Merge branch '5.x' into 6.x

jasonvarga · jasonvarga · commit 0db337162009 · 2026-03-17T13:53:52.000-04:00
# Conflicts:
#	CHANGELOG.md
diff --git a/src/Dictionaries/File.php b/src/Dictionaries/File.php
@@ -2,6 +2,7 @@
 
 namespace Statamic\Dictionaries;
 
+use League\Flysystem\PathTraversalDetected;
 use Statamic\Facades\Antlers;
 use Statamic\Facades\YAML;
 
@@ -55,7 +56,13 @@ protected function getItemLabel(array $item): string
 
     protected function getItems(): array
     {
-        $path = resource_path('dictionaries').'/'.$this->config['filename'];
+        $filename = $this->config['filename'];
+
+        if (str_contains($filename, '..')) {
+            throw PathTraversalDetected::forPath($filename);
+        }
+
+        $path = resource_path('dictionaries/'.$filename);
 
         if (! file_exists($path)) {
             throw new \Exception('Dictionary file ['.$path.'] does not exist.');
diff --git a/src/Fieldtypes/Terms.php b/src/Fieldtypes/Terms.php
@@ -245,8 +245,13 @@ public function process($data)
                     $id = $this->createTermFromString($id, $taxonomy);
                 }
 
+                if (! $id) {
+                    return null;
+                }
+
                 return explode('::', $id, 2)[1];
             })
+                ->filter()
                 ->unique()
                 ->values()
                 ->all();
@@ -498,9 +503,15 @@ protected function createTermFromString($string, $taxonomy)
         $slug = Str::slug($string, '-', $lang);
 
         if (! $term = Facades\Term::find("{$taxonomy}::{$slug}")) {
+            $taxonomy = Facades\Taxonomy::findByHandle($taxonomy);
+
+            if (User::current()->cant('create', [TermContract::class, $taxonomy])) {
+                return null;
+            }
+
             $term = Facades\Term::make()
                 ->slug($slug)
-                ->taxonomy(Facades\Taxonomy::findByHandle($taxonomy))
+                ->taxonomy($taxonomy)
                 ->set('title', $string);
 
             $term->save();
diff --git a/tests/Dictionaries/FileTest.php b/tests/Dictionaries/FileTest.php
@@ -2,6 +2,7 @@
 
 namespace Tests\Dictionaries;
 
+use League\Flysystem\PathTraversalDetected;
 use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\Attributes\Test;
 use Statamic\Dictionaries\File;
@@ -180,4 +181,15 @@ public function it_gets_array_from_value()
             'emoji' => '🍌',
         ], $item->data());
     }
+
+    #[Test]
+    public function path_traversal_not_allowed()
+    {
+        $this->expectException(PathTraversalDetected::class);
+        $this->expectExceptionMessage('Path traversal detected: ../secret.json');
+
+        (new File)
+            ->setConfig(['filename' => '../secret.json'])
+            ->options();
+    }
 }
