
Move created packages out of webroot #12114


Merged
merged 2 commits into from
Mar 9, 2022

ronaldbarendse
Contributor

Prerequisites

  • I have added steps to test this contribution in the description below

Description

PR #11654 already moved the umbraco/Data/Packages/createdPackages.config file into the database, but the new service still saved the actual package.xml/package.zip into the media folder in the webroot (wwwroot/media/created-packages). PR #11783 unintentionally changed this to wwwroot/created-packages (because of the leading slash on the Constants.SystemDirectories.CreatedPackages, making it relative to the webroot).

By saving these files inside the webroot, they are automatically downloadable by everyone (if you can guess the package name). This has always been the case, but because the package manifest can contain sensitive data (author names, dates, unpublished content, source code of templates/views/partial views, etc.), I would argue we simply shouldn't do this.

This PR ensures the created packages are now stored in umbraco/Data/CreatedPackages. If you've already created packages in the backoffice, those won't be moved and can still be downloaded, because the package file path is retrieved from the package manifest:

return new FileStreamResult(System.IO.File.OpenRead(package.PackagePath), new MediaTypeHeaderValue("application/octet-stream")

To test:

  • Create a few packages before applying this PR (to test the download/save/cleanup later), preferably some with media (as that creates a ZIP instead of XML file)
  • Apply this PR and create additional packages
  • Ensure the existing and newly created packages can all be downloaded
  • Ensure re-saving an existing package will write the file to the new location (and clean up the file in the previous path) and can still be downloaded
  • Ensure that when you add/remove media from a package, either the package.xml or package.zip is created and the previous file is cleaned up

@Zeegaan Zeegaan merged commit 1ac7768 into v9/dev Mar 9, 2022
@Zeegaan Zeegaan deleted the v9/feature/move-created-packages branch March 9, 2022 14:20
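
The exposure described in the PR description comes down to whether a storage directory resolves inside the web root. The following check is an added example, not code from this PR or from Umbraco: the class and method names are hypothetical, the content root is a constructed path, and the three directory layouts are the ones named in the description.

```csharp
using System;
using System.IO;

public static class CreatedPackagesLocationCheck
{
    // True when 'candidate' is the web root itself or lies anywhere beneath it.
    public static bool IsInsideWebRoot(string webRoot, string candidate)
    {
        // GetFullPath collapses "." and ".." segments, so a path is judged by where it ends up.
        string root = Path.GetFullPath(webRoot);
        string full = Path.GetFullPath(candidate);
        string relative = Path.GetRelativePath(root, full);

        bool outside = relative == ".."
            || relative.StartsWith(".." + Path.DirectorySeparatorChar, StringComparison.Ordinal)
            || Path.IsPathRooted(relative); // no shared root: the path is returned unchanged
        return !outside;
    }

    // Fails fast instead of silently writing exports where static file serving can reach them.
    public static string EnsureOutsideWebRoot(string webRoot, string candidate)
    {
        if (IsInsideWebRoot(webRoot, candidate))
            throw new InvalidOperationException(
                $"'{candidate}' resolves inside the web root '{webRoot}'.");
        return Path.GetFullPath(candidate);
    }

    public static void Main()
    {
        // Constructed layout: a made-up content root with wwwroot as the web root beneath it.
        string contentRoot = Path.Combine(Path.GetTempPath(), "site");
        string webRoot = Path.Combine(contentRoot, "wwwroot");

        string[] candidates =
        {
            Path.Combine(webRoot, "media", "created-packages"),                // original location
            Path.Combine(webRoot, "created-packages"),                         // after the leading-slash change
            Path.Combine(contentRoot, "umbraco", "Data", "CreatedPackages"),   // location chosen by this PR
            Path.Combine(webRoot, "..", "umbraco", "Data", "CreatedPackages"), // same directory, written with ".."
        };

        foreach (string path in candidates)
            Console.WriteLine($"{(IsInsideWebRoot(webRoot, path) ? "EXPOSED" : "ok     ")}  {path}");
    }
}
```

The check is purely lexical: `Path.GetFullPath` does not resolve symbolic links, so a link inside the web root that points at the data directory is not detected.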
Member

Zeegaan commented Mar 9, 2022

Tested this and it works! 🎉
Code LGTM 👓
