4系の変更点を5系に取り込みリファクタリング

plugins/baser-core/src/Utility/BcFileUploader.php

@@ -359,6 +359,12 @@ public function saveFile($setting, $file)
     	if(empty($file['tmp_name'])) return false;
         $fileName = $this->getSaveFileName($setting, $file);
         $filePath = $this->savePath . $fileName;
+
+        // .htaccessは保存させない
+        if (preg_match('/\.htaccess$/is', $fileName)) {
+            return false;
+        }
+
         $this->rotateImage($file['tmp_name']);
         if (copy($file['tmp_name'], $filePath)) {
             chmod($filePath, 0666);

plugins/baser-core/src/View/Helper/BcUploadHelper.php

@@ -200,7 +200,7 @@ public function fileLink($fieldName, $entity, $options = [])
                     if (is_array($options['link'])) {
                         $linkOptions = array_merge($linkOptions, $options['link']);
                     }
-                    $out = $this->Html->tag('figure', $this->Html->link(__d('baser_core', 'ダウンロード') . ' ≫', $filePath, $linkOptions) . '<br>' . $this->Html->tag('figcaption', BcUtil::mbBasename($value), $figcaptionOptions), $figureOptions);
+                    $out = $this->Html->tag('figure', $this->Html->link(__d('baser_core', 'ダウンロード') . ' ≫', $filePath, $linkOptions) . '<br>' . $this->Html->tag('figcaption', h(BcUtil::mbBasename($value)), $figcaptionOptions), $figureOptions);
                 }
             } else {
                 $out = $value;

plugins/bc-admin-third/templates/plugin/BcUploader/Admin/element/UploaderFiles/index.php

@@ -47,16 +47,16 @@
 
 <!-- JS用設定値 -->
 <div style="display:none">
-  <div id="ListId"><?php echo $listId ?></div>
-  <div id="LoginUserId"><?php echo \BaserCore\Utility\BcUtil::loginUser()->id ?></div>
-  <div id="LoginUserGroupId"><?php echo \BaserCore\Utility\BcUtil::loginUser()->user_groups[0]->id ?></div>
-  <div id="AdminPrefix" style="display:none;"><?php echo \BaserCore\Utility\BcUtil::getAdminPrefix() ?></div>
-  <div id="UsePermission"><?php echo $uploaderConfigs->use_permission ?></div>
+  <div id="ListId"><?= h($listId) ?></div>
+  <div id="LoginUserId"><?= h(\BaserCore\Utility\BcUtil::loginUser()->id) ?></div>
+  <div id="LoginUserGroupId"><?= h(\BaserCore\Utility\BcUtil::loginUser()->user_groups[0]->id) ?></div>
+  <div id="AdminPrefix" style="display:none;"><?= h(\BaserCore\Utility\BcUtil::getAdminPrefix()) ?></div>
+  <div id="UsePermission"><?= h($uploaderConfigs->use_permission) ?></div>
 </div>
 
 
 <!-- ファイルリスト -->
-<div id="FileList<?php echo $listId ?>" class="file-list"></div>
+<div id="FileList<?php echo h($listId) ?>" class="file-list"></div>
 
 <!-- 編集ダイアログ -->
 <div id="EditDialog" title="<?php echo __d('baser_core', 'ファイル情報編集') ?>">

plugins/bc-admin-third/templates/plugin/BcUploader/Admin/element/UploaderFiles/index_list_panel.php

@@ -42,7 +42,7 @@
               'id' => 'UploaderFileUploaderCategoryId' . $listId
             ]) ?> 
           <?php endif ?>
-          <span id="SpanUploadFile<?php echo $listId ?>">
+          <span id="SpanUploadFile<?= h($listId) ?>">
 				<?php echo $this->BcAdminForm->control('file', [
           'type' => 'file',
           'id' => 'UploaderFileFile' . $listId,

plugins/bc-admin-third/templates/plugin/BcUploader/Admin/element/UploaderFiles/index_list_table.php

