magento
diff --git a/‎app/code/Magento/Cms/Helper/Wysiwyg/Images.php
Lines changed: 17 additions & 7 deletions b/‎app/code/Magento/Cms/Helper/Wysiwyg/Images.php
Lines changed: 17 additions & 7 deletions
diff --git a/‎app/code/Magento/Cms/Model/Wysiwyg/Images/Storage.php
Lines changed: 47 additions & 7 deletions b/‎app/code/Magento/Cms/Model/Wysiwyg/Images/Storage.php
Lines changed: 47 additions & 7 deletions
diff --git a/‎app/code/Magento/Cms/Test/Unit/Helper/Wysiwyg/ImagesTest.php
Lines changed: 24 additions & 19 deletions b/‎app/code/Magento/Cms/Test/Unit/Helper/Wysiwyg/ImagesTest.php
Lines changed: 24 additions & 19 deletions
diff --git a/‎app/code/Magento/Cms/Test/Unit/Model/Wysiwyg/Images/StorageTest.php
Lines changed: 8 additions & 3 deletions b/‎app/code/Magento/Cms/Test/Unit/Model/Wysiwyg/Images/StorageTest.php
Lines changed: 8 additions & 3 deletions
diff --git a/‎app/code/Magento/Cms/etc/di.xml
Lines changed: 35 additions & 2 deletions b/‎app/code/Magento/Cms/etc/di.xml
Lines changed: 35 additions & 2 deletions
@@ -27,11 +27,11 @@ class Images extends \Magento\Framework\App\Helper\AbstractHelper
     protected $_currentUrl;
 
     /**
-     * Currenty selected store ID if applicable
+     * Currently selected store ID if applicable
      *
      * @var int
      */
-    protected $_storeId = null;
+    protected $_storeId;
 
     /**
      * @var \Magento\Framework\Filesystem\Directory\Write
@@ -71,7 +71,7 @@ public function __construct(
         $this->_storeManager = $storeManager;
 
         $this->_directory = $filesystem->getDirectoryWrite(DirectoryList::MEDIA);
-        $this->_directory->create(\Magento\Cms\Model\Wysiwyg\Config::IMAGE_DIRECTORY);
+        $this->_directory->create($this->getStorageRoot());
     }
 
     /**
@@ -93,7 +93,17 @@ public function setStoreId($store)
      */
     public function getStorageRoot()
     {
-        return $this->_directory->getAbsolutePath(\Magento\Cms\Model\Wysiwyg\Config::IMAGE_DIRECTORY);
+        return $this->_directory->getAbsolutePath($this->getStorageRootSubpath());
+    }
+
+    /**
+     * Get image storage root subpath.  User is unable to traverse outside of this subpath in media gallery
+     *
+     * @return string
+     */
+    public function getStorageRootSubpath()
+    {
+        return '';
     }
 
     /**
@@ -141,7 +151,7 @@ public function convertIdToPath($id)
             return $this->getStorageRoot();
         } else {
             $path = $this->getStorageRoot() . $this->idDecode($id);
-            if (strpos($path, DIRECTORY_SEPARATOR . '..' . DIRECTORY_SEPARATOR) !== false) {
+            if (preg_match('/\.\.(\\\|\/)/', $path)) {
                 throw new \InvalidArgumentException('Path is invalid');
             }
 
@@ -208,7 +218,7 @@ public function getImageHtmlDeclaration($filename, $renderAsTag = false)
     public function getCurrentPath()
     {
         if (!$this->_currentPath) {
-            $currentPath = $this->_directory->getAbsolutePath() . \Magento\Cms\Model\Wysiwyg\Config::IMAGE_DIRECTORY;
+            $currentPath = $this->getStorageRoot();
             $path = $this->_getRequest()->getParam($this->getTreeNodeName());
             if ($path) {
                 $path = $this->convertIdToPath($path);
@@ -244,7 +254,7 @@ public function getCurrentUrl()
             )->getBaseUrl(
                 \Magento\Framework\UrlInterface::URL_TYPE_MEDIA
             );
-            $this->_currentUrl = $mediaUrl . $this->_directory->getRelativePath($path) . '/';
+            $this->_currentUrl = rtrim($mediaUrl . $this->_directory->getRelativePath($path), '/') . '/';
         }
         return $this->_currentUrl;
     }
 
