
Import uploader does not check Content-Disposition header  #12455

Closed
@EliasZ

Description

@EliasZ

Preconditions

Magento 2.2.1 (probably previous versions too, cannot imagine this functionality being removed on purpose)

Steps to reproduce

  1. Create a product import CSV with an image URL (which does not have a proper image extension) leading to an image being force downloaded by HTTP headers (for example: https://gist.github.com/brasofilo/2863355 (example gist))

  2. Import it

Expected result

  1. Magento properly checks the headers, downloads the file to the filename given in the headers and then imports it

Actual result

  1. Magento does not check the headers and downloads the file (for example http://example.com/downloadsomefile becomes something like /pub/media/import/httpexamplecomdownloadsomefile)
  2. The filename does not have a valid file extension and validation fails resulting in the file not being properly imported

Problem

Magento\CatalogImportExport\Model\Import\Uploader::move() sets $fileName to a stripped version of the URL. Here it should do a Magento\Framework\Filesystem\File\ReadInterface::stat() on the URL to check if the Content-Disposition header is set and a filename is provided.
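The check the report asks for, written here as an added stand-alone Python example (not Magento's PHP code): prefer the filename from the Content-Disposition header, fall back to the last path segment of the URL, and in both cases strip any directory part and enforce an image extension allowlist, since both values come from the remote host. The allowlist and the function names are assumptions for this example.

```python
"""Derive a safe local filename for an image fetched by URL during import.

Added example, not Magento's code. Both the Content-Disposition filename and
the URL path are chosen by the remote server, so neither is trusted as-is.
"""
import os
import re
from email.message import Message
from urllib.parse import unquote, urlsplit

# Assumed allowlist for this example; Magento's real image validator may differ.
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif"}


def filename_from_disposition(header_value):
    """Return the filename parameter of a Content-Disposition value, or None."""
    if not header_value:
        return None
    msg = Message()
    msg["Content-Disposition"] = header_value  # stdlib parser, handles filename*
    return msg.get_filename()


def sanitize_filename(name):
    """Drop any directory part and reject names without an allowed extension."""
    if not name:
        return None
    name = unquote(name).replace("\\", "/")
    name = os.path.basename(name).strip()
    if not name or name.startswith("."):
        return None
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem or ext.lower() not in ALLOWED_EXTS:
        return None
    # Narrow the character set so the name is safe on any filesystem.
    stem = re.sub(r"[^A-Za-z0-9._-]+", "_", stem)
    return f"{stem}.{ext.lower()}"


def derive_filename(url, headers):
    """Filename to store the download under, or None if nothing usable is found."""
    disposition = next((v for k, v in headers.items()
                        if k.lower() == "content-disposition"), None)
    candidate = sanitize_filename(filename_from_disposition(disposition))
    if candidate:
        return candidate
    # Fallback: the case the report describes, a URL whose last segment names the file.
    return sanitize_filename(urlsplit(url).path.rsplit("/", 1)[-1])
```

With the report's URL shape (http://example.com/downloadsomefile) and no usable header, the function returns None so the import can reject the download explicitly instead of writing an extensionless file.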

Metadata

Labels

    Component: ImportExport
    Fixed in 2.3.x: The issue has been fixed in 2.3 release line
    Issue: Clear Description: Gate 2 Passed. Manual verification of the issue description passed
    Issue: Confirmed: Gate 3 Passed. Manual verification of the issue completed. Issue is confirmed
    Issue: Format is valid: Gate 1 Passed. Automatic verification of issue format passed
    Issue: Ready for Work: Gate 4. Acknowledged. Issue is added to backlog and ready for development
    Reproduced on 2.1.x: The issue has been reproduced on latest 2.1 release
    Reproduced on 2.2.x: The issue has been reproduced on latest 2.2 release
    Reproduced on 2.3.x: The issue has been reproduced on latest 2.3 release