MAGETWO-95551: Adding restriction for controller

ameysar · ameysar · commit ed27a7a6054c · 2018-10-24T12:07:36.000+03:00
diff --git a/app/code/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/DeleteFiles.php b/app/code/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/DeleteFiles.php
@@ -79,7 +79,7 @@ public function execute()
                 $filesystem = $this->_objectManager->get(\Magento\Framework\Filesystem::class);
                 $dir = $filesystem->getDirectoryRead(DirectoryList::MEDIA);
                 $filePath = $path . '/' . \Magento\Framework\File\Uploader::getCorrectFileName($file);
-                if ($dir->isFile($dir->getRelativePath($filePath))) {
+                if ($dir->isFile($dir->getRelativePath($filePath)) && !preg_match('#^\.htaccess$#', $file)) {
                     $this->getStorage()->deleteFile($filePath);
                 }
             }
diff --git a/dev/tests/integration/testsuite/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/DeleteFilesTest.php b/dev/tests/integration/testsuite/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/DeleteFilesTest.php
@@ -43,6 +43,11 @@ class DeleteFilesTest extends \PHPUnit\Framework\TestCase
      */
     private $objectManager;
 
+    /**
+     * @var string
+     */
+    private $fullDirectoryPath;
+
     /**
      * @inheritdoc
      */
@@ -54,6 +59,11 @@ protected function setUp()
         $this->imagesHelper = $this->objectManager->get(\Magento\Cms\Helper\Wysiwyg\Images::class);
         $this->mediaDirectory = $this->filesystem->getDirectoryWrite(DirectoryList::MEDIA);
         $this->model = $this->objectManager->get(\Magento\Cms\Controller\Adminhtml\Wysiwyg\Images\DeleteFiles::class);
+        $this->fullDirectoryPath = $this->imagesHelper->getStorageRoot() . '/directory1';
+        $path = $this->fullDirectoryPath . '/.htaccess';
+        if (!$this->mediaDirectory->isFile($path)) {
+            $this->mediaDirectory->writeFile($path, "Order deny,allow\nDeny from all");
+        }
     }
 
     /**
@@ -106,6 +116,26 @@ public function testExecuteWithLinkedMedia()
         $this->assertFalse(is_file($fullDirectoryPath . DIRECTORY_SEPARATOR . $this->fileName));
     }
 
+    /**
+     * Check that htaccess file couldn't be removed via
+     * \Magento\Cms\Controller\Adminhtml\Wysiwyg\Images\DeleteFiles::execute method
+     *
+     * @return void
+     */
+    public function testDeleteHtaccess()
+    {
+        $this->model->getRequest()->setMethod('POST')
+            ->setPostValue('files', [$this->imagesHelper->idEncode('.htaccess')]);
+        $this->model->getStorage()->getSession()->setCurrentPath($this->fullDirectoryPath);
+        $this->model->execute();
+
+        $this->assertTrue(
+            $this->mediaDirectory->isExist(
+                $this->mediaDirectory->getRelativePath($this->fullDirectoryPath . '/' . '.htaccess')
+            )
+        );
+    }
+
     /**
      * @inheritdoc
      */

Original file line number	Diff line number	Diff line change
`@@ -79,7 +79,7 @@ public function execute()`
`79`	`79`	`$filesystem = $this->_objectManager->get(\Magento\Framework\Filesystem::class);`
`80`	`80`	`$dir = $filesystem->getDirectoryRead(DirectoryList::MEDIA);`
`81`	`81`	`$filePath = $path . '/' . \Magento\Framework\File\Uploader::getCorrectFileName($file);`
`82`		`- if ($dir->isFile($dir->getRelativePath($filePath))) {`
	`82`	`+ if ($dir->isFile($dir->getRelativePath($filePath)) && !preg_match('#^\.htaccess$#', $file)) {`
`83`	`83`	`$this->getStorage()->deleteFile($filePath);`
`84`	`84`	`}`
`85`	`85`	`}`