Bug Fix: File Content Should Not be Evaluated by the e Function

mecha-cms · Feb 19, 2020 · bf4cdeb · bf4cdeb
1 parent 2b4076c
commit bf4cdeb
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 32 deletions.
diff --git a/README.md b/README.md
@@ -8,7 +8,8 @@ Release Notes
 
 ### 2.2.0
 
- - **TODO:** AJAX system that allows other JavaScript extensions to listen to the AJAX load event.
+ - **TODO:** AJAX system that allows other JavaScript extensions to listen to the AJAX loading and loaded events.
+ - Fixed bug where users could not save the file content properly due to the automatic string evaluation by the `e` function.
 
 ### 2.1.6
 

diff --git a/panel/engine/r/path/asset.php b/panel/engine/r/path/asset.php
@@ -9,7 +9,7 @@
 
 // You cannot edit or delete your own folder
 if (count($_['chops']) < 3) {
-    if ('g' === $_['task']) {
+    if ('g' === $_['task'] && isset($_['i'])) {
         $_['lot']['desk']['lot']['form']['lot'][1]['lot']['tabs']['lot']['files']['lot']['files']['lot'][$d]['tasks']['g']['url'] = false;
         $_['lot']['desk']['lot']['form']['lot'][1]['lot']['tabs']['lot']['files']['lot']['files']['lot'][$d]['tasks']['l']['url'] = false;
     }
@@ -27,4 +27,4 @@
     }
 }
 
-$GLOBALS['_'] = $_;
+$GLOBALS['_'] = $_;
diff --git a/panel/engine/r/task/g.php b/panel/engine/r/task/g.php
@@ -15,9 +15,10 @@ function data($_, $lot) {
     ]) . $url->hash;
     if ('POST' === $_SERVER['REQUEST_METHOD']) {
         $name = \basename(\To::file(\lcfirst($lot['data']['name'] ?? "")));
-        $content = $lot['data']['content'] ?? "";
         $lot['file']['name'] = "" !== $name ? $name . '.data' : "";
-        $lot['file']['content'] = \is_array($content) ? \json_encode($content) : \s($content);
+        // Use `$_POST['data']['content']` instead of `$lot['data']['content']` just to be sure
+        // that the value will not be evaluated by the `e` function, especially for JSON-like value(s)
+        $lot['file']['content'] = $_POST['data']['content'] ?? "";
         $_ = file($_, $lot); // Move to `file`
         if (empty($_['alert']['error']) && $parent = \glob(\dirname($_['f']) . '.{archive,draft,page}', \GLOB_BRACE | \GLOB_NOSORT)) {
             $_['kick'] = $lot['kick'] ?? $url . $_['/'] . '::g::' . \dirname($_['path']) . '.' . \pathinfo($parent[0], \PATHINFO_EXTENSION) . $e;
@@ -54,7 +55,10 @@ function file($_, $lot) {
             $_['f'] = $f;
         } else {
             if (\array_key_exists('content', $lot['file'] ?? [])) {
-                \file_put_contents($f, $lot['file']['content'] ?? "");
+                // Use `$_POST['file']['content']` instead of `$lot['file']['content']` just to be sure
+                // that the value will not be evaluated by the `e` function, especially for JSON-like value(s)
+                $lot['file']['content'] = $_POST['file']['content'] ?? "";
+                \file_put_contents($f, $lot['file']['content']);
                 if ($name !== $base) {
                     \unlink($_['f']);
                 }
@@ -67,10 +71,10 @@ function file($_, $lot) {
             $_['f'] = $f;
             $_SESSION['_']['file'][\trim($f, \DS)] = 1;
         }
-    }
-    if (!empty($_['alert']['error'])) {
-        unset($lot['token']);
-        $_SESSION['form'] = $lot;
+        if (!empty($_['alert']['error'])) {
+            unset($_POST['token']);
+            $_SESSION['form'] = $_POST;
+        }
     }
     return $_;
 }
@@ -134,10 +138,10 @@ function folder($_, $lot) {
                 $_SESSION['_']['folder'][$v] = 1;
             }
         }
-    }
-    if (!empty($_['alert']['error'])) {
-        unset($lot['token']);
-        $_SESSION['form'] = $lot;
+        if (!empty($_['alert']['error'])) {
+            unset($_POST['token']);
+            $_SESSION['form'] = $_POST;
+        }
     }
     return $_;
 }
@@ -249,10 +253,10 @@ function state($_, $lot) {
             $_ = file($_, $lot);
         }
         $_['kick'] = $lot['kick'] ?? $url . $_['/'] . '::g::' . $_['path'] . $e;
-    }
-    if (!empty($_['alert']['error'])) {
-        unset($lot['token']);
-        $_SESSION['form'] = $lot;
+        if (!empty($_['alert']['error'])) {
+            unset($_POST['token']);
+            $_SESSION['form'] = $_POST;
+        }
     }
     return $_;
 }

