Diplomarbeit-Absolventenverein/oqtane.framework
9
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #477 from jimspillane/PathTraversal

Browse Source 
Add File and Path rules
This commit is contained in:
Shaun Walker 2020-05-14 11:55:07 -04:00 committed by GitHub
commit 82429c2545
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 18 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
Oqtane.Server/Controllers/FolderController.cs
View File

@ -32,7 +32,7 @@ namespace Oqtane.Controllers
public IEnumerable<Folder> Get(string siteid) public IEnumerable<Folder> Get(string siteid)
{ {
List<Folder> folders = new List<Folder>(); List<Folder> folders = new List<Folder>();
foreach(Folder folder in _folders.GetFolders(int.Parse(siteid))) foreach (Folder folder in _folders.GetFolders(int.Parse(siteid)))
{ {
if (_userPermissions.IsAuthorized(User, PermissionNames.Browse, folder.Permissions)) if (_userPermissions.IsAuthorized(User, PermissionNames.Browse, folder.Permissions))
{ {
@ -84,7 +84,7 @@ namespace Oqtane.Controllers
return null; return null;
} }
} }
// POST api/<controller> // POST api/<controller>
[HttpPost] [HttpPost]
[Authorize(Roles = Constants.RegisteredRole)] [Authorize(Roles = Constants.RegisteredRole)]
@ -103,7 +103,7 @@ namespace Oqtane.Controllers
new Permission(PermissionNames.Edit, Constants.AdminRole, true), new Permission(PermissionNames.Edit, Constants.AdminRole, true),
}.EncodePermissions(); }.EncodePermissions();
} }
if (_userPermissions.IsAuthorized(User,PermissionNames.Edit, permissions)) if (_userPermissions.IsAuthorized(User, PermissionNames.Edit, permissions))
{ {
if (FolderPathValid(folder)) if (FolderPathValid(folder))
{ {
@ -214,8 +214,9 @@ namespace Oqtane.Controllers
private bool FolderPathValid(Folder folder) private bool FolderPathValid(Folder folder)
{ {
// prevent folder path traversal and reserved devices // prevent folder path traversal and reserved devices
return (folder.Name.IndexOfAny(@"<>:""/\|?*".ToCharArray()) == -1 && return (folder.Name.IndexOfAny(Constants.InvalidFileNameChars) == -1 &&
!Constants.InvalidFileNameEndingChars.Any(x => folder.Name.EndsWith(x)) &&
!Constants.ReservedDevices.Split(',').Contains(folder.Name.ToUpper().Split('.')[0])); !Constants.ReservedDevices.Split(',').Contains(folder.Name.ToUpper().Split('.')[0]));
} }
} }
} }

14
Oqtane.Shared/Shared/Constants.cs
View File

@ -1,4 +1,6 @@
namespace Oqtane.Shared using System;
namespace Oqtane.Shared
{ {
public class Constants public class Constants
{ {
@ -43,6 +45,14 @@
public const string ImageFiles = "jpg,jpeg,jpe,gif,bmp,png"; public const string ImageFiles = "jpg,jpeg,jpe,gif,bmp,png";
public const string UploadableFiles = "jpg,jpeg,jpe,gif,bmp,png,mov,wmv,avi,mp4,mp3,doc,docx,xls,xlsx,ppt,pptx,pdf,txt,zip,nupkg"; public const string UploadableFiles = "jpg,jpeg,jpe,gif,bmp,png,mov,wmv,avi,mp4,mp3,doc,docx,xls,xlsx,ppt,pptx,pdf,txt,zip,nupkg";
public const string ReservedDevices = "CON,NUL,PRN,COM1,COM2,COM3,COM4,COM5,COM6,COM7,COM8,COM9,LPT1,LPT2,LPT3,LPT4,LPT5,LPT6,LPT7,LPT8,LPT9,CONIN$,CONOUT$"; public const string ReservedDevices = "CON,NUL,PRN,,COM0,COM1,COM2,COM3,COM4,COM5,COM6,COM7,COM8,COM9,LPT0,LPT1,LPT2,LPT3,LPT4,LPT5,LPT6,LPT7,LPT8,LPT9,CONIN$,CONOUT$";
public static readonly char[] InvalidFileNameChars =
{
'\"', '<', '>', '|', '\0', (Char) 1, (Char) 2, (Char) 3, (Char) 4, (Char) 5, (Char) 6, (Char) 7, (Char) 8,
(Char) 9, (Char) 10, (Char) 11, (Char) 12, (Char) 13, (Char) 14, (Char) 15, (Char) 16, (Char) 17, (Char) 18,
(Char) 19, (Char) 20, (Char) 21, (Char) 22, (Char) 23, (Char) 24, (Char) 25, (Char) 26, (Char) 27,
(Char) 28, (Char) 29, (Char) 30, (Char) 31, ':', '*', '?', '\\', '/'
};
public static readonly string[] InvalidFileNameEndingChars = { ".", " " };
} }
} }