
Commit 2894564

authored
[Admin] Translations - use session for file import to prevent path traversal - Merge PR #11498
2 parents fe155c8 + 792352f commit 2894564


2 files changed

+10
-11
lines changed


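--- a/bundles/AdminBundle/Controller/Admin/TranslationController.php
+++ b/bundles/AdminBundle/Controller/Admin/TranslationController.php
@@ -25,6 +25,7 @@
 use Pimcore\Model\Element;
 use Pimcore\Model\Translation;
 use Pimcore\Tool;
+use Pimcore\Tool\Session;
 use Pimcore\Translation\ExportService\Exporter\ExporterInterface;
 use Pimcore\Translation\ExportService\ExportServiceInterface;
 use Pimcore\Translation\ImportDataExtractor\ImportDataExtractorInterface;
@@ -36,6 +37,7 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpFoundation\ResponseHeaderBag;
+use Symfony\Component\HttpFoundation\Session\Attribute\AttributeBagInterface;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\Routing\Annotation\Route;
 use Symfony\Contracts\Translation\TranslatorInterface;
@@ -61,23 +63,17 @@ public function importAction(Request $request, LocaleServiceInterface $localeSer
 $admin = $domain == Translation::DOMAIN_ADMIN;
 
 $dialect = $request->get('csvSettings', null);
-$tmpFile = $request->get('importFile');
+$session = Session::get('pimcore_importconfig');
+$tmpFile = $session->get('translation_import_file');
 
 if ($dialect) {
 $dialect = json_decode($dialect);
 }
 
-if (!empty($tmpFile)) {
-$tmpFile = PIMCORE_SYSTEM_TEMP_DIRECTORY . '/' . $tmpFile;
-} else {
-$tmpFile = $_FILES['Filedata']['tmp_name'];
-}
-
 $this->checkPermission(($admin ? 'admin_' : '') . 'translations');
 
 $merge = $request->get('merge');
-
-$overwrite = $merge ? false : true;
+$overwrite = !$merge;
 
 $allowedLanguages = $this->getAdminUser()->getAllowedLanguagesForEditingWebsiteTranslations();
 if ($admin) {
@@ -138,6 +134,10 @@ public function uploadImportFileAction(Request $request)
 $importFile = PIMCORE_SYSTEM_TEMP_DIRECTORY . '/' . $filename;
 File::put($importFile, $tmpData);
 
+Session::useSession(function (AttributeBagInterface $session) use ($importFile) {
+$session->set('translation_import_file', $importFile);
+}, 'pimcore_importconfig');
+
 // determine csv settings
 $dialect = Tool\Admin::determineCsvDialect($importFile);
 
@@ -149,7 +149,6 @@ public function uploadImportFileAction(Request $request)
 return $this->adminJson([
 'success' => true,
 'config' => [
-'tmpFile' => $filename,
 'csvSettings' => $dialect,
 ],
 ]);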
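Review bot: In importAction, `$session->get('translation_import_file')` returns null when no upload preceded the request or the session entry is gone, and the former `$_FILES['Filedata']['tmp_name']` fallback is removed too, so `$tmpFile` now flows on as null; importAction continues past the hunk, so I cannot see whether a later check catches this. A guard right after the lookup, `if (empty($tmpFile) || !is_file($tmpFile)) { throw new BadRequestHttpException('No translation import file has been uploaded'); }`, fails fast, and BadRequestHttpException is already imported in this file. The path is now built server-side in uploadImportFileAction (fourth hunk), which is what closes the traversal, but it is never cleared after use, so a later import in the same session silently reuses the previous file; `$session->remove('translation_import_file');` once the file has been consumed would avoid that.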

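--- a/bundles/AdminBundle/Resources/public/js/pimcore/settings/translation.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/settings/translation.js
@@ -494,7 +494,7 @@ pimcore.settings.translation.domain = Class.create({
 var csvSettings = Ext.encode(this.config.csvSettings);
 ImportForm.getForm().submit({
 url: this.mergeUrl,
-params: {importFile: this.config.tmpFile, csvSettings: csvSettings, domain: this.domain},
+params: {csvSettings: csvSettings, domain: this.domain},
 waitMsg: t("please_wait"),
 success: function (el, response) {
 try {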