@@ -238,10 +238,12 @@ protected function getConditionsForExcludeDirs()
     protected function removeItemFromCollection($collection, $conditions)
     {
         $regExp = $conditions['reg_exp'] ? '~' . implode('|', array_keys($conditions['reg_exp'])) . '~i' : null;
-        $storageRootLength = strlen($this->_cmsWysiwygImages->getStorageRoot());
+        $storageRoot = $this->_cmsWysiwygImages->getStorageRoot();
+        $storageRootLength = strlen($storageRoot);
 
         foreach ($collection as $key => $value) {
-            $rootChildParts = explode('/', substr($value->getFilename(), $storageRootLength));
+            $mediaSubPathname = substr($value->getFilename(), $storageRootLength);
+            $rootChildParts = explode('/', '/' . ltrim($mediaSubPathname, '/'));
 
             if (array_key_exists($rootChildParts[1], $conditions['plain'])
                 || ($regExp && preg_match($regExp, $value->getFilename()))) {
@@ -316,6 +318,8 @@ public function getFilesCollection($path, $type = null)
             $item->setName($item->getBasename());
             $item->setShortName($this->_cmsWysiwygImages->getShortFilename($item->getBasename()));
             $item->setUrl($this->_cmsWysiwygImages->getCurrentUrl() . $item->getBasename());
+            $item->setSize(filesize($item->getFilename()));
+            $item->setMimeType(\mime_content_type($item->getFilename()));
 
             if ($this->isImage($item->getBasename())) {
                 $thumbUrl = $this->getThumbnailUrl($item->getFilename(), true);
@@ -407,7 +411,7 @@ public function createDirectory($name, $path)
     /**
      * Recursively delete directory from storage
      *
-     * @param string $path Target dir
+     * @param string $path Absolute path to target directory
      * @return void
      * @throws \Magento\Framework\Exception\LocalizedException
      */
@@ -416,12 +420,19 @@ public function deleteDirectory($path)
         if ($this->_coreFileStorageDb->checkDbUsage()) {
             $this->_directoryDatabaseFactory->create()->deleteDirectory($path);
         }
+        if (!$this->isPathAllowed($path, $this->getConditionsForExcludeDirs())) {
+            throw new \Magento\Framework\Exception\LocalizedException(
+                __('We cannot delete directory %1.', $this->_getRelativePathToRoot($path))
+            );
+        }
         try {
             $this->_deleteByPath($path);
             $path = $this->getThumbnailRoot() . $this->_getRelativePathToRoot($path);
             $this->_deleteByPath($path);
         } catch (\Magento\Framework\Exception\FileSystemException $e) {
-            throw new \Magento\Framework\Exception\LocalizedException(__('We cannot delete directory %1.', $path));
+            throw new \Magento\Framework\Exception\LocalizedException(
+                __('We cannot delete directory %1.', $this->_getRelativePathToRoot($path))
+            );
         }
     }
 
@@ -468,14 +479,18 @@ public function deleteFile($target)
     /**
      * Upload and resize new file.
      *
-     * @param string $targetPath Target directory
+     * @param string $targetPath Absolute path to target directory
      * @param string $type Type of storage, e.g. image, media etc.
      * @return array File info Array
      * @throws \Magento\Framework\Exception\LocalizedException
-     * @throws \Exception
      */
     public function uploadFile($targetPath, $type = null)
     {
+        if (!$this->isPathAllowed($targetPath, $this->getConditionsForExcludeDirs())) {
+            throw new \Magento\Framework\Exception\LocalizedException(
+                __('We can\'t upload the file to current folder right now. Please try another folder.')
+            );
+        }
         /** @var \Magento\MediaStorage\Model\File\Uploader $uploader */
         $uploader = $this->_uploaderFactory->create(['fileId' => 'image']);
         $allowed = $this->getAllowedExtensions($type);
@@ -725,7 +740,7 @@ protected function _validatePath($path)
      */
     protected function _sanitizePath($path)
     {
-        return rtrim(preg_replace('~[/\\\]+~', '/', $this->_directory->getDriver()->getRealPath($path)), '/');
+        return rtrim(preg_replace('~[/\\\]+~', '/', $this->_directory->getDriver()->getRealPathSafety($path)), '/');
     }
 
     /**
@@ -771,4 +786,29 @@ private function getExtensionsList($type = null)
 
         return $allowed;
     }
+
+    /**
+     * Check if path is not in excluded dirs.
+     *
+     * @param string $path Absolute path
+     * @param array $conditions Exclude conditions
+     * @return bool
+     */
+    private function isPathAllowed($path, $conditions)
+    {
+        $isAllowed = true;
+        $regExp = $conditions['reg_exp'] ? '~' . implode('|', array_keys($conditions['reg_exp'])) . '~i' : null;
+        $storageRoot = $this->_cmsWysiwygImages->getStorageRoot();
+        $storageRootLength = strlen($storageRoot);
+
+        $mediaSubPathname = substr($path, $storageRootLength);
+        $rootChildParts = explode('/', '/' . ltrim($mediaSubPathname, '/'));
+
+        if (array_key_exists($rootChildParts[1], $conditions['plain'])
+            || ($regExp && preg_match($regExp, $path))) {
+            $isAllowed = false;
+        }
+
+        return $isAllowed;
+    }
 }
@@ -74,7 +74,7 @@ class ImagesTest extends \PHPUnit_Framework_TestCase
 
     protected function setUp()
     {
-        $this->path = 'PATH/';
+        $this->path = 'PATH';
         $this->objectManager = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
 
