magento-engcom
diff --git a/‎app/code/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/DeleteFiles.php
Lines changed: 24 additions & 3 deletions b/‎app/code/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/DeleteFiles.php
Lines changed: 24 additions & 3 deletions
diff --git a/‎app/code/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/DeleteFolder.php
Lines changed: 25 additions & 3 deletions b/‎app/code/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/DeleteFolder.php
Lines changed: 25 additions & 3 deletions
diff --git a/‎app/code/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/NewFolder.php
Lines changed: 24 additions & 3 deletions b/‎app/code/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/NewFolder.php
Lines changed: 24 additions & 3 deletions
diff --git a/‎app/code/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/Upload.php
Lines changed: 26 additions & 5 deletions b/‎app/code/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/Upload.php
Lines changed: 26 additions & 5 deletions
diff --git a/‎app/code/Magento/Cms/Helper/Wysiwyg/Images.php
Lines changed: 11 additions & 3 deletions b/‎app/code/Magento/Cms/Helper/Wysiwyg/Images.php
Lines changed: 11 additions & 3 deletions
@@ -7,6 +7,9 @@
 
 use Magento\Framework\App\Filesystem\DirectoryList;
 
+/**
+ * Delete image files.
+ */
 class DeleteFiles extends \Magento\Cms\Controller\Adminhtml\Wysiwyg\Images
 {
     /**
@@ -19,29 +22,40 @@ class DeleteFiles extends \Magento\Cms\Controller\Adminhtml\Wysiwyg\Images
      */
     protected $resultRawFactory;
 
+    /**
+     * @var \Magento\Framework\App\Filesystem\DirectoryResolver
+     */
+    private $directoryResolver;
+
     /**
      * Constructor
      *
      * @param \Magento\Backend\App\Action\Context $context
      * @param \Magento\Framework\Registry $coreRegistry
      * @param \Magento\Framework\Controller\Result\JsonFactory $resultJsonFactory
      * @param \Magento\Framework\Controller\Result\RawFactory $resultRawFactory
+     * @param \Magento\Framework\App\Filesystem\DirectoryResolver|null $directoryResolver
      */
     public function __construct(
         \Magento\Backend\App\Action\Context $context,
         \Magento\Framework\Registry $coreRegistry,
         \Magento\Framework\Controller\Result\JsonFactory $resultJsonFactory,
-        \Magento\Framework\Controller\Result\RawFactory $resultRawFactory
+        \Magento\Framework\Controller\Result\RawFactory $resultRawFactory,
+        \Magento\Framework\App\Filesystem\DirectoryResolver $directoryResolver = null
     ) {
+        parent::__construct($context, $coreRegistry);
+
         $this->resultRawFactory = $resultRawFactory;
         $this->resultJsonFactory = $resultJsonFactory;
-        parent::__construct($context, $coreRegistry);
+        $this->directoryResolver = $directoryResolver
+            ?: $this->_objectManager->get(\Magento\Framework\App\Filesystem\DirectoryResolver::class);
     }
 
     /**
-     * Delete file from media storage
+     * Delete file from media storage.
      *
      * @return \Magento\Framework\Controller\ResultInterface
+     * @throws \Magento\Framework\Exception\LocalizedException
      */
     public function execute()
     {
@@ -54,6 +68,11 @@ public function execute()
             /** @var $helper \Magento\Cms\Helper\Wysiwyg\Images */
             $helper = $this->_objectManager->get(\Magento\Cms\Helper\Wysiwyg\Images::class);
             $path = $this->getStorage()->getSession()->getCurrentPath();
+            if (!$this->directoryResolver->validatePath($path, DirectoryList::MEDIA)) {
+                throw new \Magento\Framework\Exception\LocalizedException(
+                    __('Directory %1 is not under storage root path.', $path)
+                );
+            }
             foreach ($files as $file) {
                 $file = $helper->idDecode($file);
                 /** @var \Magento\Framework\Filesystem $filesystem */
@@ -64,11 +83,13 @@ public function execute()
                     $this->getStorage()->deleteFile($filePath);
                 }
             }
+            
             return $this->resultRawFactory->create();
         } catch (\Exception $e) {
             $result = ['error' => true, 'message' => $e->getMessage()];
             /** @var \Magento\Framework\Controller\Result\Json $resultJson */
             $resultJson = $this->resultJsonFactory->create();
+
             return $resultJson->setData($result);
         }
     }
 
