[MT8] Add TrimFilePath validation SUPPORT-162 MTC-28799 #2975

Open
wants to merge 4 commits into
base: develop
8 changes: 7 additions & 1 deletion lib/MT/CMS/Asset.pm
Expand Up @@ -9,7 +9,7 @@ use strict;
use warnings;
use Symbol;
use MT::Util
qw( epoch2ts encode_url format_ts relative_date perl_sha1_digest_hex);
qw( epoch2ts encode_url format_ts relative_date perl_sha1_digest_hex trim_path );
use MT::Util::Encode;

my $default_thumbnail_size = 60;
Expand Down Expand Up @@ -530,6 +530,12 @@ sub js_upload_file {
or return $app->error(
$app->json_error( $app->translate("Invalid Request.") ) );

if ( MT->config->TrimFilePath == 2 ) {
my $extra_path = $app->param('extra_path') || '';
return $app->json_error( $app->translate("The upload destination contains an inappropriate whitespace.") )
if $extra_path ne trim_path( $extra_path );
}

# Save as asset
my ( $asset, $bytes ) = _upload_file(
$app,
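Review bot: The numeric `TrimFilePath` modes are never documented, yet this new block in `js_upload_file` acts only when the value is `2`, the publisher hunks trim only when it is `1`, and `Upgrade/Core.pm` now seeds `2`; a reader of this check alone cannot tell that `2` appears to mean "reject input whose path would need trimming at save time" while `1` means "trim silently when the path is built" (that is my inference from the other hunks). Please add a comment above the `if`, e.g. `# TrimFilePath: 1 = trim whitespace when building the file path; 2 = reject input that trim_path would change (see MT::Util::trim_path)`, and point to it from the sibling checks in Blog.pm, Category.pm, Common.pm, ContentData.pm and Entry.pm. Whether the non-JavaScript upload route and the Data API pass through this same validation is not visible here and is worth confirming, since the check is only useful if every upload path reaches it. The body of `js_upload_file` continues outside the hunk.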
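--- a/lib/MT/CMS/Blog.pm
+++ b/lib/MT/CMS/Blog.pm
@@ -7,7 +7,7 @@ package MT::CMS::Blog;
 
 use strict;
 use warnings;
-use MT::Util qw( dirify dir_separator );
+use MT::Util qw( dirify dir_separator trim_path );
 
 sub edit {
 my $cb = shift;
@@ -2194,6 +2194,12 @@ sub save_filter {
 MT->translate("Please choose a preferred archive type.") )
 if ( !$app->param('no_archives_are_active')
 && !$app->param('preferred_archive_type') );
+
+if ( MT->config->TrimFilePath == 2 ) {
+my $extra_path = $app->param('extra_path') || '';
+return $eh->error( MT->translate('The upload destination contains an inappropriate whitespace.') )
+if $extra_path ne trim_path( $extra_path );
+}
 }
 return 1;
 }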
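Review bot: The new `extra_path` check in `save_filter` sits inside an enclosing `if` whose opening line is outside the hunk (only its closing `}` before `return 1;` is visible), so the validation runs only when that outer condition holds; if that block is the archive-settings branch, an `extra_path` submitted from a screen that does not satisfy it would go unchecked. Please confirm the outer condition covers every form that submits `extra_path`, or move the check to the same level as `return 1;`. A minor consistency point: this check uses `MT->translate` while the sibling in Asset.pm uses `$app->translate`; if both resolve the same lexicon it does not matter, but one form per PR reads better.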
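--- a/lib/MT/CMS/Category.pm
+++ b/lib/MT/CMS/Category.pm
@@ -7,6 +7,7 @@ package MT::CMS::Category;
 
 use strict;
 use warnings;
+use MT::Util qw( trim_path );
 use MT::Util::Encode;
 
 sub edit {
@@ -231,6 +232,13 @@ sub bulk_update {
 require JSON;
 my $decode = JSON->new->utf8(0);
 $objects = $decode->decode($json);
+
+if ( MT->config->TrimFilePath == 2 ) {
+foreach my $obj ( @$objects ) {
+return $app->json_error( $app->translate("The basenames contains an inappropriate whitespace.") )
+if $obj->{basename} ne trim_path($obj->{basename});
+}
+}
 }
 else {
 $objects = [];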
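Review bot: `$obj->{basename}` comes straight from the decoded JSON and may be absent for a row, in which case both `ne` and `trim_path` run on `undef`, emitting "uninitialized value" warnings and, depending on what `trim_path` returns for `undef`, possibly rejecting the whole batch; default or skip the value first, e.g. `my $basename = defined $obj->{basename} ? $obj->{basename} : '';` and compare that, as the Asset.pm and Blog.pm hunks do with `|| ''`. The same unguarded pattern appears in `ContentData.pm` `save` (`$app->param('identifier')`) and `Entry.pm` `save` (`$app->param('basename')`). Since the rejection aborts `bulk_update` for the whole set, naming the offending row in the message (`[_1]` with the basename) would make the error actionable. The text `The basenames contains` also reads as a grammar slip; it is a translation key with a matching `ja.pm` entry, so change both together if you touch it.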
47 changes: 29 additions & 18 deletions lib/MT/CMS/Common.pm
Expand Up @@ -8,7 +8,7 @@ package MT::CMS::Common;
use strict;
use warnings;

use MT::Util qw( format_ts relative_date );
use MT::Util qw( format_ts relative_date trim_path );

sub save {
my $app = shift;
Expand Down Expand Up @@ -193,11 +193,16 @@ sub save {
|| ( $cfg_screen eq 'cfg_prefs' ) )
)
{
if ( $values{site_path}
and $values{site_path}
=~ m!^(?:/|[a-zA-Z]:\\|\\\\[a-zA-Z0-9\.]+)! )
{
return $app->errtrans("Invalid request.");
if ( $values{site_path} ) {
if ( $values{site_path} =~ m!^(?:/|[a-zA-Z]:\\|\\\\[a-zA-Z0-9\.]+)! ) {
return $app->errtrans("Invalid request.");
}

if ( MT->config->TrimFilePath == 2
&& $values{site_path} ne trim_path($values{site_path}) )
{
return $app->errtrans("The blog root contains an inappropriate whitespace.");
}
}

if ( $use_absolute
Expand Down Expand Up @@ -263,19 +268,25 @@ sub save {
@$names;
}
}
if ( $values{site_path} and $app->config->BaseSitePath ) {
my $l_path = $app->config->BaseSitePath;
my $s_path = $values{site_path};
unless ( is_within_base_sitepath( $app, $s_path ) ) {
return $app->errtrans(
"The website root directory must be within [_1].",
$l_path );
if ( $values{site_path} ) {
if ( $app->config->BaseSitePath ) {
my $l_path = $app->config->BaseSitePath;
my $s_path = $values{site_path};
unless ( is_within_base_sitepath( $app, $s_path ) ) {
return $app->errtrans(
"The website root directory must be within [_1].",
$l_path );
}
}
unless ( File::Spec->file_name_is_absolute( $values{site_path} ) ) {
return $app->errtrans("Invalid Request.");
}

if ( MT->config->TrimFilePath == 2
&& $values{site_path} ne trim_path( $values{site_path} ) )
{
return $app->errtrans("The website root contains an inappropriate whitespace.");
}
}
if ( $values{site_path}
and not File::Spec->file_name_is_absolute( $values{site_path} ) )
{
return $app->errtrans("Invalid request.");
}
}

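Review bot: The restructured `save` block in the third hunk returns `"Invalid Request."` (capital R) for a non-absolute `site_path`, while the line it replaces and the check in the second hunk both use `"Invalid request."`; these strings double as translation keys, so the new capitalisation will miss the existing lexicon entry and surface untranslated — it should read `return $app->errtrans("Invalid request.");`. Separately, the two new whitespace checks read the setting as `MT->config->TrimFilePath` while the surrounding lines of the same function use `$app->config->BaseSitePath`; one accessor per function would be easier to follow. `save` begins before and continues after both hunks.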
6 changes: 6 additions & 0 deletions lib/MT/CMS/ContentData.pm
Expand Up @@ -548,6 +548,12 @@ sub save {
unpublished_on_year => [qw/MAYBE_STRING/],
}) or return;

if ( MT->config->TrimFilePath == 2 ) {
my $basename = $app->param('identifier');
return $app->error( $app->translate('The identifier contains an inappropriate whitespace.') )
if $basename ne MT::Util::trim_path( $basename );
}

my $blog = $app->blog;
my $cfg = $app->config;
my $param = {};
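Review bot: This check calls `MT::Util::trim_path` fully qualified while every other file in the PR imports it via `use MT::Util qw( trim_path )`; the import block of ContentData.pm is outside the hunk, so I cannot see whether `MT::Util` is loaded here at all. If the file already has a `use MT::Util` line, add `trim_path` to its list for consistency; if it deliberately avoids importing, a comment such as `# fully qualified: this file does not import from MT::Util` would explain the difference. `save` begins before the hunk and continues after it.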
18 changes: 17 additions & 1 deletion lib/MT/CMS/Entry.pm
Expand Up @@ -221,7 +221,17 @@ sub edit {
);

$param->{'mode_view_entry'} = 1;
$param->{'basename'} = MT->config->TrimFilePath ? trim_path($obj->basename) : $obj->basename;
if ( MT->config->TrimFilePath == 1 ) {
my $file = MT->publisher->archive_file_for( $obj, $blog, $at );
my $basename = trim_path( $obj->basename );
$basename =~ s/[-_]/\[-_\]/g;
my $basename_re = qr/$basename/;
( $basename ) = $file =~ /(?:.+\/\s*)?(${basename_re})(?:\s*\..*)?$/;
$param->{'basename'} = $basename;
}
else {
$param->{'basename'} = $obj->basename;
}

if ( my $ts = $obj->authored_on ) {
$param->{authored_on_ts} = $ts;
Expand Down Expand Up @@ -1251,6 +1261,12 @@ sub save {
week_number => [qw/MAYBE_STRING/],
}) or return;

if ( MT->config->TrimFilePath == 2 ) {
my $basename = $app->param('basename');
return $app->error( $app->translate('The basename contains an inappropriate whitespace.') )
if $basename ne trim_path( $basename );
}

$app->remove_preview_file;

if ( $app->param('is_power_edit') ) {
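Review bot: In the `edit` hunk, `trim_path( $obj->basename )` is interpolated into `qr/$basename/` after only the `[-_]` rewrite, so any regex metacharacter in a basename (`.`, `+`, `(`, `?`) either fails to compile or changes what is matched, and when `archive_file_for` returns `undef` or the match fails, `$param->{'basename'}` ends up `undef` instead of the stored value. Escape each literal segment and keep a fallback: `my $basename_re = join '[-_]', map { quotemeta } split /[-_]/, trim_path( $obj->basename ), -1;` then `my ($matched) = defined $file ? ( $file =~ /(?:.+\/\s*)?($basename_re)(?:\s*\..*)?$/ ) : ();` and `$param->{'basename'} = defined $matched ? $matched : $obj->basename;`. `$blog` and `$at` are used here but defined outside the hunk, and `edit` continues on both sides of it.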
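--- a/lib/MT/ContentPublisher.pm
+++ b/lib/MT/ContentPublisher.pm
@@ -1924,7 +1924,7 @@ sub _rebuild_content_archive_type {
 else {
 my $ext = $blog->file_extension;
 $file .= '.' . $ext if $ext;
-$file = trim_path($file) if MT->config->TrimFilePath;
+$file = trim_path($file) if MT->config->TrimFilePath == 1;
 }
 $cache_file->{$cache_key} = $file;
 $file;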
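Review bot: Trimming is now skipped for every `TrimFilePath` value other than `1`, including the `2` that `Upgrade/Core.pm` seeds, and nothing on this line says why; on an install running in mode 2, any basename or path that was saved with stray whitespace before the new save-time validation existed will from now on be published untrimmed. If that is the intended trade-off, a comment here would spare the next reader a search, e.g. `# mode 1 trims at publish time; mode 2 rejects untrimmed paths at save time instead, so nothing is trimmed here`. The identical one-line change in `Template/ContextHandlers.pm` needs the same note. `_rebuild_content_archive_type` begins before the hunk.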
6 changes: 6 additions & 0 deletions lib/MT/L10N/ja.pm
Expand Up @@ -1094,6 +1094,7 @@ use vars qw( @ISA %Lexicon );
'Please select an audio file to upload.' => 'アップロードするオーディオファイルを選択してください。',
'Please select an image to upload.' => 'アップロードする画像を選択してください。',
'Saving object failed: [_1]' => 'オブジェクトを保存できませんでした: [_1]',
'The upload destination contains an inappropriate whitespace.' => 'アップロード先に不適切な空白が含まれています。',
'Transforming image failed: [_1]' => '画像の編集結果を保存できませんでした: [_1]',
'Untitled' => 'タイトルなし',
'Upload Asset' => 'アセットのアップロード',
Expand Down Expand Up @@ -1171,6 +1172,7 @@ use vars qw( @ISA %Lexicon );
'Failed to update [_1]: Some of [_2] were changed after you opened this page.' => 'いくつかの[_2]がすでに更新されていたため、[_1]の更新に失敗しました。',
'Invalid category_set_id: [_1]' => '無効なカテゴリセットIDです: [_1]',
'Manage [_1]' => '[_1]の管理',
'The basenames contains an inappropriate whitespace.' => '出力ファイル名/フォルダ名に不適切な空白が含まれています。',
'The [_1] must be given a name!' => '[_1]には名前が必要です。',
'Tried to update [_1]([_2]), but the object was not found.' => '[_1]([_2])が見つからないため、更新ができません。',
'Your changes have been made (added [_1], edited [_2] and deleted [_3]). <a href="#" onclick="[_4]" class="mt-rebuild">Publish your site</a> to see these changes take effect.' => '変更を保存しました。(追加:[_1]件, 更新:[_2]件, 削除:[_3]件) 変更を有効にするには<a href="#" onclick="[_4]" class="mt-rebuild">再構築</a>をしてください。',
Expand Down Expand Up @@ -1203,8 +1205,10 @@ use vars qw( @ISA %Lexicon );
'Saving snapshot failed: [_1]' => 'スナップショットの保存に失敗しました: [_1]',
'System templates cannot be deleted.' => 'システムテンプレートは削除できません。',
'The Template Name and Output File fields are required.' => 'テンプレートの名前と出力ファイル名は必須です。',
'The blog root contains an inappropriate whitespace.' => 'ブログパスに不適切な空白が含まれています。',
'The blog root directory must be within [_1].' => 'ブログパスは、[_1]以下のディレクトリを指定してください。',
'The selected [_1] has been deleted from the database.' => '選択された[_1]をデータベースから削除しました。',
'The website root contains an inappropriate whitespace.' => 'ウェブサイトパスに不適切な空白が含まれています。',
'The website root directory must be within [_1].' => 'ウェブサイトパスは、[_1]以下のディレクトリを指定してください。',
'Unknown list type' => '不明なタイプです。',
'Web Services Settings' => 'Webサービス設定',
Expand All @@ -1227,6 +1231,7 @@ use vars qw( @ISA %Lexicon );
'One of the content data ([_1]) did not exist' => 'コンテンツデータ (ID: [_1]) が見つかりません',
'Publish error: [_1]' => '再構築エラー: [_1]',
'Removing stats cache failed.' => 'アクセス統計データのキャッシュを削除できませんでした。',
'The identifier contains an inappropriate whitespace.' => '出力ファイル名に不適切な空白が含まれています。',
'The value of [_1] is automatically used as a data label.' => '[_1]の値がデータ識別ラベルとして利用されます',
'Unable to create preview files in this location: [_1]' => 'プレビュー用のファイルをこの場所に作成できませんでした: [_1]',
'Unpublish Contents' => 'コンテンツデータの公開を取り消し',
Expand Down Expand Up @@ -1297,6 +1302,7 @@ use vars qw( @ISA %Lexicon );
'One of the entries ([_1]) did not exist' => '記事(ID:[_1])は存在しませんでした。',
'Removing placement failed: [_1]' => '記事とカテゴリの関連付けを削除できませんでした: [_1]',
'Saving placement failed: [_1]' => '記事とカテゴリの関連付けを設定できませんでした: [_1]',
'The basename contains an inappropriate whitespace.' => '出力ファイル名に不適切な空白が含まれています。',
'This basename has already been used. You should use an unique basename.' => 'ファイル名はすでに使用されています。一意の名前を指定してください。',
'authored on' => '公開日',
'modified on' => '更新日',
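--- a/lib/MT/Template/ContextHandlers.pm
+++ b/lib/MT/Template/ContextHandlers.pm
@@ -6237,7 +6237,7 @@ B<Example:>
 or return $ctx->error( $builder->errstr );
 $file =~ s!/{2,}!/!g;
 $file =~ s!(^/|/$)!!g;
-$file = trim_path($file) if MT->config->TrimFilePath;
+$file = trim_path($file) if MT->config->TrimFilePath == 1;
 $file;
 }
 }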
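--- a/lib/MT/Upgrade/Core.pm
+++ b/lib/MT/Upgrade/Core.pm
@@ -311,7 +311,7 @@ sub seed_database {
 
 $cfg->set(DisableNotificationPings => 1, 1);
 $cfg->set(DefaultSupportedLanguages => 'en_us,ja', 1);
-$cfg->set(TrimFilePath => 1, 1);
+$cfg->set(TrimFilePath => 2, 1);
 
 $cfg->save_config;
 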