Merge remote-tracking branch 'origin/v8/dev' into v9/feature/merge_v8_03-11-2021

# Conflicts: # src/Umbraco.Core/Configuration/GlobalSettings.cs # src/Umbraco.Core/Configuration/IGlobalSettings.cs # src/Umbraco.Core/Constants-AppSettings.cs # src/Umbraco.Tests/Umbraco.Tests.csproj # src/Umbraco.Web.BackOffice/Controllers/BackOfficeServerVariables.cs # src/Umbraco.Web.UI/umbraco/config/lang/en.xml # src/Umbraco.Web.UI/umbraco/config/lang/en_us.xml # src/Umbraco.Web.UI/web.Template.config # src/Umbraco.Web/Editors/ContentTypeController.cs # src/Umbraco.Web/HealthCheck/Checks/Security/BaseHttpHeaderCheck.cs # tests/Umbraco.Tests.UnitTests/Umbraco.Core/Configurations/LanguageXmlTests.cs
2021-11-03 08:44:12 +01:00
parent ef4a0f89fa bb323b0286
commit c3ebbe23fd
15 changed files with 327 additions and 44 deletions
--- a/src/Umbraco.Web.BackOffice/Controllers/BackOfficeServerVariables.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/BackOfficeServerVariables.cs
@@ -413,6 +413,7 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers
                        {"showAllowSegmentationForDocumentTypes", false},
                        {"minimumPasswordLength", _memberPasswordConfigurationSettings.RequiredLength},
                        {"minimumPasswordNonAlphaNum", _memberPasswordConfigurationSettings.GetMinNonAlphaNumericChars()},
+                        {"sanitizeTinyMce", _globalSettings.SanitizeTinyMce}
                    }
                },
                {
--- a/src/Umbraco.Web.BackOffice/Controllers/ContentTypeController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/ContentTypeController.cs
@@ -590,36 +590,44 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers

                var root = _hostingEnvironment.MapPathContentRoot(Constants.SystemDirectories.TempFileUploads);
                var tempPath = Path.Combine(root,fileName);
-
-                using (var stream = System.IO.File.Create(tempPath))
+                if (Path.GetFullPath(tempPath).StartsWith(Path.GetFullPath(root)))
                {
-                    formFile.CopyToAsync(stream).GetAwaiter().GetResult();
-                }
-
-                if (ext.InvariantEquals("udt"))
-                {
-                    model.TempFileName = Path.Combine(root, fileName);
-
-                    var xd = new XmlDocument
+                    using (var stream = System.IO.File.Create(tempPath))
                    {
-                        XmlResolver = null
-                    };
-                    xd.Load(model.TempFileName);
+                        formFile.CopyToAsync(stream).GetAwaiter().GetResult();
+                    }

-                    model.Alias = xd.DocumentElement?.SelectSingleNode("//DocumentType/Info/Alias")?.FirstChild.Value;
-                    model.Name = xd.DocumentElement?.SelectSingleNode("//DocumentType/Info/Name")?.FirstChild.Value;
+                    if (ext.InvariantEquals("udt"))
+                    {
+                        model.TempFileName = Path.Combine(root, fileName);
+
+                        var xd = new XmlDocument
+                        {
+                            XmlResolver = null
+                        };
+                        xd.Load(model.TempFileName);
+
+                        model.Alias = xd.DocumentElement?.SelectSingleNode("//DocumentType/Info/Alias")?.FirstChild.Value;
+                        model.Name = xd.DocumentElement?.SelectSingleNode("//DocumentType/Info/Name")?.FirstChild.Value;
+                    }
+                    else
+                    {
+                        model.Notifications.Add(new BackOfficeNotification(
+                            _localizedTextService.Localize("speechBubbles","operationFailedHeader"),
+                            _localizedTextService.Localize("media","disallowedFileType"),
+                            NotificationStyle.Warning));
+                    }
                }
                else
                {
                    model.Notifications.Add(new BackOfficeNotification(
-                        _localizedTextService.Localize("speechBubbles","operationFailedHeader"),
-                        _localizedTextService.Localize("media","disallowedFileType"),
+                        _localizedTextService.Localize("speechBubbles", "operationFailedHeader"),
+                        _localizedTextService.Localize("media", "invalidFileName"),
                        NotificationStyle.Warning));
                }
+
            }

-
-
            return model;

        }