
                 }
             }
         }