From e04b97beb63320fa8ee73f7d2c99952028ed4765 Mon Sep 17 00:00:00 2001
From: Michail Slabko <mslabko@ebay.com>
Date: Sat, 17 Oct 2015 17:27:39 +0300
Subject: [PATCH] MAGETWO-42123: Potential Exploit with Custom Option File Type

---
 app/code/Magento/Sales/Model/Download.php | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/app/code/Magento/Sales/Model/Download.php b/app/code/Magento/Sales/Model/Download.php
index 7fbe3348844..0f2649d7de5 100644
--- a/app/code/Magento/Sales/Model/Download.php
+++ b/app/code/Magento/Sales/Model/Download.php
@@ -33,21 +33,24 @@ class Download
     /**
      * @var string
      */
-    protected $allowedDirectory = DirectoryList::MEDIA;
+    protected $rootDirBasePath;
 
     /**
      * @param \Magento\Framework\Filesystem $filesystem
      * @param \Magento\MediaStorage\Helper\File\Storage\Database $fileStorageDatabase
      * @param \Magento\MediaStorage\Model\File\Storage\DatabaseFactory $storageDatabaseFactory
      * @param \Magento\Framework\App\Response\Http\FileFactory $fileFactory
+     * @param string $rootDirBasePath
      */
     public function __construct(
         \Magento\Framework\Filesystem $filesystem,
         \Magento\MediaStorage\Helper\File\Storage\Database $fileStorageDatabase,
         \Magento\MediaStorage\Model\File\Storage\DatabaseFactory $storageDatabaseFactory,
-        \Magento\Framework\App\Response\Http\FileFactory $fileFactory
+        \Magento\Framework\App\Response\Http\FileFactory $fileFactory,
+        $rootDirBasePath = DirectoryList::MEDIA
     ) {
-        $this->_rootDir = $filesystem->getDirectoryWrite($this->allowedDirectory);
+        $this->rootDirBasePath = $rootDirBasePath;
+        $this->_rootDir = $filesystem->getDirectoryWrite($this->rootDirBasePath);
         $this->_fileStorageDatabase = $fileStorageDatabase;
         $this->_storageDatabaseFactory = $storageDatabaseFactory;
         $this->_fileFactory = $fileFactory;
@@ -68,14 +71,14 @@ class Download
             $relativePath = $info['quote_path'];
             if (!$this->_isCanProcessed($relativePath)) {
                 throw new LocalizedException(
-                    __('Path "%1" is not part of allowed directory "%2"', $relativePath, $this->allowedDirectory)
+                    __('Path "%1" is not part of allowed directory "%2"', $relativePath, $this->rootDirBasePath)
                 );
             }
         }
         $this->_fileFactory->create(
             $info['title'],
             ['value' => $this->_rootDir->getRelativePath($relativePath), 'type' => 'filename'],
-            $this->allowedDirectory
+            $this->rootDirBasePath
         );
     }
 
-- 
GitLab