From 6bcc5f7636b4d8421a0e66924296f76386e5598c Mon Sep 17 00:00:00 2001
From: Matias Griese
Date: Fri, 28 Aug 2020 13:38:58 +0300
Subject: [PATCH] Fixed a glitch which allows user to delete entire pages directory, Admin 1.10 edition [#1941]

---
 classes/plugin/AdminController.php | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/classes/plugin/AdminController.php b/classes/plugin/AdminController.php
index 5146e410..a6d5bf85 100644
--- a/classes/plugin/AdminController.php
+++ b/classes/plugin/AdminController.php
@@ -1251,6 +1251,11 @@ class AdminController extends AdminBaseController
 
         $data = (array)$this->data;
 
+        $folder = $data['folder'] ?? '';
+        if ($folder === '' || mb_strpos($folder, '/') !== false) {
+            throw new \RuntimeException('Creating folder failed: bad folder name', 400);
+        }
+
         if ($data['route'] === '' || $data['route'] === '/') {
             $path = $this->grav['locator']->findResource('page://');
         } else {
@@ -1264,7 +1269,7 @@ class AdminController extends AdminBaseController
         }
 
         $orderOfNewFolder = static::getNextOrderInFolder($path);
-        $new_path = $path . '/' . $orderOfNewFolder . '.' . $data['folder'];
+        $new_path = $path . '/' . $orderOfNewFolder . '.' . $folder;
 
         Folder::create($new_path);
         Cache::clearCache('invalidate');
@@ -1293,6 +1298,11 @@ class AdminController extends AdminBaseController
         /** @var PageInterface $obj */
         $obj = $this->admin->page(true);
 
+        $folder = $data['folder'] ?? null;
+        if ($folder === '' || mb_strpos($folder, '/') !== false) {
+            throw new \RuntimeException('Saving page failed: bad folder name', 400);
+        }
+
         if (!isset($data['folder']) || !$data['folder']) {
             $data['folder'] = $obj->slug();
             $this->data['folder'] = $obj->slug();
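Review bot: The guard added in the first hunk rejects only `/`, so a folder name containing a backslash or a NUL byte still reaches `Folder::create($new_path)`; on Windows hosts `\` is a directory separator, so a name like `foo\..\..` lands relative to a parent of `$path`, and a NUL byte makes the underlying `mkdir` throw a `ValueError` on PHP 8 instead of the 400 this check intends. A bare `..` is harmless here only because `$orderOfNewFolder . '.'` is prefixed to the name. The same three-line check is pasted into three places in this patch with only the message differing, so a private helper would keep them in step; its condition should at least be `if ($folder === '' || preg_match('#[/\\\\\x00]#', $folder)) {`. The enclosing method starts before and ends after this hunk.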
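Review bot: In the third hunk `$folder` defaults to `null` when the key is absent, so the `=== ''` test never fires for a missing key and `mb_strpos(null, '/')` runs instead; PHP 7 coerces that to `''` and returns `false`, but PHP 8.1+ emits a deprecation for the null argument. Since the `!isset($data['folder'])` branch directly below deliberately falls back to `$obj->slug()`, the check should skip the absent case explicitly: `if ($folder !== null && ($folder === '' || mb_strpos($folder, '/') !== false)) {`. This check also accepts `..` and `\`; whether that matters depends on how `$data['folder']` is joined into a path later in this method, which is outside the hunk.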
@@ -1679,9 +1689,14 @@ class AdminController extends AdminBaseController
             $folder = \Grav\Plugin\Admin\Utils::slug($title) ?: '';
         }
         $folder = ltrim($folder, '_');
+        if ($folder === '' || mb_strpos($folder, '/') !== false) {
+            throw new \RuntimeException('Creating page failed: bad folder name', 400);
+        }
+
         if (!empty($data['modular'])) {
             $folder = '_' . $folder;
         }
+        $data['folder'] = $folder;
         $path = $route . '/' . $folder;
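Review bot: The guard added after `ltrim($folder, '_')` still lets `.` and `..` through, and unlike the first hunk there is no order prefix here, so `$path = $route . '/' . $folder;` becomes `$route/..`, i.e. the parent of the route, which is the same class of escape this commit is closing (an empty name gave `$route/`). The added `$data['folder'] = $folder;` then persists that value. Reject the dot names alongside the separator: `if ($folder === '' || $folder === '.' || $folder === '..' || mb_strpos($folder, '/') !== false) {`. What is done with `$path` afterwards, and where `$route` itself is validated, is outside the hunk, so the impact is inferred rather than shown; the enclosing method continues past this hunk.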