From a6f0f4945fe626288f191df60e8a0c3fab0bf38e Mon Sep 17 00:00:00 2001
From: Matias Griese
Date: Fri, 6 Nov 2020 15:05:33 +0200
Subject: [PATCH 1/2] Tightened checks when removing a media file, cleanup
---
 CHANGELOG.md | 4 ++++
 classes/adminbasecontroller.php | 11 ++++-------
 classes/admincontroller.php | 8 ++------
 .../grav/templates/forms/fields/file/file.html.twig | 1 -
 4 files changed, 10 insertions(+), 14 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 47396cb2..8d44190f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,10 @@
 * Allow to fallback to `docs:` instead of `readme:`
 * Backported finder/pages navigation from 1.10 (you will still need 1.10 for the fancy Parent Picker)
 * Forward a `sid` to GPM when downloading a premium package
+1. [](#bugfix)
+ * Fixed unused task RemoveMedia, it cannot be used directly anymore
+ * Tightened checks when removing a media file
+ * Removed unused parameter in file field
 # v1.9.17
 ## 10/07/2020
diff --git a/classes/adminbasecontroller.php b/classes/adminbasecontroller.php
index e3828a55..88ddd883 100644
--- a/classes/adminbasecontroller.php
+++ b/classes/adminbasecontroller.php
@@ -913,11 +913,11 @@ class AdminBaseController
 $uri = $this->grav['uri'];
 $blueprint = base64_decode($uri->param('blueprint'));
 $path = base64_decode($uri->param('path'));
- $filename = basename($this->post['filename'] ?? '');
- $proute = base64_decode($uri->param('proute'));
+ $route = base64_decode($uri->param('proute'));
 $type = $uri->param('type');
 $field = $uri->param('field');
+ $filename = basename($this->post['filename'] ?? '');
 if ($filename === '') {
 $this->admin->json_response = [
 'status' => 'error',
@@ -929,7 +929,7 @@ class AdminBaseController
 // Get Blueprint
 if ($type === 'pages' || strpos($blueprint, 'pages/') === 0) {
- $page = $this->admin->page(true, $proute);
+ $page = $this->admin->page(true, $route);
 if (!$page) {
 $this->admin->json_response = [
 'status' => 'error',
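Review bot: The `$filename` read from the POST body on the added line is only passed through `basename()`, whereas the equivalent guard in AdminController (the -1821 hunk of this same patch) additionally rejects it with `Utils::checkFilename()`; the two removal paths should accept the same set of names. If `Utils` is in scope in AdminBaseController, the guard becomes `if ($filename === '' || !Utils::checkFilename($filename)) {`. The `base64_decode()` calls feeding `$blueprint`, `$path` and the renamed `$route` are non-strict, so malformed input decodes silently instead of returning `false`; passing `true` as the second argument, e.g. `$route = base64_decode($uri->param('proute'), true);`, rejects it up front. Nothing in this hunk validates `$path` after decoding, but the enclosing method starts and ends outside the hunk, so a later check may exist.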
@@ -1039,10 +1039,7 @@ class AdminBaseController
 }
 if (null === $filename) {
- $filename = base64_decode($this->grav['uri']->param('route'));
- if (!$filename) {
- $filename = base64_decode($this->route);
- }
+ throw new \RuntimeException('Admin task RemoveMedia has been disabled.');
 }
 $file = File::instance($filename);
diff --git a/classes/admincontroller.php b/classes/admincontroller.php
index 05b9bfc7..83287166 100644
--- a/classes/admincontroller.php
+++ b/classes/admincontroller.php
@@ -1821,14 +1821,10 @@ class AdminController extends AdminBaseController
 return false;
 }
- $filename = !empty($this->post['filename']) ? $this->post['filename'] : null;
+ $filename = !empty($this->post['filename']) ? basename($this->post['filename']) : null;
 // Handle bad filenames.
- if (!Utils::checkFilename($filename)) {
- $filename = null;
- }
- if (!$filename) {
+ if (!$filename || !Utils::checkFilename($filename)) {
 $this->admin->json_response = [
 'status' => 'error',
 'message' => $this->admin::translate('PLUGIN_ADMIN.NO_FILE_FOUND')
diff --git a/themes/grav/templates/forms/fields/file/file.html.twig b/themes/grav/templates/forms/fields/file/file.html.twig
index ccc3953c..d30c4e76 100644
--- a/themes/grav/templates/forms/fields/file/file.html.twig
+++ b/themes/grav/templates/forms/fields/file/file.html.twig
@@ -40,7 +40,6 @@
 {% set remove = global.file_task_remove ? global.file_url_remove : uri.addNonce(
 global.file_url_remove ~ '/media.json' ~
- '/route' ~ config.system.param_sep ~ base64_encode(global.base_path ~ '/' ~ real_path) ~
 '/task' ~ config.system.param_sep ~ 'removeFileFromBlueprint' ~
 '/proute' ~ config.system.param_sep ~ base64_encode(route) ~
 '/blueprint' ~ config.system.param_sep ~ blueprint ~
From 018940c1bc34ed0fed233309f9ad3b51ea9860ea Mon Sep 17 00:00:00 2001
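Review bot: The new `throw new \RuntimeException('Admin task RemoveMedia has been disabled.');` replaces a fallback that built `$filename` from a base64-decoded `route` request parameter, but nothing in the hunk records why the direct task was disabled, so a future maintainer could reinstate it; a one-line comment above the throw would preserve the reason: `// Direct RemoveMedia let the caller pick the path via the base64 'route' param; only callers that supply $filename may reach File::instance().` The other failure paths in this controller report through `$this->admin->json_response` with `'status' => 'error'`, so an uncaught exception here may surface as a server error rather than a JSON error to the admin UI — worth confirming the task dispatcher converts it. The enclosing method begins before this hunk.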
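Review bot: On the rewritten `$filename` line in the -1821 hunk, `basename()` is applied to `$this->post['filename']` before anything checks that it is a string; if a form can post `filename` as an array, `basename()` returns `null` with a warning on PHP 7 and throws a `TypeError` on PHP 8, so the request never reaches the `NO_FILE_FOUND` response below. A type check keeps the error path uniform: `$raw = $this->post['filename'] ?? null;` followed by `$filename = is_string($raw) && $raw !== '' ? basename($raw) : null;`. How `$filename` is used after the guard lies outside this hunk.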
From: Matias Griese
Date: Mon, 30 Nov 2020 17:25:53 +0200
Subject: [PATCH 2/2] Reworked getMedia() field
---
 classes/admincontroller.php | 74 +++++++++++++++++++++++++++----------
 1 file changed, 55 insertions(+), 19 deletions(-)
diff --git a/classes/admincontroller.php b/classes/admincontroller.php
index 83287166..980f6e00 100644
--- a/classes/admincontroller.php
+++ b/classes/admincontroller.php
@@ -1566,6 +1566,8 @@ class AdminController extends AdminBaseController
 /**
 * Determines the file types allowed to be uploaded
 *
+ * Used by pagemedia field.
+ *
 * @return bool True if the action was performed.
 */
 protected function taskListmedia()
@@ -1615,33 +1617,65 @@ class AdminController extends AdminBaseController
 }
 /**
- * @return Media
+ * Get page media.
+ *
+ * @return Media|null
 */
- protected function getMedia()
+ public function getMedia()
 {
- $this->uri = $this->uri ?? $this->grav['uri'];
- $uri = $this->uri->post('uri');
- $order = $this->uri->post('order') ?: null;
-
- if ($uri) {
- /** @var UniformResourceLocator $locator */
- $locator = $this->grav['locator'];
-
- $media_path = $locator->isStream($uri) ? $uri : null;
- } else {
- $page = $this->admin->page(true);
-
- $media_path = $page ? $page->path() : null;
+ if ($this->view !== 'media') {
+ return null;
 }
- if ($order) {
+
+ $this->uri = $this->uri ?? $this->grav['uri'];
+ $this->grav['twig']->twig_vars['current_form_data'] = (array)$this->data;
+
+ $field = (string)$this->uri->post('field', '');
+ $order = $this->uri->post('order') ?: null;
+ if (!is_array($order)) {
 $order = array_map('trim', explode(',', $order));
 }
- return $media_path ? new Media($media_path, $order) : null;
+ $page = $this->admin->page($this->route);
+ if (!$page) {
+ return null;
+ }
+
+ $blueprints = $page->blueprints();
+ $settings = $this->getMediaFieldSettings($blueprints, $field);
+ $path = $settings['destination'] ?? $page->path();
+
+ return $path ? new Media($path, $order) : null;
 }
 /**
- * Handles adding a media file to a page
+ * @param Data\Blueprint|null $blueprint
+ * @param string $field
+ * @return array|null
+ */
+ protected function getMediaFieldSettings(?Data\Blueprint $blueprint, string $field): ?array
+ {
+ $schema = $blueprint ? $blueprint->schema() : null;
+ if (!$schema || $field === '') {
+ return null;
+ }
+
+ $settings = is_object($schema) ?
(array)$schema->getProperty($field) : null;
+ if (null === $settings) {
+ return null;
+ }
+
+ if (empty($settings['destination']) || \in_array($settings['destination'], ['@self', 'self@', '@self@'], true)) {
+ unset($settings['destination']);
+ }
+
+ return $settings + ['accept' => '*', 'limit' => 1000];
+ }
+
+ /**
+ * Handles adding a media file to a page.
+
+ * Used by pagemedia field.
 *
 * @return bool True if the action was performed.
 */
@@ -1801,7 +1835,9 @@ class AdminController extends AdminBaseController
 }
 /**
- * Handles deleting a media file from a page
+ * Handles deleting a media file from a page.
+
+ * Used by pagemedia field.
 *
 * @return bool True if the action was performed.
 */
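Review bot: The rewritten `getMedia()` drops the old `if ($order)` guard, so when no `order` is posted `$order` is `null` and the kept line `explode(',', $order)` yields `['']`, which is then handed to `new Media($path, $order)` where the old code passed `null`; on PHP 8.1+ the null argument to `explode()` also emits a deprecation. Restoring the guard on the new condition, `if ($order !== null && !is_array($order)) {`, keeps the no-order case unchanged. Separately, in `getMediaFieldSettings()` the `(array)` cast turns a `null` from `getProperty()` into `[]`, so the `null === $settings` check right after it never fires and an unknown field name returns the `accept`/`limit` defaults instead of `null`; testing the raw property before casting, `$property = is_object($schema) ? $schema->getProperty($field) : null; if (null === $property) { return null; } $settings = (array)$property;`, would match the declared `?array` contract. Whether `getProperty()` returns `null` for unknown fields is not visible from this hunk.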