This repository was archived by the owner on Apr 29, 2019. It is now read-only.
Import uploader does not check Content-Disposition header #78
Open
Description
From @EliasZ on November 27, 2017 15:22
Preconditions
Magento 2.2.1 (probably previous versions too, cannot imagine this functionality being removed on purpose)
Steps to reproduce
- Create a product import CSV with an image URL (which does not have a proper image extension) leading to an image being force downloaded by HTTP headers (for example: https://gist.github.com/brasofilo/2863355 (example gist))
- Import it
Expected result
- Magento properly checks the headers, downloads the file to the filename given in the headers and then imports it
Actual result
- Magento does not check the headers and downloads the file (for example http://example.com/downloadsomefile becomes something like /pub/media/import/httpexamplecomdownloadsomefile)
- The filename does not have a valid file extension and validation fails, resulting in the file not being properly imported
Problem
Magento\CatalogImportExport\Model\Import\Uploader::move() sets $fileName to a stripped version of the URL. Here it should do a Magento\Framework\Filesystem\File\ReadInterface::stat() on the URL to check if the Content-Disposition header is set and a filename is provided.
Copied from original issue: magento/magento2#12455
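
An added example, not part of the original issue and not Magento's own code: one way to pick the local file name from a Content-Disposition header while treating that header as untrusted remote input. The helper name `filenameFromHeaders`, the extension allowlist and the sample headers are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not Magento's API): choose a local file name for a
// downloaded import image, preferring Content-Disposition over the URL.
// The header is supplied by a remote server, so it is treated as untrusted.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif']; // assumed allowlist

function filenameFromHeaders(array $headers, string $url): ?string
{
    $candidate = null;
    foreach ($headers as $line) {
        if (stripos($line, 'Content-Disposition:') !== 0) {
            continue;
        }
        // RFC 6266: filename*=UTF-8''<percent-encoded> takes precedence.
        if (preg_match("/filename\\*\\s*=\\s*UTF-8''([^;\\s]+)/i", $line, $m)) {
            $candidate = rawurldecode($m[1]);
        } elseif (preg_match('/filename\s*=\s*"([^"]*)"/i', $line, $m)
            || preg_match('/filename\s*=\s*([^;\s]+)/i', $line, $m)) {
            $candidate = $m[1];
        }
    }
    if ($candidate === null) {
        // No usable header: fall back to the path component of the URL.
        $candidate = (string) parse_url($url, PHP_URL_PATH);
    }
    // Keep only the last path segment (either separator) so "../" cannot
    // escape the import directory, then restrict the character set.
    $candidate = basename(str_replace('\\', '/', $candidate));
    $candidate = (string) preg_replace('/[^A-Za-z0-9._-]/', '_', $candidate);
    $candidate = ltrim($candidate, '.');
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if ($candidate === '' || !in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null; // caller should reject the download
    }
    return $candidate;
}

// Constructed sample, shaped like the indexed array get_headers() returns.
$headers = [
    'HTTP/1.1 200 OK',
    'Content-Type: image/png',
    'Content-Disposition: attachment; filename="../../product-42.png"',
];
var_dump(filenameFromHeaders($headers, 'http://example.com/downloadsomefile'));
```

With the sample headers the directory components are discarded and only the base name is kept; when the header is absent, the URL from the issue has no allowed extension and the helper returns null.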