From 6327811e6782c837440749aa6b55941d68e1c0bd Mon Sep 17 00:00:00 2001 From: "matthieu.rolland" Date: Tue, 9 May 2023 18:40:53 +0200 Subject: [PATCH] remove images only from dedicated folder and forbid non image extensions in image path --- .../admin/AdminBlockListingController.php | 22 +++++++++++++------ 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/controllers/admin/AdminBlockListingController.php b/controllers/admin/AdminBlockListingController.php index 930ae2a3..3c46f60e 100644 --- a/controllers/admin/AdminBlockListingController.php +++ b/controllers/admin/AdminBlockListingController.php @@ -70,7 +70,7 @@ public function displayAjaxDeleteBlock() $result = true; // Remove Custom icon if (!empty($blockPSR['custom_icon'])) { - $filePath = _PS_ROOT_DIR_ . $blockPSR['custom_icon']; + $filePath = _PS_ROOT_DIR_ . $this->module->img_path_perso . '/' . basename($blockPSR['custom_icon']); if (file_exists($filePath)) { $result = unlink($filePath); } @@ -143,6 +143,14 @@ public function displayAjaxSaveBlockContent() $type_link = (int) Tools::getValue('typelink'); $id_cms = Tools::getValue('id_cms'); $psr_languages = (array) json_decode(Tools::getValue('lang_values')); + $authExtensions = ['gif', 'jpg', 'jpeg', 'jpe', 'png', 'svg']; + $authMimeType = ['image/gif', 'image/jpg', 'image/jpeg', 'image/pjpeg', 'image/png', 'image/x-png', 'image/svg', 'image/svg+xml']; + + if (!empty($picto) && !in_array(pathinfo($picto, PATHINFO_EXTENSION), $authExtensions)) { + $errors[] = Context::getContext()->getTranslator()->trans('Image format not recognized, allowed formats are: .gif, .jpg, .png', [], 'Admin.Notifications.Error'); + + return $this->ajaxRenderJson(empty($errors) ? 'success' : 'error'); + } $blockPsr = new ReassuranceActivity($id_block); if (!$id_block) { 
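Review bot: In the rewritten `$filePath` line, `basename()` pins the file to the `img_path_perso` folder, but the `file_exists()` guard on the following line is also true for directories, and `basename()` can still yield `.` or `..`, so `unlink()` would then be called on a directory, emit a warning and leave `$result` false. Use `if (is_file($filePath))` so only a regular file inside that folder is ever unlinked; the traversal fix stays intact and the failure mode becomes explicit instead of a PHP warning. displayAjaxDeleteBlock starts and ends outside the hunk.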
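Review bot: The new extension check is case-sensitive and uses a loose `in_array()`, so `icon.PNG` is rejected while the allow-list only holds lowercase entries; compare with `in_array(strtolower(pathinfo($picto, PATHINFO_EXTENSION)), $authExtensions, true)`. The early return's `empty($errors) ? 'success' : 'error'` is always `'error'` at that point because an error was just pushed, so `return $this->ajaxRenderJson('error');` says what actually happens. The message lists .gif, .jpg and .png while `$authExtensions` also accepts jpeg, jpe and svg; either trim the list or extend the message so the two agree. The check only constrains the extension, not the directory part of `$picto` (assigned above the hunk); if that value is later used as a path, applying `basename()` as displayAjaxDeleteBlock now does would keep the two code paths consistent. displayAjaxSaveBlockContent continues outside the hunk.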
@@ -168,8 +176,6 @@ public function displayAjaxSaveBlockContent() $filename = $customImage['name']; // validateUpload return false if no error (false -> OK) - $authExtensions = ['gif', 'jpg', 'jpeg', 'jpe', 'png', 'svg']; - $authMimeType = ['image/gif', 'image/jpg', 'image/jpeg', 'image/pjpeg', 'image/png', 'image/x-png', 'image/svg', 'image/svg+xml']; if (version_compare(_PS_VERSION_, '1.7.7.0', '>=')) { // PrestaShop 1.7.7.0+ $validUpload = ImageManager::validateUpload( @@ -246,12 +252,13 @@ public function displayAjaxUpdatePosition() } /** - * @param $hook + * @param string $hook + * * @return bool */ private function isAuthorizedHookConfigurationKey($hook) { - return ( + return !empty($hook) && in_array($hook, [ blockreassurance::PSR_HOOK_HEADER, @@ -259,11 +266,12 @@ private function isAuthorizedHookConfigurationKey($hook) blockreassurance::PSR_HOOK_PRODUCT, blockreassurance::PSR_HOOK_CHECKOUT, ], true) - ); + ; } /** - * @param $value + * @param string $value + * * @return bool */ private function isAuthorizedPositionValue($value)
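Review bot: `!empty($hook) &&` in the rewritten return of isAuthorizedHookConfigurationKey is redundant: assuming the `PSR_HOOK_*` constants are non-empty strings, the strict `in_array(..., true)` already returns false for an empty, null or non-string value, so the guard adds nothing and leaves the closing `;` alone on its own line in the following hunk. Drop the guard and close the call directly, `return in_array($hook, [ … ], true);`, which removes the dangling `;` change at the end of that method as well. Since the docblocks now state `string` for `$hook` and `$value`, a native `string` parameter type on these private methods would let the engine enforce it rather than a comment. Both method bodies extend beyond the hunk boundaries.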