         $this->eventManagerMock = $this->getMock(\Magento\Framework\Event\ManagerInterface::class, [], [], '', false);
@@ -108,7 +108,8 @@ protected function setUp()
             ->willReturnMap(
                 [
                     [WysiwygConfig::IMAGE_DIRECTORY, null, $this->getAbsolutePath(WysiwygConfig::IMAGE_DIRECTORY)],
-                    [null, null, $this->getAbsolutePath(null)]
+                    [null, null, $this->getAbsolutePath(null)],
+                    ['', null, $this->getAbsolutePath('')],
                 ]
             );
 
@@ -173,7 +174,7 @@ public function testSetStoreId()
     public function testGetStorageRoot()
     {
         $this->assertEquals(
-            $this->getAbsolutePath(WysiwygConfig::IMAGE_DIRECTORY),
+            $this->getAbsolutePath(''),
             $this->imagesHelper->getStorageRoot()
         );
     }
@@ -197,7 +198,7 @@ public function testGetTreeNodeName()
     public function testConvertPathToId()
     {
         $pathOne = '/test_path';
-        $pathTwo = $this->getAbsolutePath(WysiwygConfig::IMAGE_DIRECTORY) . '/test_path';
+        $pathTwo = $this->getAbsolutePath('') . '/test_path';
         $this->assertEquals(
             $this->imagesHelper->convertPathToId($pathOne),
             $this->imagesHelper->convertPathToId($pathTwo)
@@ -334,26 +335,30 @@ public function providerIsUsingStaticUrlsAllowed()
      */
     public function testGetCurrentPath($pathId, $expectedPath, $isExist)
     {
-        $this->requestMock->expects($this->once())
+        $this->requestMock->expects($this->any())
             ->method('getParam')
-            ->willReturn($pathId);
+            ->willReturnMap(
+                [
+                    ['node', null, $pathId],
+                ]
+            );
 
         $this->directoryWriteMock->expects($this->any())
             ->method('isDirectory')
             ->willReturnMap(
                 [
-                    ['/../wysiwyg/test_path', true],
-                    ['/../wysiwyg/my.jpg', false],
-                    ['/../wysiwyg', true]
+                    ['/../test_path', true],
+                    ['/../my.jpg', false],
+                    ['.', true],
                 ]
             );
         $this->directoryWriteMock->expects($this->any())
             ->method('getRelativePath')
             ->willReturnMap(
                 [
-                    ['PATH/wysiwyg/test_path', '/../wysiwyg/test_path'],
-                    ['PATH/wysiwyg/my.jpg', '/../wysiwyg/my.jpg'],
-                    ['PATH/wysiwyg', '/../wysiwyg'],
+                    ['PATH/test_path', '/../test_path'],
+                    ['PATH/my.jpg', '/../my.jpg'],
+                    ['PATH', '.'],
                 ]
             );
         $this->directoryWriteMock->expects($this->once())
@@ -370,7 +375,7 @@ public function testGetCurrentPathThrowException()
     {
         $this->setExpectedException(
             \Magento\Framework\Exception\LocalizedException::class,
-            'The directory PATH/wysiwyg is not writable by server.'
+            'The directory PATH is not writable by server.'
         );
 
         $this->directoryWriteMock->expects($this->once())
@@ -393,12 +398,12 @@ public function testGetCurrentPathThrowException()
     public function providerGetCurrentPath()
     {
         return [
-            ['L3Rlc3RfcGF0aA--', 'PATH/wysiwyg/test_path', true],
-            ['L215LmpwZw--', 'PATH/wysiwyg', true],
-            [null, 'PATH/wysiwyg', true],
-            ['L3Rlc3RfcGF0aA--', 'PATH/wysiwyg/test_path', false],
-            ['L215LmpwZw--', 'PATH/wysiwyg', false],
-            [null, 'PATH/wysiwyg', false]
+            ['L3Rlc3RfcGF0aA--', 'PATH/test_path', true],
+            ['L215LmpwZw--', 'PATH', true],
+            [null, 'PATH', true],
+            ['L3Rlc3RfcGF0aA--', 'PATH/test_path', false],
+            ['L215LmpwZw--', 'PATH', false],
+            [null, 'PATH', false],
         ];
     }
 