diff --git a/panel/engine/r/task/s.php b/panel/engine/r/task/s.php
@@ -80,10 +80,10 @@ function blob($_, $lot) {
                 }
             }
         }
-    }
-    if (!empty($_['alert']['error'])) {
-        unset($lot['token']);
-        $_SESSION['form'] = $lot;
+        if (!empty($_['alert']['error'])) {
+            unset($_POST['token']);
+            $_SESSION['form'] = $_POST;
+        }
     }
     return $_;
 }
@@ -99,7 +99,9 @@ function data($_, $lot) {
     if ('POST' === $_SERVER['REQUEST_METHOD']) {
         $name = \basename(\To::file(\lcfirst($lot['data']['name'] ?? "")));
         $lot['file']['name'] = "" !== $name ? $name . '.data' : "";
-        $lot['file']['content'] = $lot['data']['content'] ?? "";
+        // Use `$_POST['data']['content']` instead of `$lot['data']['content']` just to be sure
+        // that the value will not be evaluated by the `e` function, especially for JSON-like value(s)
+        $lot['file']['content'] = $_POST['data']['content'] ?? "";
         $_ = file($_, $lot); // Move to `file`
         if (empty($_['alert']['error']) && $parent = \glob(\dirname($_['f']) . '.{archive,draft,page}', \GLOB_BRACE | \GLOB_NOSORT)) {
             $_['kick'] = $lot['kick'] ?? $url . $_['/'] . '::g::' . $_['path'] . '.' . \pathinfo($parent[0], \PATHINFO_EXTENSION) . $e;
@@ -136,18 +138,21 @@ function file($_, $lot) {
             $_['f'] = $f;
         } else {
             if (\array_key_exists('content', $lot['file'] ?? [])) {
-                \file_put_contents($f, $lot['file']['content'] ?? "");
+                // Use `$_POST['file']['content']` instead of `$lot['file']['content']` just to be sure
+                // that the value will not be evaluated by the `e` function, especially for JSON-like value(s)
+                $lot['file']['content'] = $_POST['file']['content'] ?? "";
+                \file_put_contents($f, $lot['file']['content']);
             }
             @\chmod($f, \octdec($lot['file']['seal'] ?? '0777'));
             $_['alert']['success'][] = ['File %s successfully created.', '<code>' . \_\lot\x\panel\h\path($f) . '</code>'];
             $_['kick'] = $lot['kick'] ?? $url . $_['/'] . '::g::' . $_['path'] . '/1' . $e;
             $_['f'] = $f;
             $_SESSION['_']['file'][\trim($f, \DS)] = 1;
         }
-    }
-    if (!empty($_['alert']['error'])) {
-        unset($lot['token']);
-        $_SESSION['form'] = $lot;
+        if (!empty($_['alert']['error'])) {
+            unset($_POST['token']);
+            $_SESSION['form'] = $_POST;
+        }
     }
     return $_;
 }
@@ -185,10 +190,10 @@ function folder($_, $lot) {
                 $_SESSION['_']['folder'][$v] = 1;
             }
         }
-    }
-    if (!empty($_['alert']['error'])) {
-        unset($lot['token']);
-        $_SESSION['form'] = $lot;
+        if (!empty($_['alert']['error'])) {
+            unset($_POST['token']);
+            $_SESSION['form'] = $_POST;
+        }
     }
     return $_;
 }