@@ -46,7 +46,7 @@
               'style' => 'width:100px'
             ]) ?> 
           <?php endif ?>
-          <span id="SpanUploadFile<?php echo $listId ?>">
+          <span id="SpanUploadFile<?= h($listId) ?>">
             <?php echo $this->BcAdminForm->control('file', [
               'type' => 'file',
               'id' => 'UploaderFileFile' . $listId,
@@ -78,7 +78,7 @@
                 'id' => 'UploaderFileUploaderCategoryId' . $listId
               ]) ?>
             <?php endif ?>
-            <span id="SpanUploadFile<?php echo $listId ?>">
+            <span id="SpanUploadFile<?= h($listId) ?>">
               <?php echo $this->BcAdminForm->control('file', [
                 'type' => 'file',
                 'id' => 'UploaderFileFile' . $listId,

plugins/bc-admin-third/templates/plugin/BcUploader/Admin/element/UploaderFiles/index_row_panel.php

@@ -25,11 +25,10 @@
   $classies = ['publish', 'selectable-file'];
   $statusPublish = true;
 }
-$class = ' class="' . implode(' ', $classies) . ' bca-file-list__item"';
 ?>
 
 
-<span<?php echo $class; ?> id="selectedFile<?php echo $uploaderFile->id ?>" class="uploader-file-row-panel">
+<span class="bca-file-list__item <?= h(implode(' ', $classies)); ?>" id="selectedFile<?= h($uploaderFile->id) ?>" class="uploader-file-row-panel">
 	<?php echo $this->Uploader->file($uploaderFile, [
     'width' => 120,
     'height' => 120,
@@ -39,10 +38,10 @@
   ]) ?>
 	<div class="uploader-file-row-panel__alt">
 		<span class="id">
-		  <?php echo $uploaderFile->id ?></span>.<span><?php echo $this->BcText->truncate(h($uploaderFile->alt), 13) ?>
+		  <?= h($uploaderFile->id) ?></span>.<span><?= h($this->BcText->truncate(h($uploaderFile->alt), 13)) ?>
     </span>
 	</div>
-	<span class="name"><?php echo $uploaderFile->name ?></span>
+	<span class="name"><?= h($uploaderFile->name) ?></span>
 	<div class="uploader-file-row-panel__created">
 		<span class="created" style="white-space: nowrap">
 			[<?php echo __d('baser_core', '公開状態') ?>：<?php echo $this->BcText->booleanMark($statusPublish); ?>]&nbsp;<?php echo $this->BcTime->format($uploaderFile->created, 'Y.m.d') ?>
@@ -57,9 +56,9 @@
 		<span class="midium"><?php echo $uploaderFile->midium ?></span>
 		<span class="large"><?php echo $uploaderFile->large ?></span>
 		<span class="url">
-		  <?php echo $this->BcHtml->Url->build($this->Uploader->getFileUrl($uploaderFile->name)) ?>
+		  <?= h($this->BcHtml->Url->build($this->Uploader->getFileUrl($uploaderFile->name))) ?>
     </span>
-		<span class="user-id"><?php echo $uploaderFile->user_id ?></span>
+		<span class="user-id"><?= h($uploaderFile->user_id) ?></span>
 		<span class="publish-begin">
 		  <?php echo $this->BcTime->format($uploaderFile->publish_begin, 'yyyy/MM/dd') ?>
     </span>
@@ -72,7 +71,7 @@
 		<span class="publish-end-time">
 		  <?php echo $this->BcTime->format($uploaderFile->publish_end, 'HH:mm:ss') ?>
     </span>
-		<span class="uploader-category-id"><?php echo $uploaderFile->uploader_category_id ?></span>
+		<span class="uploader-category-id"><?= h($uploaderFile->uploader_category_id) ?></span>
 		<span class="alt"><?php echo h($uploaderFile->alt) ?></span>
 	</div>
 </span>

plugins/bc-admin-third/templates/plugin/BcUploader/Admin/element/UploaderFiles/index_row_table.php

@@ -27,48 +27,47 @@
   $classies = ['publish', 'selectable-file'];
   $statusPublish = true;
 }
-$class = ' class="' . implode(' ', $classies) . '"';
 ?>
 