@@ -6,6 +6,11 @@
  */
 namespace Magento\Cms\Controller\Adminhtml\Wysiwyg\Images;
 
+use Magento\Framework\App\Filesystem\DirectoryList;
+
+/**
+ * Delete image folder.
+ */
 class DeleteFolder extends \Magento\Cms\Controller\Adminhtml\Wysiwyg\Images
 {
     /**
@@ -18,38 +23,55 @@ class DeleteFolder extends \Magento\Cms\Controller\Adminhtml\Wysiwyg\Images
      */
     protected $resultRawFactory;
 
+    /**
+     * @var \Magento\Framework\App\Filesystem\DirectoryResolver
+     */
+    private $directoryResolver;
+
     /**
      * @param \Magento\Backend\App\Action\Context $context
      * @param \Magento\Framework\Registry $coreRegistry
      * @param \Magento\Framework\Controller\Result\JsonFactory $resultJsonFactory
      * @param \Magento\Framework\Controller\Result\RawFactory $resultRawFactory
+     * @param \Magento\Framework\App\Filesystem\DirectoryResolver|null $directoryResolver
      */
     public function __construct(
         \Magento\Backend\App\Action\Context $context,
         \Magento\Framework\Registry $coreRegistry,
         \Magento\Framework\Controller\Result\JsonFactory $resultJsonFactory,
-        \Magento\Framework\Controller\Result\RawFactory $resultRawFactory
+        \Magento\Framework\Controller\Result\RawFactory $resultRawFactory,
+        \Magento\Framework\App\Filesystem\DirectoryResolver $directoryResolver = null
     ) {
+        parent::__construct($context, $coreRegistry);
         $this->resultRawFactory = $resultRawFactory;
         $this->resultJsonFactory = $resultJsonFactory;
-        parent::__construct($context, $coreRegistry);
+        $this->directoryResolver = $directoryResolver
+            ?: $this->_objectManager->get(\Magento\Framework\App\Filesystem\DirectoryResolver::class);
     }
 
     /**
-     * Delete folder action
+     * Delete folder action.
      *
      * @return \Magento\Framework\Controller\ResultInterface
+     * @throws \Magento\Framework\Exception\LocalizedException
      */
     public function execute()
     {
         try {
             $path = $this->getStorage()->getCmsWysiwygImages()->getCurrentPath();
+            if (!$this->directoryResolver->validatePath($path, DirectoryList::MEDIA)) {
+                throw new \Magento\Framework\Exception\LocalizedException(
+                    __('Directory %1 is not under storage root path.', $path)
+                );
+            }
             $this->getStorage()->deleteDirectory($path);
+            
             return $this->resultRawFactory->create();
         } catch (\Exception $e) {
             $result = ['error' => true, 'message' => $e->getMessage()];
             /** @var \Magento\Framework\Controller\Result\Json $resultJson */
             $resultJson = $this->resultJsonFactory->create();
+
             return $resultJson->setData($result);
         }
     }
 
@@ -6,44 +6,65 @@
  */
 namespace Magento\Cms\Controller\Adminhtml\Wysiwyg\Images;
 
+use Magento\Framework\App\Filesystem\DirectoryList;
+
+/**
+ * Creates new folder.
+ */
 class NewFolder extends \Magento\Cms\Controller\Adminhtml\Wysiwyg\Images
 {
     /**
      * @var \Magento\Framework\Controller\Result\JsonFactory
      */
     protected $resultJsonFactory;
 
