Merge remote-tracking branch 'origin/8.1' into 8.2
dlubitz committed Jan 12, 2024
2 parents d9838cf + 719744f commit 5ad8016
Showing 8 changed files with 82 additions and 13 deletions.
27 changes: 26 additions & 1 deletion Neos.Media.Browser/Classes/Controller/AssetController.php
@@ -14,6 +14,7 @@

use Doctrine\Common\Persistence\Proxy as DoctrineProxy;
use Doctrine\ORM\EntityNotFoundException;
use enshrined\svgSanitize\Sanitizer;
use Neos\Error\Messages\Error;
use Neos\Error\Messages\Message;
use Neos\Flow\Annotations as Flow;
@@ -35,6 +36,7 @@
use Neos\Media\Domain\Model\AssetCollection;
use Neos\Media\Domain\Model\AssetInterface;
use Neos\Media\Domain\Model\AssetSource\AssetNotFoundExceptionInterface;
use Neos\Media\Domain\Model\AssetSource\AssetProxy\AssetProxyInterface;
use Neos\Media\Domain\Model\AssetSource\AssetProxyRepositoryInterface;
use Neos\Media\Domain\Model\AssetSource\AssetSourceConnectionExceptionInterface;
use Neos\Media\Domain\Model\AssetSource\AssetSourceInterface;
@@ -372,7 +374,8 @@ public function showAction(string $assetSourceIdentifier, string $assetProxyIden

$this->view->assignMultiple([
'assetProxy' => $assetProxy,
'assetCollections' => $this->assetCollectionRepository->findAll()
'assetCollections' => $this->assetCollectionRepository->findAll(),
'assetContainsMaliciousContent' => $this->checkForMaliciousContent($assetProxy)
]);
} catch (AssetNotFoundExceptionInterface | AssetSourceConnectionExceptionInterface $e) {
$this->view->assign('connectionError', $e);
@@ -425,6 +428,7 @@ public function editAction(string $assetSourceIdentifier, string $assetProxyIden
'assetCollections' => $this->assetCollectionRepository->findAll(),
'contentPreview' => $contentPreview,
'assetSource' => $assetSource,
'assetContainsMaliciousContent' => $this->checkForMaliciousContent($assetProxy),
'canShowVariants' => ($assetProxy instanceof NeosAssetProxy) && ($assetProxy->getAsset() instanceof VariantSupportInterface)
]);
} catch (AssetNotFoundExceptionInterface | AssetSourceConnectionExceptionInterface $e) {
@@ -1024,4 +1028,25 @@ private function forwardWithConstraints(string $actionName, string $controllerNa
}
$this->forward($actionName, $controllerName, null, $arguments);
}

private function checkForMaliciousContent(AssetProxyInterface $assetProxy): bool
{
if ($assetProxy->getMediaType() == 'image/svg+xml') {
// @todo: Simplify again when https://github.com/darylldoyle/svg-sanitizer/pull/90 is merged and released.
$previousXmlErrorHandling = libxml_use_internal_errors(true);
$sanitizer = new Sanitizer();

$resource = stream_get_contents($assetProxy->getImportStream());

$sanitizer->sanitize($resource);
libxml_clear_errors();
libxml_use_internal_errors($previousXmlErrorHandling);
$issues = $sanitizer->getXmlIssues();
if ($issues && count($issues) > 0) {
return true;
}
}

return false;
}
}
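Review bot: `checkForMaliciousContent()` fails open: the return value of `$sanitizer->sanitize($resource)` is discarded and a `false` from `stream_get_contents()` is passed straight on, so an SVG that cannot be read or (assuming `sanitize()` reports a parse failure by returning `false`, which should be confirmed against the pinned release) cannot be parsed ends up with an empty issue list and is reported as clean, which keeps the direct link to the original. Both failures should count as suspicious, and the libxml error mode should be restored in a `finally` so that an exception from the stream or the sanitizer does not leave `libxml_use_internal_errors(true)` set for the rest of the request. The media type test is an exact `==` match on `'image/svg+xml'`; whether `getMediaType()` can return a differently cased or parameterised value is not visible here, so that is worth confirming, and `===` is the safer comparison. The method also reads the whole import stream on every show and edit request and never closes the handle, which may matter for remote asset sources.

```php
private function checkForMaliciousContent(AssetProxyInterface $assetProxy): bool
{
    if ($assetProxy->getMediaType() !== 'image/svg+xml') {
        return false;
    }

    // … unchanged: @todo about the upstream svg-sanitizer change …
    $previousXmlErrorHandling = libxml_use_internal_errors(true);
    try {
        $resource = stream_get_contents($assetProxy->getImportStream());
        if ($resource === false) {
            // Unreadable asset: report it as suspicious, not as clean.
            return true;
        }

        $sanitizer = new Sanitizer();
        // A false return is taken to mean "could not parse"; confirm against the pinned release.
        $parseFailed = $sanitizer->sanitize($resource) === false;

        return $parseFailed || !empty($sanitizer->getXmlIssues());
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousXmlErrorHandling);
    }
}
```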
@@ -1,7 +1,14 @@
{namespace m=Neos\Media\ViewHelpers}
{namespace neos=Neos\Neos\ViewHelpers}
<div class="neos-preview-image" id="neos-preview-image">
<a href="{assetProxy.originalUri}" target="_blank">
<img src="{assetProxy.previewUri}" class="img-polaroid" alt="{assetProxy.label}"/>
</a>
<f:if condition="{assetContainsMaliciousContent}">
<f:then>
<img src="{assetProxy.previewUri}" class="img-polaroid" alt="{assetProxy.label}"/>
</f:then>
<f:else>
<a href="{assetProxy.originalUri}" target="_blank">
<img src="{assetProxy.previewUri}" class="img-polaroid" alt="{assetProxy.label}"/>
</a>
</f:else>
</f:if>
</div>
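Review bot: The `<f:else>` branch opens `{assetProxy.originalUri}` with `target="_blank"` and no `rel` attribute, so an uploaded file that the server-side check did not flag is opened in a new tab without opener isolation being requested explicitly; I would write `<a href="{assetProxy.originalUri}" target="_blank" rel="noopener noreferrer">`. The same anchor is in the Edit.html and Show.html sections of this commit. Separately, the `<f:then>` branch only leaves the link out: the original presumably stays reachable at its URI, so a short template comment saying that the flag is an editor warning and not an access control would prevent it being read as one.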
14 changes: 13 additions & 1 deletion Neos.Media.Browser/Resources/Private/Templates/Asset/Edit.html
@@ -78,7 +78,19 @@ <h2>{neos:backend.translate(id: 'connectionError', package: 'Neos.Media.Browser'
</f:if>
<tr>
<th>{neos:backend.translate(id: 'metadata.filename', package: 'Neos.Media.Browser')}</th>
<td><a href="#" target="_blank">{assetProxy.filename}</a></td>
<td>
<f:if condition="{assetContainsMaliciousContent}">
<f:then>
{assetProxy.filename}
<div class="neos-badge neos-badge-important">
{neos:backend.translate(id: 'message.assetContainsMaliciousContent', package: 'Neos.Media.Browser')}
</div>
</f:then>
<f:else>
<a href="{assetProxy.originalUri}" target="_blank">{assetProxy.filename}</a>
</f:else>
</f:if>
</td>
</tr>
<tr>
<th>{neos:backend.translate(id: 'metadata.lastModified', package: 'Neos.Media.Browser')}</th>
27 changes: 23 additions & 4 deletions Neos.Media.Browser/Resources/Private/Templates/Asset/Show.html
@@ -39,7 +39,19 @@
</f:if>
<tr>
<th>{neos:backend.translate(id: 'metadata.filename', package: 'Neos.Media.Browser')}</th>
<td><a href="{assetProxy.originalUri}" target="_blank">{assetProxy.filename}</a></td>
<td>
<f:if condition="{assetContainsMaliciousContent}">
<f:then>
{assetProxy.filename}
<div class="neos-badge neos-badge-important">
{neos:backend.translate(id: 'message.assetContainsMaliciousContent', package: 'Neos.Media.Browser')}
</div>
</f:then>
<f:else>
<a href="{assetProxy.originalUri}" target="_blank">{assetProxy.filename}</a>
</f:else>
</f:if>
</td>
</tr>
<tr>
<th>{neos:backend.translate(id: 'metadata.lastModified', package: 'Neos.Media.Browser')}</th>
@@ -85,9 +97,16 @@
<f:section name="ContentImage">
<label>{neos:backend.translate(id: 'preview', package: 'Neos.Media.Browser')}</label>
<div class="neos-preview-image">
<a href="{assetProxy.originalUri}" target="_blank">
<img src="{assetProxy.previewUri}" class="img-polaroid" alt="{assetProxy.label}"/>
</a>
<f:if condition="{assetContainsMaliciousContent}">
<f:then>
<img src="{assetProxy.previewUri}" class="img-polaroid" alt="{assetProxy.label}"/>
</f:then>
<f:else>
<a href="{assetProxy.originalUri}" target="_blank">
<img src="{assetProxy.previewUri}" class="img-polaroid" alt="{assetProxy.label}"/>
</a>
</f:else>
</f:if>
</div>
</f:section>

3 changes: 3 additions & 0 deletions Neos.Media.Browser/Resources/Private/Translations/en/Main.xlf
@@ -101,6 +101,9 @@
<trans-unit id="message.operationCannotBeUndone" xml:space="preserve">
<source>This operation cannot be undone.</source>
</trans-unit>
<trans-unit id="message.assetContainsMaliciousContent" xml:space="preserve">
<source>This asset might contain malicious content!</source>
</trans-unit>
<trans-unit id="cancel" xml:space="preserve">
<source>Cancel</source>
</trans-unit>
4 changes: 3 additions & 1 deletion Neos.Media.Browser/composer.json
@@ -12,6 +12,7 @@
],
"require": {
"php": "^8.0",
"ext-libxml": "*",
"neos/media": "self.version",
"neos/content-repository": "self.version",
"neos/neos": "self.version",
@@ -22,7 +23,8 @@
"neos/utility-mediatypes": "*",
"neos/error-messages": "*",
"doctrine/common": "^2.7 || ^3.0",
"doctrine/orm": "^2.6"
"doctrine/orm": "^2.6",
"enshrined/svg-sanitize": "^0.16.0"
},
"autoload": {
"psr-4": {
@@ -606,8 +606,8 @@ protected function renderContentChanges(NodeInterface $changedNode)
'diff' => $diffArray
];
}
// The && in belows condition is on purpose as creating a thumbnail for comparison only works if actually
// BOTH are ImageInterface (or NULL).
// The && in belows condition is on purpose as creating a thumbnail for comparison only works if actually
// BOTH are ImageInterface (or NULL).
} elseif (
($originalPropertyValue instanceof ImageInterface || $originalPropertyValue === null)
&& ($changedPropertyValue instanceof ImageInterface || $changedPropertyValue === null)
3 changes: 2 additions & 1 deletion composer.json
@@ -30,7 +30,8 @@
"neos/party": "*",
"neos/fusion-form": "^1.0 || ^2.0",
"neos/form": "*",
"neos/kickstarter": "~8.2.0"
"neos/kickstarter": "~8.2.0",
"enshrined/svg-sanitize": "^0.16.0"
},
"replace": {
"typo3/typo3cr": "self.version",