merge magento/2.3.6-develop into magento-tsg/2.3.6-develop-pr120

Author: magento-mts-svc

app/code/Magento/Backend/App/AbstractAction.php

@@ -5,9 +5,12 @@
  */
 namespace Magento\Backend\App;
 
+use Magento\Framework\Encryption\Helper\Security;
+
 /**
  * Generic backend controller
  *
+ * phpcs:disable Magento2.Classes.AbstractApi
  * @api
  * @SuppressWarnings(PHPMD.NumberOfChildren)
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
@@ -101,6 +104,8 @@ public function __construct(Action\Context $context)
     }
 
     /**
+     * Checking if the user has access to requested component.
+     *
      * @return bool
      */
     protected function _isAllowed()
@@ -119,6 +124,8 @@ protected function _getSession()
     }
 
     /**
+     * Get message manager.
+     *
      * @return \Magento\Framework\Message\ManagerInterface
      */
     protected function getMessageManager()
@@ -146,6 +153,8 @@ protected function _setActiveMenu($itemId)
     }
 
     /**
+     * Prepare breadcrumbs.
+     *
      * @param string $label
      * @param string $title
      * @param string|null $link
@@ -158,6 +167,8 @@ protected function _addBreadcrumb($label, $title, $link = null)
     }
 
     /**
+     * Add content to specified block.
+     *
      * @param \Magento\Framework\View\Element\AbstractBlock $block
      * @return $this
      */
@@ -167,6 +178,8 @@ protected function _addContent(\Magento\Framework\View\Element\AbstractBlock $bl
     }
 
     /**
+     * Move block to left container.
+     *
      * @param \Magento\Framework\View\Element\AbstractBlock $block
      * @return $this
      */
@@ -176,6 +189,8 @@ protected function _addLeft(\Magento\Framework\View\Element\AbstractBlock $block
     }
 
     /**
+     * Add js to specified block.
+     *
      * @param \Magento\Framework\View\Element\AbstractBlock $block
      * @return $this
      */
@@ -200,6 +215,8 @@ private function _moveBlockToContainer(\Magento\Framework\View\Element\AbstractB
     }
 
     /**
+     * Dispatch request.
+     *
      * @param \Magento\Framework\App\RequestInterface $request
      * @return \Magento\Framework\App\ResponseInterface
      */
@@ -286,8 +303,7 @@ public function _processUrlKeys()
     }
 
     /**
-     * Set session locale,
-     * process force locale set through url params
+     * Set session locale, process force locale set through url params.
      *
      * @return $this
      */
@@ -309,8 +325,8 @@ protected function _processLocaleSettings()
      * Set redirect into response
      *
      * @TODO MAGETWO-28356: Refactor controller actions to new ResultInterface
-     * @param   string $path
-     * @param   array $arguments
+     * @param string $path
+     * @param array $arguments
      * @return \Magento\Framework\App\ResponseInterface
      */
     protected function _redirect($path, $arguments = [])
@@ -333,7 +349,7 @@ protected function _redirect($path, $arguments = [])
     protected function _forward($action, $controller = null, $module = null, array $params = null)
     {
         $this->_getSession()->setIsUrlNotice($this->_actionFlag->get('', self::FLAG_IS_URLS_CHECKED));
-        return parent::_forward($action, $controller, $module, $params);
+        parent::_forward($action, $controller, $module, $params);
     }
 
     /**
@@ -360,7 +376,7 @@ protected function _validateSecretKey()
         }
 
         $secretKey = $this->getRequest()->getParam(\Magento\Backend\Model\UrlInterface::SECRET_KEY_PARAM_NAME, null);
-        if (!$secretKey || $secretKey != $this->_backendUrl->getSecretKey()) {
+        if (!$secretKey || !Security::compareStrings($secretKey, $this->_backendUrl->getSecretKey())) {
             return false;
         }
         return true;

app/code/Magento/Customer/Model/Metadata/Form/Image.php

@@ -3,17 +3,33 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+
+declare(strict_types=1);
+
 namespace Magento\Customer\Model\Metadata\Form;
 
