validate folder names, handle missing files more gracefully
@ -16,6 +16,7 @@ using System.Net;
|
||||
using Oqtane.Enums;
|
||||
using Oqtane.Infrastructure;
|
||||
using Oqtane.Repository;
|
||||
using Microsoft.AspNetCore.Routing.Constraints;
|
||||
|
||||
// ReSharper disable StringIndexOfIsCultureSpecific.1
|
||||
|
||||
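Review bot: The added `using Microsoft.AspNetCore.Routing.Constraints;` is not referenced by anything in the visible hunks of this file, so it looks like an accidental leftover from the editor rather than a needed dependency; if nothing outside the shown hunks uses a type from that namespace, drop the line. This hunk only touches the using block, so the rest of the file is not visible here.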
@ -396,12 +397,13 @@ namespace Oqtane.Controllers
|
||||
[HttpGet("download/{id}")]
|
||||
public IActionResult Download(int id)
|
||||
{
|
||||
string errorpath = Path.Combine(GetFolderPath("images"), "error.png");
|
||||
Models.File file = _files.GetFile(id);
|
||||
if (file != null)
|
||||
{
|
||||
if (_userPermissions.IsAuthorized(User, PermissionNames.View, file.Folder.Permissions))
|
||||
{
|
||||
string filepath = Path.Combine(GetFolderPath(file.Folder) , file.Name);
|
||||
string filepath = Path.Combine(GetFolderPath(file.Folder), file.Name);
|
||||
if (System.IO.File.Exists(filepath))
|
||||
{
|
||||
byte[] filebytes = System.IO.File.ReadAllBytes(filepath);
|
||||
@ -411,21 +413,24 @@ namespace Oqtane.Controllers
|
||||
{
|
||||
_logger.Log(LogLevel.Error, this, LogFunction.Read, "File Does Not Exist {FileId} {FilePath}", id, filepath);
|
||||
HttpContext.Response.StatusCode = 404;
|
||||
return null;
|
||||
byte[] filebytes = System.IO.File.ReadAllBytes(errorpath);
|
||||
return File(filebytes, "application/octet-stream", file.Name);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access File {FileId}", id);
|
||||
HttpContext.Response.StatusCode = 401;
|
||||
return null;
|
||||
byte[] filebytes = System.IO.File.ReadAllBytes(errorpath);
|
||||
return File(filebytes, "application/octet-stream", file.Name);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
_logger.Log(LogLevel.Error, this, LogFunction.Read, "File Not Found {FileId}", id);
|
||||
HttpContext.Response.StatusCode = 404;
|
||||
return null;
|
||||
byte[] filebytes = System.IO.File.ReadAllBytes(errorpath);
|
||||
return File(filebytes, "application/octet-stream", "error.png");
|
||||
}
|
||||
}
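Review bot: The unauthorized branch still leaks the real file name to a caller who was just denied access, because `return File(filebytes, "application/octet-stream", file.Name);` sets Content-Disposition from `file.Name` while the body is the placeholder image; an unauthenticated caller enumerating `download/{id}` can thus harvest file names, which is exactly what the 401 was meant to withhold. Use the placeholder name as the not-found branch already does, `return File(filebytes, "image/png", "error.png");`, and consider the same content type in the other two branches so the placeholder actually renders instead of being offered as a download. Note also that every fallback now calls `System.IO.File.ReadAllBytes(errorpath)`, so if `error.png` is missing under the images folder the "graceful" path itself throws and the client gets a 500 instead of the 404/401 set a line earlier; a `System.IO.File.Exists(errorpath)` guard, or a cached byte array, would keep the status codes reliable. Whether the framework preserves the status code set before `File(...)` is assumed here, not verified from the page.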
|
||||
|
||||
|
@ -10,7 +10,6 @@ using Oqtane.Extensions;
|
||||
using Oqtane.Infrastructure;
|
||||
using Oqtane.Repository;
|
||||
using Oqtane.Security;
|
||||
using System.IO;
|
||||
|
||||
namespace Oqtane.Controllers
|
||||
{
|
||||
@ -106,13 +105,23 @@ namespace Oqtane.Controllers
|
||||
}
|
||||
if (_userPermissions.IsAuthorized(User,PermissionNames.Edit, permissions))
|
||||
{
|
||||
if (string.IsNullOrEmpty(folder.Path) && folder.ParentId != null)
|
||||
if (FolderPathValid(folder))
|
||||
{
|
||||
Folder parent = _folders.GetFolder(folder.ParentId.Value);
|
||||
folder.Path = Utilities.PathCombine(parent.Path, folder.Name,"\\");
|
||||
if (string.IsNullOrEmpty(folder.Path) && folder.ParentId != null)
|
||||
{
|
||||
Folder parent = _folders.GetFolder(folder.ParentId.Value);
|
||||
folder.Path = Utilities.PathCombine(parent.Path, folder.Name);
|
||||
}
|
||||
folder.Path = Utilities.PathCombine(folder.Path, "\\");
|
||||
folder = _folders.AddFolder(folder);
|
||||
_logger.Log(LogLevel.Information, this, LogFunction.Create, "Folder Added {Folder}", folder);
|
||||
}
|
||||
else
|
||||
{
|
||||
_logger.Log(LogLevel.Information, this, LogFunction.Create, "Folder Name Not Valid {Folder}", folder);
|
||||
HttpContext.Response.StatusCode = 401;
|
||||
folder = null;
|
||||
}
|
||||
folder = _folders.AddFolder(folder);
|
||||
_logger.Log(LogLevel.Information, this, LogFunction.Create, "Folder Added {Folder}", folder);
|
||||
}
|
||||
else
|
||||
{
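Review bot: The new `FolderPathValid(folder)` check only inspects `folder.Name`, but the stored path is taken from the client-supplied `folder.Path` whenever it is non-empty (`folder.Path = Utilities.PathCombine(folder.Path, "\\");` follows the `if (string.IsNullOrEmpty(folder.Path) && folder.ParentId != null)` block), so a caller with Edit permission can submit an arbitrary `Path` that never passes through the traversal check; the same shape appears in the Put hunk below. Either derive `Path` server-side from the parent unconditionally (ignore the submitted value), or validate each segment of a submitted `Path` with the same rules applied to `Name`. Separately, an invalid name is answered with `HttpContext.Response.StatusCode = 401;`, which signals an authorization failure rather than a malformed request; `400` would be the accurate status and would keep the 401 meaningful for the real permission branch. The enclosing Post method starts before this hunk.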
|
||||
@ -131,13 +140,23 @@ namespace Oqtane.Controllers
|
||||
{
|
||||
if (ModelState.IsValid && _userPermissions.IsAuthorized(User, EntityNames.Folder, folder.FolderId, PermissionNames.Edit))
|
||||
{
|
||||
if (string.IsNullOrEmpty(folder.Path) && folder.ParentId != null)
|
||||
if (FolderPathValid(folder))
|
||||
{
|
||||
Folder parent = _folders.GetFolder(folder.ParentId.Value);
|
||||
folder.Path = Utilities.PathCombine(parent.Path, folder.Name,"\\");
|
||||
if (string.IsNullOrEmpty(folder.Path) && folder.ParentId != null)
|
||||
{
|
||||
Folder parent = _folders.GetFolder(folder.ParentId.Value);
|
||||
folder.Path = Utilities.PathCombine(parent.Path, folder.Name);
|
||||
}
|
||||
folder.Path = Utilities.PathCombine(folder.Path, "\\");
|
||||
folder = _folders.UpdateFolder(folder);
|
||||
_logger.Log(LogLevel.Information, this, LogFunction.Update, "Folder Updated {Folder}", folder);
|
||||
}
|
||||
else
|
||||
{
|
||||
_logger.Log(LogLevel.Information, this, LogFunction.Create, "Folder Name Not Valid {Folder}", folder);
|
||||
HttpContext.Response.StatusCode = 401;
|
||||
folder = null;
|
||||
}
|
||||
folder = _folders.UpdateFolder(folder);
|
||||
_logger.Log(LogLevel.Information, this, LogFunction.Update, "Folder Updated {Folder}", folder);
|
||||
}
|
||||
else
|
||||
{
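Review bot: The invalid-name log line in the update path uses the wrong function tag: `_logger.Log(LogLevel.Information, this, LogFunction.Create, "Folder Name Not Valid {Folder}", folder);` was copied from Post, but this is Put, so it should be `LogFunction.Update` to match the "Folder Updated" entry a few lines below; an operator filtering audit logs by function would otherwise misattribute rejected updates. As in Post, the 401 for a malformed name is better expressed as 400. The enclosing Put method starts before this hunk.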
|
||||
@ -191,5 +210,11 @@ namespace Oqtane.Controllers
|
||||
HttpContext.Response.StatusCode = 401;
|
||||
}
|
||||
}
|
||||
|
||||
private bool FolderPathValid(Folder folder)
|
||||
{
|
||||
// prevent folder path traversal and reserved devices
|
||||
return (!folder.Name.Contains("\\") && !folder.Name.Contains("/") && !Constants.ReservedDevices.Split(',').Contains(folder.Name.ToUpper()));
|
||||
}
|
||||
}
|
||||
}
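Review bot: `FolderPathValid` does not reject a name of `..` (or `.`), yet the comment says it prevents traversal; `..` contains neither separator, so it passes and is then combined with the parent path by `Utilities.PathCombine`, whose normalisation behaviour is not visible here, so this may resolve to the parent's parent on disk. It also dereferences `folder.Name` without a null check and uses culture-sensitive `ToUpper()` for the reserved-device comparison, which misbehaves under e.g. Turkish cultures. A tightened version that trims before checking (Windows strips trailing dots and spaces, so `".. "` must be treated as `..`) is below; names containing `Path.GetInvalidFileNameChars()` could be rejected too, but that needs `System.IO`, which this commit removes from the file.
```csharp
private bool FolderPathValid(Folder folder)
{
    // prevent folder path traversal and reserved devices
    if (string.IsNullOrWhiteSpace(folder.Name)) return false;
    string name = folder.Name.Trim();
    if (name == "." || name == ".." || name.Contains("\\") || name.Contains("/")) return false;
    return !Constants.ReservedDevices.Split(',').Contains(name.ToUpperInvariant());
}
```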
|
||||
|