Diplomarbeit-Absolventenverein/oqtane.framework
10
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

Add File and Path rules

Browse Source 
Apply the file and path naming rules found at 
https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file

Mitigate path traversal.
This commit is contained in:
Jim Spillane
2020-05-14 09:53:36 -04:00
parent a9630e715b
commit 8afe8e7474
2 changed files with 18 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
Oqtane.Server/Controllers/FolderController.cs
View File

@ -32,7 +32,7 @@ namespace Oqtane.Controllers
public IEnumerable<Folder> Get(string siteid)
{
List<Folder> folders = new List<Folder>();
foreach(Folder folder in _folders.GetFolders(int.Parse(siteid)))
foreach (Folder folder in _folders.GetFolders(int.Parse(siteid)))
{
if (_userPermissions.IsAuthorized(User, PermissionNames.Browse, folder.Permissions))
{
@ -84,7 +84,7 @@ namespace Oqtane.Controllers
return null;
}
}
// POST api/<controller>
[HttpPost]
[Authorize(Roles = Constants.RegisteredRole)]
@ -103,7 +103,7 @@ namespace Oqtane.Controllers
new Permission(PermissionNames.Edit, Constants.AdminRole, true),
}.EncodePermissions();
}
if (_userPermissions.IsAuthorized(User,PermissionNames.Edit, permissions))
if (_userPermissions.IsAuthorized(User, PermissionNames.Edit, permissions))
{
if (FolderPathValid(folder))
{
@ -214,8 +214,9 @@ namespace Oqtane.Controllers
private bool FolderPathValid(Folder folder)
{
// prevent folder path traversal and reserved devices
return (folder.Name.IndexOfAny(@"<>:""/\|?*".ToCharArray()) == -1 &&
return (folder.Name.IndexOfAny(Constants.InvalidFileNameChars) == -1 &&
!Constants.InvalidFileNameEndingChars.Any(x => folder.Name.EndsWith(x)) &&
!Constants.ReservedDevices.Split(',').Contains(folder.Name.ToUpper().Split('.')[0]));
}
}
}
}