 use Magento\Customer\Api\AddressMetadataInterface;
 use Magento\Customer\Api\CustomerMetadataInterface;
+use Magento\Customer\Api\Data\AttributeMetadataInterface;
 use Magento\Customer\Model\FileProcessor;
+use Magento\Customer\Model\FileProcessorFactory;
 use Magento\Framework\Api\ArrayObjectSearch;
 use Magento\Framework\Api\Data\ImageContentInterface;
 use Magento\Framework\Api\Data\ImageContentInterfaceFactory;
 use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Exception\FileSystemException;
+use Magento\Framework\Exception\LocalizedException;
 use Magento\Framework\File\UploaderFactory;
 use Magento\Framework\Filesystem;
+use Magento\Framework\Filesystem\Directory\WriteInterface;
+use Magento\Framework\Filesystem\Io\File as IoFileSystem;
+use Magento\Framework\App\Filesystem\DirectoryList;
+use Magento\Framework\Filesystem\Directory\WriteFactory;
+use Magento\Framework\Locale\ResolverInterface;
+use Magento\Framework\Stdlib\DateTime\TimezoneInterface;
+use Magento\Framework\Url\EncoderInterface;
+use Magento\MediaStorage\Model\File\Validator\NotProtectedExtension;
+use Psr\Log\LoggerInterface;
 
 /**
  * Metadata for form image field
@@ -27,38 +43,55 @@ class Image extends File
      */
     private $imageContentFactory;
 
+    /**
+     * @var IoFileSystem
+     */
+    private $ioFileSystem;
+
+    /**
+     * @var WriteInterface
+     */
+    private $mediaEntityTmpDirectory;
+
     /**
      * Constructor
      *
-     * @param \Magento\Framework\Stdlib\DateTime\TimezoneInterface $localeDate
-     * @param \Psr\Log\LoggerInterface $logger
-     * @param \Magento\Customer\Api\Data\AttributeMetadataInterface $attribute
-     * @param \Magento\Framework\Locale\ResolverInterface $localeResolver
+     * @param TimezoneInterface $localeDate
+     * @param LoggerInterface $logger
+     * @param AttributeMetadataInterface $attribute
+     * @param ResolverInterface $localeResolver
      * @param null|string $value
      * @param string $entityTypeCode
      * @param bool $isAjax
-     * @param \Magento\Framework\Url\EncoderInterface $urlEncoder
-     * @param \Magento\MediaStorage\Model\File\Validator\NotProtectedExtension $fileValidator
+     * @param EncoderInterface $urlEncoder
+     * @param NotProtectedExtension $fileValidator
      * @param Filesystem $fileSystem
      * @param UploaderFactory $uploaderFactory
-     * @param \Magento\Customer\Model\FileProcessorFactory|null $fileProcessorFactory
-     * @param \Magento\Framework\Api\Data\ImageContentInterfaceFactory|null $imageContentInterfaceFactory
+     * @param FileProcessorFactory|null $fileProcessorFactory
+     * @param ImageContentInterfaceFactory|null $imageContentInterfaceFactory
+     * @param IoFileSystem|null $ioFileSystem
+     * @param DirectoryList|null $directoryList
+     * @param WriteFactory|null $writeFactory
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
+     * @throws FileSystemException
      */
     public function __construct(
-        \Magento\Framework\Stdlib\DateTime\TimezoneInterface $localeDate,
-        \Psr\Log\LoggerInterface $logger,
-        \Magento\Customer\Api\Data\AttributeMetadataInterface $attribute,
-        \Magento\Framework\Locale\ResolverInterface $localeResolver,
+        TimezoneInterface $localeDate,
+        LoggerInterface $logger,
+        AttributeMetadataInterface $attribute,
+        ResolverInterface $localeResolver,
         $value,
         $entityTypeCode,
         $isAjax,
-        \Magento\Framework\Url\EncoderInterface $urlEncoder,
-        \Magento\MediaStorage\Model\File\Validator\NotProtectedExtension $fileValidator,
+        EncoderInterface $urlEncoder,
+        NotProtectedExtension $fileValidator,
         Filesystem $fileSystem,
         UploaderFactory $uploaderFactory,
-        \Magento\Customer\Model\FileProcessorFactory $fileProcessorFactory = null,
-        \Magento\Framework\Api\Data\ImageContentInterfaceFactory $imageContentInterfaceFactory = null
+        FileProcessorFactory $fileProcessorFactory = null,
+        ImageContentInterfaceFactory $imageContentInterfaceFactory = null,
+        IoFileSystem $ioFileSystem = null,
+        ?DirectoryList $directoryList = null,
+        ?WriteFactory $writeFactory = null
     ) {
         parent::__construct(
             $localeDate,
@@ -75,7 +108,16 @@ public function __construct(
             $fileProcessorFactory
         );
         $this->imageContentFactory = $imageContentInterfaceFactory ?: ObjectManager::getInstance()
-            ->get(\Magento\Framework\Api\Data\ImageContentInterfaceFactory::class);
+            ->get(ImageContentInterfaceFactory::class);
+        $this->ioFileSystem = $ioFileSystem ?: ObjectManager::getInstance()
+            ->get(IoFileSystem::class);
+        $writeFactory = $writeFactory ?? ObjectManager::getInstance()->get(WriteFactory::class);
+        $directoryList = $directoryList ?? ObjectManager::getInstance()->get(DirectoryList::class);
+        $this->mediaEntityTmpDirectory = $writeFactory->create(
+            $directoryList->getPath($directoryList::MEDIA)
+            . '/' . $this->_entityTypeCode
+            . '/' . FileProcessor::TMP_DIR
+        );
     }
 