+    /**
+     * @var \Magento\Framework\App\Filesystem\DirectoryResolver
+     */
+    private $directoryResolver;
+
     /**
      * @param \Magento\Backend\App\Action\Context $context
      * @param \Magento\Framework\Registry $coreRegistry
      * @param \Magento\Framework\Controller\Result\JsonFactory $resultJsonFactory
+     * @param \Magento\Framework\App\Filesystem\DirectoryResolver|null $directoryResolver
      */
     public function __construct(
         \Magento\Backend\App\Action\Context $context,
         \Magento\Framework\Registry $coreRegistry,
-        \Magento\Framework\Controller\Result\JsonFactory $resultJsonFactory
+        \Magento\Framework\Controller\Result\JsonFactory $resultJsonFactory,
+        \Magento\Framework\App\Filesystem\DirectoryResolver $directoryResolver = null
     ) {
-        $this->resultJsonFactory = $resultJsonFactory;
         parent::__construct($context, $coreRegistry);
+        $this->resultJsonFactory = $resultJsonFactory;
+        $this->directoryResolver = $directoryResolver
+            ?: $this->_objectManager->get(\Magento\Framework\App\Filesystem\DirectoryResolver::class);
     }
 
     /**
-     * New folder action
+     * New folder action.
      *
      * @return \Magento\Framework\Controller\ResultInterface
+     * @throws \Magento\Framework\Exception\LocalizedException
      */
     public function execute()
     {
         try {
             $this->_initAction();
             $name = $this->getRequest()->getPost('name');
             $path = $this->getStorage()->getSession()->getCurrentPath();
+            if (!$this->directoryResolver->validatePath($path, DirectoryList::MEDIA)) {
+                throw new \Magento\Framework\Exception\LocalizedException(
+                    __('Directory %1 is not under storage root path.', $path)
+                );
+            }
             $result = $this->getStorage()->createDirectory($name, $path);
         } catch (\Exception $e) {
             $result = ['error' => true, 'message' => $e->getMessage()];
         }
         /** @var \Magento\Framework\Controller\Result\Json $resultJson */
         $resultJson = $this->resultJsonFactory->create();
+        
         return $resultJson->setData($result);
     }
 }
@@ -6,43 +6,64 @@
  */
 namespace Magento\Cms\Controller\Adminhtml\Wysiwyg\Images;
 
+use Magento\Framework\App\Filesystem\DirectoryList;
+
+/**
+ * Upload image.
+ */
 class Upload extends \Magento\Cms\Controller\Adminhtml\Wysiwyg\Images
 {
     /**
      * @var \Magento\Framework\Controller\Result\JsonFactory
      */
     protected $resultJsonFactory;
 
+    /**
+     * @var \Magento\Framework\App\Filesystem\DirectoryResolver
+     */
+    private $directoryResolver;
+
     /**
      * @param \Magento\Backend\App\Action\Context $context
      * @param \Magento\Framework\Registry $coreRegistry
      * @param \Magento\Framework\Controller\Result\JsonFactory $resultJsonFactory
+     * @param \Magento\Framework\App\Filesystem\DirectoryResolver|null $directoryResolver
      */
     public function __construct(
         \Magento\Backend\App\Action\Context $context,
         \Magento\Framework\Registry $coreRegistry,
-        \Magento\Framework\Controller\Result\JsonFactory $resultJsonFactory
+        \Magento\Framework\Controller\Result\JsonFactory $resultJsonFactory,
+        \Magento\Framework\App\Filesystem\DirectoryResolver $directoryResolver = null
     ) {
-        $this->resultJsonFactory = $resultJsonFactory;
         parent::__construct($context, $coreRegistry);
+        $this->resultJsonFactory = $resultJsonFactory;
+        $this->directoryResolver = $directoryResolver
+            ?: $this->_objectManager->get(\Magento\Framework\App\Filesystem\DirectoryResolver::class);
     }
 
