Add sanity checks on the asset file (#31710)

Author: wilsonge

administrator/components/com_templates/src/Controller/TemplateController.php

@@ -456,6 +456,12 @@ public function delete()
 			$url = 'index.php?option=com_templates&view=template&id=' . $id . '&file=' . $file;
 			$this->setRedirect(Route::_($url, false));
 		}
+		if (base64_decode(urldecode($file)) == '/joomla.asset.json')
+		{
+			$this->setMessage(Text::_('COM_TEMPLATES_ERROR_ASSET_FILE_DELETE'), 'warning');
+			$url = 'index.php?option=com_templates&view=template&id=' . $id . '&file=' . $file;
+			$this->setRedirect(Route::_($url, false));
+		}
 		elseif ($model->deleteFile($file))
 		{
 			$this->setMessage(Text::_('COM_TEMPLATES_FILE_DELETE_SUCCESS'));
@@ -699,6 +705,12 @@ public function renameFile()
 			$url = 'index.php?option=com_templates&view=template&id=' . $id . '&file=' . $file;
 			$this->setRedirect(Route::_($url, false));
 		}
+		elseif (base64_decode(urldecode($file)) == '/joomla.asset.json')
+		{
+			$this->setMessage(Text::_('COM_TEMPLATES_ERROR_RENAME_ASSET_FILE'), 'warning');
+			$url = 'index.php?option=com_templates&view=template&id=' . $id . '&file=' . $file;
+			$this->setRedirect(Route::_($url, false));
+		}
 		elseif (!preg_match('/^[a-zA-Z0-9-_]+$/', $newName))
 		{
 			$this->setMessage(Text::_('COM_TEMPLATES_INVALID_FILE_NAME'), 'error');

administrator/components/com_templates/src/Model/TemplateModel.php

@@ -1012,6 +1012,14 @@ public function save($data)
 		// Make sure EOL is Unix
 		$data['source'] = str_replace(array("\r\n", "\r"), "\n", $data['source']);
 
+		// If the asset file for the template ensure we have valid template so we don't instantly destroy it
+		if ($fileName === '/joomla.asset.json' && json_decode($data['source']) === null)
+		{
+			$this->setError(Text::_('COM_TEMPLATES_ERROR_ASSET_FILE_INVALID_JSON'));
+
+			return false;
+		}
+
 		$return = File::write($filePath, $data['source']);
 
 		if (!$return)

administrator/language/en-GB/com_templates.ini

@@ -38,6 +38,8 @@ COM_TEMPLATES_COPY_SUCCESS="New template called %s was installed."
 COM_TEMPLATES_CROP_AREA_ERROR="Crop area not selected."
 COM_TEMPLATES_DIRECTORY_NOT_WRITABLE="The template folder is not writable. Some features may not work."
 COM_TEMPLATES_ERR_XML="Template XML data not available"
+COM_TEMPLATES_ERROR_ASSET_FILE_DELETE="The file index.php can't be deleted. Make changes in the editor if you want to change the file."
+COM_TEMPLATES_ERROR_ASSET_FILE_INVALID_JSON="The joomla.asset.json file doesn't not contain valid JSON, aborting save."
 COM_TEMPLATES_ERROR_CANNOT_DELETE_LAST_STYLE="Can't delete the last style of a template."
 COM_TEMPLATES_ERROR_CANNOT_UNSET_DEFAULT_STYLE="Can't unset default style."
 COM_TEMPLATES_ERROR_COULD_NOT_COPY="Unable to copy template files to temporary folder."
@@ -62,6 +64,7 @@ COM_TEMPLATES_ERROR_INVALID_FROM_NAME="Template to copy from can't be found."
 COM_TEMPLATES_ERROR_INVALID_TEMPLATE_NAME="Invalid template name. Please use only letters, numbers, dashes and underscores."
 COM_TEMPLATES_ERROR_NO_FILE_SELECTED="No file selected."
 COM_TEMPLATES_ERROR_RENAME_INDEX="The file index.php can't be renamed."
+COM_TEMPLATES_ERROR_RENAME_ASSET_FILE="The file joomla.asset.json can't be renamed."
 COM_TEMPLATES_ERROR_ROOT_DELETE="The root folder can't be deleted."
 COM_TEMPLATES_ERROR_SAVE_DISABLED_TEMPLATE="Unable to save a style associated to a disabled template."
 COM_TEMPLATES_ERROR_SOURCE_FILE_NOT_FOUND="Source file not found."