     /**
@@ -85,6 +127,7 @@ public function __construct(
      *
      * @param array $value
      * @return string[]
+     * @throws LocalizedException
      * @SuppressWarnings(PHPMD.CyclomaticComplexity)
      * @SuppressWarnings(PHPMD.NPathComplexity)
      */
@@ -93,7 +136,11 @@ protected function _validateByRules($value)
         $label = $value['name'];
         $rules = $this->getAttribute()->getValidationRules();
 
-        $imageProp = @getimagesize($value['tmp_name']);
+        try {
+            $imageProp = getimagesize($value['tmp_name']);
+        } catch (\Throwable $e) {
+            $imageProp = false;
+        }
 
         if (!$this->_isUploadedFile($value['tmp_name']) || !$imageProp) {
             return [__('"%1" is not a valid file.', $label)];
@@ -106,9 +153,11 @@ protected function _validateByRules($value)
         }
 
         // modify image name
-        $extension = pathinfo($value['name'], PATHINFO_EXTENSION);
+        $extension = $this->ioFileSystem->getPathInfo($value['name'])['extension'];
         if ($extension != $allowImageTypes[$imageProp[2]]) {
-            $value['name'] = pathinfo($value['name'], PATHINFO_FILENAME) . '.' . $allowImageTypes[$imageProp[2]];
+            $value['name'] = $this->ioFileSystem->getPathInfo($value['name'])['filename']
+                . '.'
+                . $allowImageTypes[$imageProp[2]];
         }
 
         $maxFileSize = ArrayObjectSearch::getArrayElementByName(
@@ -153,6 +202,7 @@ protected function _validateByRules($value)
      *
      * @param array $value
      * @return bool|int|ImageContentInterface|string
+     * @throws LocalizedException
      */
     protected function processUiComponentValue(array $value)
     {
@@ -174,32 +224,43 @@ protected function processUiComponentValue(array $value)
      *
      * @param array $value
      * @return string
+     * @throws LocalizedException
      */
     protected function processCustomerAddressValue(array $value)
     {
-        $result = $this->getFileProcessor()->moveTemporaryFile($value['file']);
-        return $result;
+        $fileName = $this->mediaEntityTmpDirectory
+            ->getDriver()
+            ->getRealPathSafety(
+                $this->mediaEntityTmpDirectory->getAbsolutePath(
+                    ltrim(
+                        $value['file'],
+                        '/'
+                    )
+                )
+            );
+        return $this->getFileProcessor()->moveTemporaryFile(
+            $this->mediaEntityTmpDirectory->getRelativePath($fileName)
+        );
     }
 
     /**
      * Process file uploader UI component data for customer entity
      *
      * @param array $value
      * @return bool|int|ImageContentInterface|string
+     * @throws LocalizedException
      */
     protected function processCustomerValue(array $value)
     {
-        $temporaryFile = FileProcessor::TMP_DIR . '/' . ltrim($value['file'], '/');
-
-        if ($this->getFileProcessor()->isExist($temporaryFile)) {
+        $file = ltrim($value['file'], '/');
+        if ($this->mediaEntityTmpDirectory->isExist($file)) {
+            $temporaryFile = FileProcessor::TMP_DIR . '/' . $file;
             $base64EncodedData = $this->getFileProcessor()->getBase64EncodedData($temporaryFile);
-
             /** @var ImageContentInterface $imageContentDataObject */
             $imageContentDataObject = $this->imageContentFactory->create()
                 ->setName($value['name'])
                 ->setBase64EncodedData($base64EncodedData)
                 ->setType($value['type']);
-
             // Remove temporary file
             $this->getFileProcessor()->removeUploadedFile($temporaryFile);