     /**
-     * Files upload processing
+     * Files upload processing.
      *
      * @return \Magento\Framework\Controller\ResultInterface
+     * @throws \Magento\Framework\Exception\LocalizedException
      */
     public function execute()
     {
         try {
             $this->_initAction();
-            $targetPath = $this->getStorage()->getSession()->getCurrentPath();
-            $result = $this->getStorage()->uploadFile($targetPath, $this->getRequest()->getParam('type'));
+            $path = $this->getStorage()->getSession()->getCurrentPath();
+            if (!$this->directoryResolver->validatePath($path, DirectoryList::MEDIA)) {
+                throw new \Magento\Framework\Exception\LocalizedException(
+                    __('Directory %1 is not under storage root path.', $path)
+                );
+            }
+            $result = $this->getStorage()->uploadFile($path, $this->getRequest()->getParam('type'));
         } catch (\Exception $e) {
             $result = ['error' => $e->getMessage(), 'errorcode' => $e->getCode()];
         }
         /** @var \Magento\Framework\Controller\Result\Json $resultJson */
         $resultJson = $this->resultJsonFactory->create();
+        
         return $resultJson->setData($result);
     }
 }
@@ -8,7 +8,9 @@
 use Magento\Framework\App\Filesystem\DirectoryList;
 
 /**
- * Wysiwyg Images Helper
+ * Wysiwyg Images Helper.
+ *
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  */
 class Images extends \Magento\Framework\App\Helper\AbstractHelper
 {
@@ -156,17 +158,23 @@ public function convertPathToId($path)
     }
 
     /**
-     * Decode HTML element id
+     * Decode HTML element id.
      *
      * @param string $id
      * @return string
+     * @throws \InvalidArgumentException When path contains restricted symbols.
      */
     public function convertIdToPath($id)
     {
         if ($id === \Magento\Theme\Helper\Storage::NODE_ROOT) {
             return $this->getStorageRoot();
         } else {
-            return $this->getStorageRoot() . $this->idDecode($id);
+            $path = $this->getStorageRoot() . $this->idDecode($id);
+            if (preg_match('/\.\.(\\\|\/)/', $path)) {
+                throw new \InvalidArgumentException('Path is invalid');
+            }
+
+            return $path;
         }
     }
Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,9 @@`
`8`	`8`	`use Magento\Framework\App\Filesystem\DirectoryList;`
`9`	`9`
`10`	`10`	`/**`
`11`		`- * Wysiwyg Images Helper`
	`11`	`+ * Wysiwyg Images Helper.`
	`12`	`+ *`
	`13`	`+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)`
`12`	`14`	`*/`
`13`	`15`	`class Images extends \Magento\Framework\App\Helper\AbstractHelper`
`14`	`16`	`{`
`@@ -156,17 +158,23 @@ public function convertPathToId($path)`
`156`	`158`	`}`
`157`	`159`
`158`	`160`	`/**`
`159`		`- * Decode HTML element id`
	`161`	`+ * Decode HTML element id.`
`160`	`162`	`*`
`161`	`163`	`* @param string $id`
`162`	`164`	`* @return string`
	`165`	`+ * @throws \InvalidArgumentException When path contains restricted symbols.`
`163`	`166`	`*/`
`164`	`167`	`public function convertIdToPath($id)`
`165`	`168`	`{`
`166`	`169`	`if ($id === \Magento\Theme\Helper\Storage::NODE_ROOT) {`
`167`	`170`	`return $this->getStorageRoot();`
`168`	`171`	`} else {`
`169`		`- return $this->getStorageRoot() . $this->idDecode($id);`
	`172`	`+ $path = $this->getStorageRoot() . $this->idDecode($id);`
	`173`	`+ if (preg_match('/\.\.(\\\\|\/)/', $path)) {`
	`174`	`+ throw new \InvalidArgumentException('Path is invalid');`
	`175`	`+ }`
	`176`	`+`
	`177`	`+ return $path;`
`170`	`178`	`}`
`171`	`179`	`}`
`172`	`180`