Import uploader does not check Content-Disposition header

[EliasZ]

Preconditions

Magento 2.2.1 (probably previous versions too, cannot imagine this functionality being removed on purpose)

Steps to reproduce

1. Create a product import CSV with an image URL (which does not have a proper image extension) leading to an image being force downloaded by HTTP headers (for example: https://gist.github.com/brasofilo/2863355 (example gist))

2. Import it

Expected result

1. Magento properly checks the headers, downloads the file to the filename given in the headers and then imports it

Actual result

1. Magento does not check the headers and downloads the file (for example http://example.com/downloadsomefile becomes something like /pub/media/import/httpexamplecomdownloadsomefile)
2. The filename does not have a valid file extension and validation fails resulting in the file not being properly imported

Problem

Magento\CatalogImportExport\Model\Import\Uploader::move() sets $fileName to a stripped version of the URL. Here it should do a Magento\Framework\Filesystem\File\ReadInterface::stat() on the URL to check if the Content-Disposition header is set and a filename is provided.

[magento-engcom-team]

@EliasZ, thank you for your report.
We've created internal ticket(s) MAGETWO-84645 to track progress on the issue.

[PieterCappelle]

Should be fixed. If accepted I'll create backport to 2.2 & 2.1.

[magento-team]

Hi @EliasZ. Thank you for your report.
The issue has been fixed in #12872 by @PieterCappelle in 2.3-develop branch
Related commit(s):

• 8cdf043
• 53292d3

The fix will be available with the upcoming patch release.

[EliasZ]

@PieterCappelle Did you verify this works with URLs sending a header detailing the filename? parse_url doesn't seem to check that.

[piotrekkaminski]

This issue was moved to magento-engcom/import-export-improvements#78