Reintroduce c17728f for Local filesystems

brandonkelly · brandonkelly · commit f372e8b0adc9 · 2023-04-04T00:50:39.000-07:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -24,6 +24,7 @@
 - Fixed an error that could occur when installing Craft with an existing project config, if any image transforms were defined that didn’t specify the `upscale` property.
 - Fixed a bug where nested folders in asset search results weren’t showing their relative path.
 - Fixed a bug where admin tables’ default delete icon title text wasn’t getting translated. ([#13030](https://github.com/craftcms/cms/issues/13030))
+- Fixed a bug where it was possible to save a Local filesystem pointed at a system directory (e.g. the `templates/` or `vendor/` folders).
 - Fixed XSS vulnerabilities.
 
 ## 4.4.5 - 2023-03-21
diff --git a/src/fs/Local.php b/src/fs/Local.php
@@ -22,6 +22,7 @@
 use Generator;
 use RecursiveDirectoryIterator;
 use RecursiveIteratorIterator;
+use yii\validators\InlineValidator;
 
 /**
  * Local represents a local filesystem.
@@ -106,9 +107,33 @@ protected function defineRules(): array
     {
         $rules = parent::defineRules();
         $rules[] = [['path'], 'required'];
+        $rules[] = [['path'], 'validatePath'];
         return $rules;
     }
 
+    /**
+     * @param string $attribute
+     * @param array|null $params
+     * @param InlineValidator $validator
+     * @return void
+     * @since 4.4.6
+     */
+    public function validatePath(string $attribute, ?array $params, InlineValidator $validator): void
+    {
+        // Make sure it’s not within any of the system directories
+        $path = FileHelper::absolutePath($this->getRootPath(), '/');
+
+        $systemDirs = Craft::$app->getPath()->getSystemPaths();
+
+        foreach ($systemDirs as $dir) {
+            $dir = FileHelper::absolutePath($dir, '/');
+            if (str_starts_with("$path/", "$dir/")) {
+                $validator->addError($this, $attribute, Craft::t('app', 'Local volumes cannot be located within system directories.'));
+                break;
+            }
+        }
+    }
+
     /**
      * @inheritdoc
      */
diff --git a/src/translations/en/app.php b/src/translations/en/app.php
@@ -850,6 +850,7 @@
     'Loading' => 'Loading',
     'Local Folder' => 'Local Folder',
     'Local copies of remote images, generated thumbnails' => 'Local copies of remote images, generated thumbnails',
+    'Local volumes cannot be located within system directories.' => 'Local volumes cannot be located within system directories.',
     'Localizing relations' => 'Localizing relations',
     'Location' => 'Location',
     'Locations that should be available for previewing entries in this section.' => 'Locations that should be available for previewing entries in this section.',
