Merge branch 'develop'

assets/contenteditor.js

@@ -16,7 +16,7 @@ ContentTools.RESTRICTED_ATTRIBUTES['*'] = []; // allow style attribute on elemen
 
 // Change bold and italic default tags by WCAG2 accessibility guidelines
 ContentTools.Tools.Bold.tagName = 'strong';
-ContentTools.Tools.Bold.Italic = 'em';
+ContentTools.Tools.Italic.tagName = 'em';
 
 /*
 * Save event

http/controllers/ImageController.php

@@ -1,26 +1,23 @@
 <?php namespace Samuell\ContentEditor\Http\Controllers;
 
-use ApplicationException;
-use Exception;
-use Response;
 use File;
 use Input;
+use Response;
+use Exception;
+use ApplicationException;
+use Cms\Classes\MediaLibrary;
 use Illuminate\Routing\Controller;
 use October\Rain\Database\Attach\Resizer;
-use Cms\Classes\MediaLibrary;
-use Cms\Helpers\File as FileHelper;
 use Samuell\ContentEditor\Models\Settings;
-use Samuell\ContentEditor\Http\Middleware\EditorPermissionsMiddleware;
-use October\Rain\Support\Facades\Str;
+use October\Rain\Filesystem\Definitions as FileDefinitions;
 
+/**
+ * ImageController
+ * 
+ * Handle content editor image upload
+ */
 class ImageController extends Controller
 {
-    public function __construct()
-    {
-        $this->middleware('web');
-        $this->middleware(EditorPermissionsMiddleware::class);
-    }
-
     public function upload()
     {
         try {
@@ -31,19 +28,28 @@ public function upload()
             $uploadedFile = Input::file('image');
             $fileName = $uploadedFile->getClientOriginalName();
 
-            // Convert uppcare case file extensions to lower case
+            /*
+             * Convert uppcare case file extensions to lower case
+             */
             $extension = strtolower($uploadedFile->getClientOriginalExtension());
             $fileName = File::name($fileName).'.'.$extension;
 
-            // File name contains non-latin characters, attempt to slug the value
-            if (!FileHelper::validateName($fileName)) {
-                $fileNameSlug = Str::slug(File::name($fileName), '-');
-                $fileName = $fileNameSlug.'.'.$extension;
+            /*
+             * File name contains non-latin characters, attempt to slug the value
+             */
+            if (!$this->validateFileName($fileName)) {
+                $fileNameClean = $this->cleanFileName(File::name($fileName));
+                $fileName = $fileNameClean . '.' . $extension;
             }
+
             if (!$uploadedFile->isValid()) {
                 throw new ApplicationException($uploadedFile->getErrorMessage());
             }
 
+            if (!$this->validateFileType($fileName)) {
+                throw new ApplicationException(Lang::get('backend::lang.media.type_blocked'));
+            }
+
             $path = Settings::get('image_folder', 'contenteditor');
             $path = MediaLibrary::validatePath($path);
 
@@ -126,4 +132,42 @@ public function save()
             ]
         ]);
     }
+
+    /**
+     * Check for blocked / unsafe file extensions
+     *
+     * @param string
+     * @return bool
+     */
+    protected function validateFileType($name)
+    {
+        $extension = strtolower(File::extension($name));
+
+        $allowedFileTypes = FileDefinitions::get('imageExtensions');
+
+        if (!in_array($extension, $allowedFileTypes)) {
+            return false;
+        }
+
+        return true;
+    }
+
+    /**
+     * Validate a proposed media item file name.
+     *
+     * @param string
+     * @return bool
+     */
+    protected function validateFileName($name)
+    {
+        if (!preg_match('/^[\w@\.\s_\-]+$/iu', $name)) {
+            return false;
+        }
+
+        if (strpos($name, '..') !== false) {
+            return false;
+        }
+
+        return true;
+    }
 }

http/middleware/EditorPermissionsMiddleware.php

@@ -3,6 +3,11 @@
 use Closure;
 use Backend\Facades\BackendAuth;
 
+/**
+ * EditorPermissionsMiddleware
+ * 
+ * Allow only backend user with editor permission
+ */
 class EditorPermissionsMiddleware
 {
     public function handle($request, Closure $next)

routes.php

@@ -1,8 +1,13 @@
 <?php
 
+use Samuell\ContentEditor\Http\Middleware\EditorPermissionsMiddleware;
+
 Route::group(['prefix' => 'contenteditor'], function () {
-    Route::post('image/upload', 'Samuell\ContentEditor\Http\Controllers\ImageController@upload');
-    Route::post('image/save', 'Samuell\ContentEditor\Http\Controllers\ImageController@save');
+
+    Route::middleware(['web', EditorPermissionsMiddleware::class])->group(function () {
+        Route::post('image/upload', 'Samuell\ContentEditor\Http\Controllers\ImageController@upload');
+        Route::post('image/save', 'Samuell\ContentEditor\Http\Controllers\ImageController@save');
+    });
 
     // Additional styles route
     Route::get('styles', 'Samuell\ContentEditor\Http\Controllers\AdditionalStylesController@render');

updates/version.yaml

@@ -22,7 +22,7 @@
 1.0.8: Fix BackendAuth issue for build 420
 1.0.9: Fix missing fixture in render component
 1.1.0: Fix SELF prefix for fixtures
-1.2.0: 
+1.2.0:
     - Support classes for fixture
     - Fix renderCount if component using other alias name
 1.2.1:
@@ -52,3 +52,6 @@
 1.3.2:
     - Add small tag tool
     - Changed tools b to strong and i to em
+1.3.3:
+    - Allow only image extensions for upload
+    - Fix italic tag name