Merge pull request #7326 from magento-cia/AC-479

dvoskoboinikov · web-flow · commit fb6123096a03 · 2021-12-15T12:38:49.000-06:00
Bugfixes
diff --git a/app/code/Magento/Store/etc/config.xml b/app/code/Magento/Store/etc/config.xml
@@ -133,6 +133,7 @@
                     <shtml>shtml</shtml>
                     <phpt>phpt</phpt>
                     <pht>pht</pht>
+                    <phar>phar</phar>
                     <svg>svg</svg>
                     <xml>xml</xml>
                     <xhtml>xhtml</xhtml>
diff --git a/lib/internal/Magento/Framework/File/Test/Unit/UploaderTest.php b/lib/internal/Magento/Framework/File/Test/Unit/UploaderTest.php
@@ -9,12 +9,55 @@
 
 use Magento\Framework\File\Uploader;
 use PHPUnit\Framework\TestCase;
+use PHPUnit\Framework\MockObject\MockObject;
+use Magento\Framework\App\Filesystem\DirectoryList;
+use Magento\Framework\Filesystem;
+use Magento\Framework\Filesystem\Directory\TargetDirectory;
+use Magento\Framework\Filesystem\DriverPool;
 
 /**
  * Unit Test class for \Magento\Framework\File\Uploader
  */
 class UploaderTest extends TestCase
 {
+    /**
+     * @var Uploader
+     */
+    private $uploader;
+
+    /**
+     * Allowed extensions array
+     *
+     * @var array
+     */
+    private $_allowedMimeTypes = [
+        'php' => 'text/plain',
+        'txt' => 'text/plain'
+    ];
+
+    protected function setUp(): void
+    {
+        $class = new \ReflectionObject($this);
+        $fileName = $class->getFilename();
+        $fileType = 'php';
+        $this->setupFiles(1230123, $fileName, $fileType);
+
+        $driverPool  =  $this->createMock(DriverPool::class);
+        $directoryList = $this->createMock(DirectoryList::class);
+        $filesystem    = $this->createMock(Filesystem::class);
+        $targetDirectory = $this->createMock(TargetDirectory::class);
+
+        $this->uploader = new Uploader(
+            "fileId",
+            null,
+            $directoryList,
+            $driverPool,
+            $targetDirectory,
+            $filesystem
+        );
+        $this->uploader->setAllowedExtensions(array_keys($this->_allowedMimeTypes));
+    }
+
     /**
      * @param string $fileName
      * @param string|bool $expectedCorrectedFileName
@@ -67,4 +110,76 @@ public function getCorrectFileNameProvider()
             ]
         ];
     }
+
+    /**
+     * @param string $extension
+     * @param bool $isValid
+     *
+     * @dataProvider checkAllowedExtensionProvider
+     */
+    public function testCheckAllowedExtension(bool $isValid, string $extension)
+    {
+        $this->assertEquals(
+            $isValid,
+            $this->uploader->checkAllowedExtension($extension)
+        );
+    }
+
+    /**
+     * @return array
+     */
+    public function checkAllowedExtensionProvider(): array
+    {
+        return [
+            [
+                true,
+                'txt'
+            ],
+            [
+                false,
+                'png'
+            ],
+            [
+                false,
+                '$#@$#@$3'
+            ],
+            [
+                false,
+                '4324324324txt'
+            ],
+            [
+                false,
+                '$#$#$jpeg..$#2$#@$#@$'
+            ],
+            [
+                false,
+                '../../txt'
+            ],
+            [
+                true,
+                'php'
+            ]
+        ];
+    }
+
+    /**
+     * Setup global variable $_FILES.
+     *
+     * @param int $fileSize
+     * @param string $fileName
+     * @param string $fileType
+     * @return void
+     */
+    private function setupFiles($fileSize, $fileName, $fileType)
+    {
+        $_FILES = [
+            'fileId' => [
+                'name' => $fileName,
+                'type' => $fileType,
+                'tmp_name' => $fileName,
+                'error' => 0,
+                'size' => $fileSize,
+            ]
+        ];
+    }
 }
diff --git a/lib/internal/Magento/Framework/File/Uploader.php b/lib/internal/Magento/Framework/File/Uploader.php
@@ -24,6 +24,7 @@
  *
  * @SuppressWarnings(PHPMD.TooManyFields)
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
+ * @SuppressWarnings(PHPMD.ExcessiveClassComplexity)
  *
  * @api
  * @since 100.0.2
@@ -148,28 +149,28 @@ class Uploader
     /**#@+
      * File upload type (multiple or single)
      */
-    const SINGLE_STYLE = 0;
+    public const SINGLE_STYLE = 0;
 
-    const MULTIPLE_STYLE = 1;
+    public const MULTIPLE_STYLE = 1;
 
     /**#@-*/
 
     /**
      * Temp file name empty code
      */
-    const TMP_NAME_EMPTY = 666;
+    public const TMP_NAME_EMPTY = 666;
 
     /**
      * Maximum Image Width resolution in pixels. For image resizing on client side
      * @deprecated @see \Magento\Framework\Image\Adapter\UploadConfigInterface::getMaxWidth()
      */
-    const MAX_IMAGE_WIDTH = 1920;
+    public const MAX_IMAGE_WIDTH = 1920;
 
     /**
      * Maximum Image Height resolution in pixels. For image resizing on client side
      * @deprecated @see \Magento\Framework\Image\Adapter\UploadConfigInterface::getMaxHeight()
      */
-    const MAX_IMAGE_HEIGHT = 1200;
+    public const MAX_IMAGE_HEIGHT = 1200;
 
     /**
      * Resulting of uploaded file
@@ -640,6 +641,11 @@ public function setAllowedExtensions($extensions = [])
      */
     public function checkAllowedExtension($extension)
     {
+        //File extensions should only be allowed to contain alphanumeric characters
+        if (preg_match('/[^a-z0-9]/i', $extension)) {
+            return false;
+        }
+
         if (!is_array($this->_allowedExtensions) || empty($this->_allowedExtensions)) {
             return true;
         }