 
-<tr<?php echo $class; ?> id="selectedFile<?php echo $uploaderFile->id ?>">
+<tr class="<?= h(implode(' ', $classies)); ?>" id="selectedFile<?= h($uploaderFile->id) ?>">
   <td class="id bca-table-listup__tbody-td">
-    <?php echo $uploaderFile->id ?>
+    <?= h($uploaderFile->id) ?>
     <div style="display:none">
-      <span class="small"><?php echo $uploaderFile->small ?></span>
-      <span class="midium"><?php echo $uploaderFile->midium ?></span>
-      <span class="large"><?php echo $uploaderFile->large ?></span>
+      <span class="small"><?= h($uploaderFile->small) ?></span>
+      <span class="midium"><?= h($uploaderFile->midium) ?></span>
+      <span class="large"><?= h($uploaderFile->large) ?></span>
       <span class="url">
-        <?php echo $this->BcHtml->Url->build($this->Uploader->getFileUrl($uploaderFile->name)) ?>
+        <?= h($this->BcHtml->Url->build($this->Uploader->getFileUrl($uploaderFile->name))) ?>
       </span>
-      <span class="user-id"><?php echo $uploaderFile->user_id ?></span>
-      <span class="name"><?php echo $uploaderFile->name ?></span>
-      <span class="alt"><?php echo h($uploaderFile->alt) ?></span>
+      <span class="user-id"><?= h($uploaderFile->user_id) ?></span>
+      <span class="name"><?= h($uploaderFile->name) ?></span>
+      <span class="alt"><?= h($uploaderFile->alt) ?></span>
     </div>
   </td>
   <td class="img bca-table-listup__tbody-td">
-    <?php echo $this->Uploader->file($uploaderFile, [
+    <?= $this->Uploader->file($uploaderFile, [
       'size' => 'small',
       'alt' => h($uploaderFile->alt),
       'style' => 'width:80px'
     ]) ?>
   </td>
   <td class="bca-table-listup__tbody-td">
     <span class="uploader-category-id">
-      <?php echo $this->BcText->arrayValue($uploaderFile->uploader_category_id, $uploaderCategories) ?>
+      <?= h($this->BcText->arrayValue($uploaderFile->uploader_category_id, $uploaderCategories)) ?>
     </span>
   </td>
   <td class="bca-table-listup__tbody-td">
-    <span><?php echo h($uploaderFile->name) ?></span>
+    <span><?= h($uploaderFile->name) ?></span>
     <?php if ($uploaderFile->alt): ?>
-    <br/><span><?php echo $this->BcText->truncate(h($uploaderFile->alt), 40) ?><span>
+    <br/><span><?= $this->BcText->truncate(h($uploaderFile->alt), 40) ?><span>
     <?php endif ?>
   </td>
   <td class="bc-align-center bca-table-listup__tbody-td">
-    <?php echo $this->BcText->booleanMark($statusPublish); ?>
+    <?= $this->BcText->booleanMark($statusPublish); ?>
   </td>
   <td class="user-name bca-table-listup__tbody-td">
-    <?php echo h($this->BcText->arrayValue($uploaderFile->user_id, $users)) ?>
+    <?= h($this->BcText->arrayValue($uploaderFile->user_id, $users)) ?>
   </td>
   <td class="created bca-table-listup__tbody-td">
     <span class="created"><?php echo $this->BcTime->format($uploaderFile->created, 'Y.m.d') ?></span><br/>

plugins/bc-mail/src/Controller/Admin/MailMessagesController.php

@@ -167,7 +167,14 @@ public function attachment(MailMessagesServiceInterface $service)
         $file = implode('/', $args);
         $service->MailMessages->setup($mailContentId);
         $settings = $service->MailMessages->getBehavior('BcUpload')->getSettings();
-        $filePath = WWW_ROOT . 'files' . DS . $settings['saveDir'] . DS . $file;
+        $basePath = realpath(WWW_ROOT . 'files' . DS . $settings['saveDir']);
+        $filePath = realpath($basePath . DS . $file);
+
+        // basePath配下でない場合は表示しない
+        if (strpos($filePath, $basePath) !== 0) {
+                $this->notFound();
+        }
+
         $ext = BcUtil::decodeContent(null, $file);
         $mineType = 'application/octet-stream';
         if ($ext !== 'gif' && $ext !== 'jpg' && $ext !== 'png') {