Comments (13)
I am aware of this issue and having my team take a look.
from magento2.
Hi @pixiemediaweb. Thank you for your report.
To speed up processing of this issue, make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, add a comment to the issue:
- @magento give me 2.4-develop instance - upcoming 2.4.x release
For more details, review the Magento Contributor Assistant documentation.
- Add a comment to assign the issue: @magento I am working on this
- To learn more about issue processing workflow, refer to the Code Contributions.
Join Magento Community Engineering Slack and ask your questions in the #github channel.
You can find the schedule on the Magento Community Calendar page.
The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, join the Community Contributions Triage session to discuss the appropriate ticket.
from magento2.
Hi @engcom-Bravo. Thank you for working on this issue.
In order to make sure that the issue has enough information and is ready for development, please read and check the following instruction:
1. Verify that the issue has all the required information (Preconditions, Steps to reproduce, Expected result, Actual result).
2. Verify that the issue has a meaningful description and provides enough information to reproduce the issue.
3. Add the "Area: XXXXX" label to the ticket, indicating the functional areas it may be related to.
4. Verify that the issue is reproducible on the 2.4-develop branch.
   - Add the comment "@magento give me 2.4-develop instance" to deploy a test instance on Magento infrastructure.
   - If the issue is reproducible on the 2.4-develop branch, please add the label "Reproduced on 2.4.x".
   - If the issue is not reproducible, add your comment that the issue is not reproducible, close the issue and stop the verification process here!
5. Add the label "Issue: Confirmed" once verification is complete.
6. Make sure that the automatic system confirms that the report has been added to the backlog.
from magento2.
Hi @pixiemediaweb,
Thank you for reporting and collaboration.
Verified the issue on Magento 2.4-develop instance and the issue is not reproducible. Kindly refer to the screenshots.
Steps to reproduce
- Login to Admin
- Go to a CMS page or block
- Click 'insert image'
- If you have any file in the pub/media/* location (even nested folders) that contains a space in the filename, you will not be able to see folder and files in the insert image popup.
We are able to get the folders from pub/media/* location.
Kindly check the issue in Magento 2.4-develop instance and elaborate the steps to reproduce if the issue is still reproducible.
Thanks.
from magento2.
Hi @engcom-Bravo - you need to upload a file in the /pub/media/ directory that has a space in the filename. This needs to be a manual upload, as the WYSIWYG will automatically rename it if you upload from there.
Here is an example of the output you get from bin/magento media-gallery:sync when there is a file with a space in it:
Path "/var/www/dev/pub/media/my image name.jpg" cannot be used with directory "/var/www/dev/pub/media/"
Thanks
from magento2.
Hi @pixiemediaweb,
Thanks for your update.
Verified the issue on Magento 2.4-develop instance and the issue is not reproducible. Kindly refer to the screenshots.
We have uploaded a file in the /pub/media/ directory that has a space in the filename and the command bin/magento media-gallery:sync completed successfully.
Kindly check the issue in Magento 2.4-develop instance and elaborate the steps to reproduce if the issue is still reproducible.
Thanks.
from magento2.
Hello @engcom-Bravo and @pixiemediaweb,
I'm having a similar problem with a file that our custom code generates under var/export for some of our custom reports. As we have the file set up to be named like " - - .xlsx", the spaces around hyphens are triggering it. It's coming from the following preg_match() call, which was added to the frontend of an if check in the validate() method in the magento/framework's Filesystem/Directory/PathValidator.php:

    if (preg_match('/(?:^-|\s-)/', $path)
        || (
            mb_strpos($actualPath, $realDirectoryPath) !== 0
            && rtrim($path, DIRECTORY_SEPARATOR) !== $realDirectoryPath
        )
    ) {
        // ... the validator throws the 'cannot be used with directory' exception quoted above
    }

It's the \s- portion of the preg_match check that is triggering it. This also prevents filenames which start with a hyphen.
Note that the current version of this magento/framework:Filesystem/Directory/PathValidator.php file in the available source code for the 2.4-develop branch does not have this preg_match() function in it. This preg_match() check was not included in the previous release, 2.4.5-p5, but it is showing in the 2.4.5-p6 tagged version: https://github.com/magento/magento2/blob/2.4.5-p6/lib/internal/Magento/Framework/Filesystem/Directory/PathValidator.php. The 2.4.7-beta2 version of the file also does not have it included: https://github.com/magento/magento2/blob/2.4.7-beta2/lib/internal/Magento/Framework/Filesystem/Directory/PathValidator.php, but I guess that's from back in October and we can probably expect the 2.4.7-beta3 coming in a couple of weeks to include it.
It feels like this code is intended to help fix CVE-2024-20720 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')), though it is not otherwise referenced in the source. I've been spinning wheels trying to figure out how it got injected into my composer-based sites, and it turns out it was packaged that way by Magento.
from magento2.
I think that 2.4-develop does have this in?
I'm seeing the same issue that has appeared on upgrading 2.4.5-p5 to 2.4.5-p6, though we have files with " -" in them, not just space, so have not confirmed the narrower issue.
The effect we're seeing is that file upload does not even show directories.
I can understand that import fails. That seems to be what this validation should be doing.
from magento2.
It looks like it was added in a PR yesterday: a9f88e2#diff-0a86f23a4c8b01db4b820276a15815173b4aa97e8a2f272b9522015150b32551
Prepping for the 2.4.7-beta3 release in a couple weeks, I expect - "Sync 2.4 develop with 2.4.7 beta3 develop".
I have been back and forth on how to handle this but have ended up just changing file names. I'm not in a position where I can argue with an auditor over the exploitability of a CVE if I was to try and adjust that back through a composer patch, and I'm not certain it's tied to that CVE - just my best guess. Would probably be best if this new restriction of file names was mentioned as known issues in the release notes.
I have been using find pub/media -name '* \-*' -print to look for files which would trigger it and working through adjustments to those.
from magento2.
It is intended that files with certain combinations of dashes and/or spaces are not allowed. The case that we are trying to understand is from @pixiemediaweb above, which shows the error
Path "/var/www/dev/pub/media/my image name.jpg" cannot be used with directory "/var/www/dev/pub/media/"
We are unable to reproduce a case where only spaces is triggering the error. Can anybody else provide reproduction steps for this specific issue where there are no dashes but you are still getting an error?
from magento2.
Given the lack of response and proof of the use case explained above, I'm going to close this ticket. We are going to fix the use case where dashes are not allowed when on their own. For example, My File - Version 1.jpg will be allowed with our fix.
Other combinations are not allowed by design. If anybody is seeing the issue that @pixiemediaweb reported where spaces by themselves are not allowed (e.g. My File.jpg), please let me know and we can investigate further.
from magento2.
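The 2.4.5-p6 check quoted earlier in this thread, run over the filenames quoted here, as an added example that is not Magento code. The per-segment alternative beside it is an assumption added for illustration of the trade-off the maintainers describe above (allow a lone " - " between words, still reject option-like names); it is not the change Magento shipped.

```php
<?php
// Added example (not Magento code). Compares the 2.4.5-p6 PathValidator regex
// with a narrower, per-segment check on the filenames quoted in this thread.

// The check quoted from 2.4.5-p6: a hyphen as the first character of $path,
// or any hyphen preceded by whitespace anywhere in $path, is rejected.
// Because it runs on the whole string, a hyphen at the start of a nested
// segment (after "/") is not caught by "^-".
function rejectedByP6Check(string $path): bool
{
    return preg_match('/(?:^-|\s-)/', $path) === 1;
}

// Narrower alternative (assumption, for illustration only): look at each path
// segment on its own and reject a segment that begins with "-" (option-like),
// or contains whitespace followed by "-" and then a non-space character.
// A lone " - " between words is allowed.
function rejectedByNarrowCheck(string $path): bool
{
    foreach (explode('/', $path) as $segment) {
        if (preg_match('/^-|\s-\S/', $segment) === 1) {
            return true;
        }
    }
    return false;
}

// Paths taken from the thread, plus two constructed option-like names.
$samples = [
    'pub/media/my image name.jpg',
    'pub/media/My File - Version 1.jpg',
    'amasty/amfile/attach/custom/upload/Installation Instructions - Rintal Zink Exterior Spiral Stairs.pdf',
    'var/export/report - 2024 - 01.xlsx',   // constructed, shaped like the var/export case
    'pub/media/-leading-dash.jpg',          // constructed
    'pub/media/report -x.jpg',              // constructed
];

printf("%-70s %-9s %-9s\n", 'path', 'p6 check', 'narrow');
foreach ($samples as $path) {
    printf(
        "%-70s %-9s %-9s\n",
        $path,
        rejectedByP6Check($path) ? 'rejected' : 'ok',
        rejectedByNarrowCheck($path) ? 'rejected' : 'ok'
    );
}
```

Only the two constructed option-like names are rejected by both checks; the three " - "-between-words names fail only the p6 check, and the spaces-only name passes both, which matches what the maintainers could and could not reproduce above.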
@nathanjosiah @pixiemediaweb @engcom-Bravo
I have encountered this same issue after Magento upgrade from 2.4.6-p3 to 2.4.6-p5.
Error : Path "amasty/amfile/attach/custom/upload/Installation Instructions - Rintal Zink Exterior Spiral Stairs.pdf" cannot be used with directory "/home/magento/pub/media/"
Exception in /home/magento/vendor/magento/framework/Filesystem/Directory/PathValidator.php:63
Change in PathValidator.php
-- if (mb_strpos($actualPath, $realDirectoryPath) !== 0
-- && rtrim($path, DIRECTORY_SEPARATOR) !== $realDirectoryPath
++ if (preg_match('/(?:^-|\s-)/', $path)
++ || (
++ mb_strpos($actualPath, $realDirectoryPath) !== 0
++ && rtrim($path, DIRECTORY_SEPARATOR) !== $realDirectoryPath
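Review bot: the added `preg_match('/(?:^-|\s-)/', $path)` branch rejects any `$path` in which a hyphen follows whitespace anywhere in the string, not only a hyphen at the start of a segment, which is why the quoted `Installation Instructions - Rintal Zink Exterior Spiral Stairs.pdf` now fails while a plain `my image name.jpg` would pass; if the goal is to stop names that begin with a hyphen, matching the hyphen at the start of each path segment (or a hyphen immediately followed by a non-space character) would keep ` - ` between words valid, and the rejected pattern should be named in the thrown message rather than the generic "cannot be used with directory". The quoted hunk also stops before the closing `)` and `{`, so the full condition cannot be read from the comment alone.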
Please check
from magento2.
It appears that this problem was fixed in Magento 2.4.7-p1, 2.4.6-p6, 2.4.5-p8 and 2.4.4-p9
Maybe @nathanjosiah can confirm this?
from magento2.