From 2a2c481d3accead2859f22deb06f177c409994d5 Mon Sep 17 00:00:00 2001
From: Sam James
Date: Thu, 30 Oct 2025 22:13:28 +0000
Subject: [PATCH 1/2] fix: prevent customer uploads for non file based metadata types
---
 .../Magento/Customer/Model/FileUploader.php | 6 ++++
 .../Test/Unit/Model/FileUploaderTest.php | 30 +++++++++++++++++++
 2 files changed, 36 insertions(+)
diff --git a/app/code/Magento/Customer/Model/FileUploader.php b/app/code/Magento/Customer/Model/FileUploader.php
index b086f9125d24e..260f3bb4d940a 100644
--- a/app/code/Magento/Customer/Model/FileUploader.php
+++ b/app/code/Magento/Customer/Model/FileUploader.php
@@ -83,6 +83,12 @@ public function __construct(
 */
 public function validate()
 {
+ if (!in_array($this->attributeMetadata->getFrontendInput(), ['file', 'image'])) {
+ return [
+ __('"%1" is not a valid input to accept file uploads.', $this->attributeMetadata->getFrontendInput())
+ ];
+ }
+
 $formElement = $this->elementFactory->create(
 $this->attributeMetadata,
 null,
diff --git a/app/code/Magento/Customer/Test/Unit/Model/FileUploaderTest.php b/app/code/Magento/Customer/Test/Unit/Model/FileUploaderTest.php
index edf8481c0f078..95ecde867c486 100644
--- a/app/code/Magento/Customer/Test/Unit/Model/FileUploaderTest.php
+++ b/app/code/Magento/Customer/Test/Unit/Model/FileUploaderTest.php
@@ -16,6 +16,7 @@
 use Magento\Customer\Model\FileUploader;
 use Magento\Customer\Model\Metadata\ElementFactory;
 use Magento\Customer\Model\Metadata\Form\Image;
+use Magento\Customer\Model\Metadata\Form\Select;
 use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
 
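Review bot: The guard added at the top of validate() calls in_array() without `true`, so the attribute's frontend_input is compared loosely against the allow-list; write `if (!in_array($this->attributeMetadata->getFrontendInput(), ['file', 'image'], true)) {` — the rewritten condition in the second patch's hunk at @@ -83,7 +91,7 @@ has the same omission. getFrontendInput() is also read twice, once for the check and once for the message; reading it into a local such as `$frontendInput = $this->attributeMetadata->getFrontendInput();` keeps the two consistent and stops the unit test from having to pin a call count. validate() continues past the end of the hunk.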
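Review bot: The added `use Magento\Customer\Model\Metadata\Form\Select;` is not referenced by anything visible in this patch — the new testValidateInvalidAttributeType() in the next hunk identifies the attribute type with the string `'select'`, not the Select form element class — so it appears to be an unused import that the coding standard will flag. Drop it unless a part of the test outside this patch relies on it.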
@@ -118,10 +119,39 @@ public function testValidate()
 ->with($this->attributeMetadata, null, CustomerMetadataInterface::ENTITY_TYPE_CUSTOMER)
 ->willReturn($formElement);
 
+ $this->attributeMetadata->expects($this->once())
+ ->method('getFrontendInput')
+ ->willReturn('image');
+
 $model = $this->getModel(CustomerMetadataInterface::ENTITY_TYPE_CUSTOMER, 'customer');
 $this->assertTrue($model->validate());
 }
 
+ public function testValidateInvalidAttributeType()
+ {
+ $attributeType = 'select';
+ $attributeCode = 'attribute_code';
+ $filename = 'filename.ext1';
+
+ $_FILES = [
+ 'customer' => [
+ 'name' => [
+ $attributeCode => $filename,
+ ],
+ ],
+ ];
+
+ $this->attributeMetadata->expects($this->exactly(2))
+ ->method('getFrontendInput')
+ ->willReturn($attributeType);
+
+ $model = $this->getModel(CustomerMetadataInterface::ENTITY_TYPE_CUSTOMER, 'customer');
+ $expectedErrors = [
+ __('"%1" is not a valid input to accept file uploads.', $attributeType)
+ ];
+ $this->assertEquals($expectedErrors, $model->validate());
+ }
+
 public function testUpload()
 {
 $attributeCode = 'attribute_code';
From 2c836b5156a78f82e9bfe44e12992a9f3535cae5 Mon Sep 17 00:00:00 2001
From: Sam James
Date: Thu, 30 Oct 2025 22:33:20 +0000
Subject: [PATCH 2/2] fix: prevent customer uploads for non file based metadata types
---
 app/code/Magento/Customer/Model/FileUploader.php | 12 ++++++++++--
 app/code/Magento/Customer/etc/di.xml | 8 ++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/app/code/Magento/Customer/Model/FileUploader.php b/app/code/Magento/Customer/Model/FileUploader.php
index 260f3bb4d940a..83f8e721c10d9 100644
--- a/app/code/Magento/Customer/Model/FileUploader.php
+++ b/app/code/Magento/Customer/Model/FileUploader.php
@@ -49,6 +49,11 @@ class FileUploader
 */
 private $scope;
 
+ /**
+ * @var string[]
+ */
+ private array $validInputTypes;
+ /** + * @param CustomerMetadataInterface $customerMetadataService + * @param AddressMetadataInterface $addressMetadataService 
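Review bot: testValidateInvalidAttributeType() pins `$this->exactly(2)` on getFrontendInput(), which asserts how many times validate() reads the attribute rather than what validate() returns, so a refactor that reads the value once makes the test fail for a non-behavioural reason; `$this->atLeastOnce()` expresses the intent and survives that. The `$this->once()` added to testValidate() has the same coupling on the valid path. The test also assigns the `$_FILES` superglobal and never restores it; if testUpload() already does the same that is the file's convention, otherwise it should be reset in tearDown() so the order of tests cannot affect results.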
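Review bot: The new property carries only `@var string[]`, which says nothing about what the list gates, even though it is now the allow-list that decides whether validate() accepts an uploaded file for an attribute at all; a reader configuring it through di.xml has to find validate() to learn that. Make the docblock say so: `@var string[] Attribute frontend_input values for which validate() accepts an upload; any other type is rejected by the early return in validate()`.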
@@ -57,6 +62,7 @@ class FileUploader
 * @param AttributeMetadataInterface $attributeMetadata
 * @param string $entityTypeCode
 * @param string $scope
+ * @param array|null $validInputTypes
 */
 public function __construct(
 CustomerMetadataInterface $customerMetadataService,
@@ -65,7 +71,8 @@ public function __construct(
 FileProcessorFactory $fileProcessorFactory,
 AttributeMetadataInterface $attributeMetadata,
 $entityTypeCode,
- $scope
+ $scope,
+ ?array $validInputTypes = ['file', 'image']
 ) {
 $this->customerMetadataService = $customerMetadataService;
 $this->addressMetadataService = $addressMetadataService;
@@ -74,6 +81,7 @@ public function __construct(
 $this->attributeMetadata = $attributeMetadata;
 $this->entityTypeCode = $entityTypeCode;
 $this->scope = $scope;
+ $this->validInputTypes = $validInputTypes;
 }
 
 /**
@@ -83,7 +91,7 @@ public function __construct(
 */
 public function validate()
 {
- if (!in_array($this->attributeMetadata->getFrontendInput(), ['file', 'image'])) {
+ if (!in_array($this->attributeMetadata->getFrontendInput(), $this->validInputTypes)) {
 return [
 __('"%1" is not a valid input to accept file uploads.', $this->attributeMetadata->getFrontendInput())
 ];
diff --git a/app/code/Magento/Customer/etc/di.xml b/app/code/Magento/Customer/etc/di.xml
index 00a8597d8c364..34f0d5ff30594 100644
--- a/app/code/Magento/Customer/etc/di.xml
+++ b/app/code/Magento/Customer/etc/di.xml
@@ -598,4 +598,12 @@ customer_grid + + + + file + image + +
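Review bot: The constructor parameter is declared `?array $validInputTypes = ['file', 'image']` but the following hunk assigns it to the property typed `private array $validInputTypes`, so a caller or di.xml argument passing null raises a TypeError at construction instead of falling back to the default; the nullable type promises something the class does not honour. Declare it `array $validInputTypes = ['file', 'image']` and tighten the docblock in the preceding hunk from `@param array|null $validInputTypes` to `@param string[] $validInputTypes`, or, if null is meant to select the default, assign `$this->validInputTypes = $validInputTypes ?? ['file', 'image'];`. An empty list already fails closed, since in_array() then rejects every upload, so only the null case needs a deliberate outcome. The constructor's parameter list and body both continue outside the hunk.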
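Review bot: As far as the hunk is legible, the di.xml arguments repeat the constructor's own default of `file` and `image` for validInputTypes, which leaves two places that must be kept in sync when the list changes; either drop the di.xml entry and rely on the signature default, or make di.xml the single source and remove the default from the constructor. Because this list is what stops an upload being accepted for a non-file attribute, a comment next to the argument, `<!-- Allow-list of attribute frontend_input values that may receive file uploads; adding a type here widens which customer attributes accept uploaded files -->`, would tell the next maintainer what extending it means.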