 
@@ -133,7 +133,9 @@ protected function setUp()
             true,
             ['getRealPath']
         );
-        $this->driverMock->expects($this->any())->method('getRealPath')->willReturnArgument(0);
+        $this->driverMock = $this->getMockBuilder(\Magento\Framework\Filesystem\DriverInterface::class)
+            ->setMethods(['getRealPathSafety'])
+            ->getMockForAbstractClass();
 
         $this->directoryMock = $this->getMock(
             \Magento\Framework\Filesystem\Directory\Write::class,
@@ -283,6 +285,7 @@ public function testDeleteDirectoryOverRoot()
             \Magento\Framework\Exception\LocalizedException::class,
             sprintf('Directory %s is not under storage root path.', self::INVALID_DIRECTORY_OVER_ROOT)
         );
+        $this->driverMock->expects($this->atLeastOnce())->method('getRealPathSafety')->will($this->returnArgument(0));
         $this->imagesStorage->deleteDirectory(self::INVALID_DIRECTORY_OVER_ROOT);
     }
 
@@ -295,6 +298,7 @@ public function testDeleteRootDirectory()
             \Magento\Framework\Exception\LocalizedException::class,
             sprintf('We can\'t delete root directory %s right now.', self::STORAGE_ROOT_DIR)
         );
+        $this->driverMock->expects($this->atLeastOnce())->method('getRealPathSafety')->will($this->returnArgument(0));
         $this->imagesStorage->deleteDirectory(self::STORAGE_ROOT_DIR);
     }
 
@@ -464,10 +468,11 @@ protected function generalTestGetDirsCollection($path, array $collectionArray =
      */
     public function testUploadFile()
     {
-        $targetPath = '/target/path';
+        $path = 'target/path';
+        $targetPath = self::STORAGE_ROOT_DIR . $path;
         $fileName = 'image.gif';
         $realPath = $targetPath . '/' . $fileName;
-        $thumbnailTargetPath = self::STORAGE_ROOT_DIR . '/.thumbs';
+        $thumbnailTargetPath = self::STORAGE_ROOT_DIR . '/.thumbs' . $path;
         $thumbnailDestination = $thumbnailTargetPath . '/' . $fileName;
         $type = 'image';
         $result = [
 
@@ -50,8 +50,41 @@
                 </item>
             </argument>
             <argument name="dirs" xsi:type="array">
-                <item name="exclude" xsi:type="string"/>
-                <item name="include" xsi:type="string"/>
+                <item name="exclude" xsi:type="array">
+                    <item name="captcha" xsi:type="array">
+                        <item name="regexp" xsi:type="boolean">true</item>
+                        <item name="name" xsi:type="string">pub[/\\]+media[/\\]+captcha[/\\]*$</item>
+                    </item>
+                    <item name="catalog/product" xsi:type="array">
+                        <item name="regexp" xsi:type="boolean">true</item>
+                        <item name="name" xsi:type="string">pub[/\\]+media[/\\]+catalog[/\\]+product[/\\]*$</item>
+                    </item>
+                    <item name="customer" xsi:type="array">
+                        <item name="regexp" xsi:type="boolean">true</item>
+                        <item name="name" xsi:type="string">pub[/\\]+media[/\\]+customer[/\\]*$</item>
+                    </item>
+                    <item name="downloadable" xsi:type="array">
+                        <item name="regexp" xsi:type="boolean">true</item>
+                        <item name="name" xsi:type="string">pub[/\\]+media[/\\]+downloadable[/\\]*$</item>
+                    </item>
+                    <item name="import" xsi:type="array">
+                        <item name="regexp" xsi:type="boolean">true</item>
+                        <item name="name" xsi:type="string">pub[/\\]+media[/\\]+import[/\\]*$</item>
+                    </item>
+                    <item name="theme" xsi:type="array">
+                        <item name="regexp" xsi:type="boolean">true</item>
+                        <item name="name" xsi:type="string">pub[/\\]+media[/\\]+theme[/\\]*$</item>
+                    </item>
+                    <item name="theme_customization" xsi:type="array">
+                        <item name="regexp" xsi:type="boolean">true</item>
+                        <item name="name" xsi:type="string">pub[/\\]+media[/\\]+theme_customization[/\\]*$</item>
+                    </item>
+                    <item name="tmp" xsi:type="array">
+                        <item name="regexp" xsi:type="boolean">true</item>
+                        <item name="name" xsi:type="string">pub[/\\]+media[/\\]+tmp[/\\]*$</item>
+                    </item>
+                </item>
+                <item name="include" xsi:type="array"/>
             </argument>
         </arguments>
     </type>