Improvements for #2221 - validate file extensions client-side before initiating upload, valid file extension server-side before writing part to disk, optimize cleanup logic, add error handling to JavaScript XMLHttpRequest, ensure FileInput gets initialized after upload

2022-06-04 15:40:26 -04:00 · 2022-06-04 15:40:26 -04:00 · ea5655ae42
commit ea5655ae42
parent 43c34fcd64
4 changed files with 284 additions and 258 deletions
--- a/Oqtane.Client/Modules/Controls/FileManager.razor
+++ b/Oqtane.Client/Modules/Controls/FileManager.razor
@ -310,6 +310,17 @@
 		var interop = new Interop(JSRuntime);
 		var upload = await interop.GetFiles(_fileinputid);
 		if (upload.Length > 0)
+		{
+			string restricted = "";
+			foreach (var file in upload)
+			{
+				var extension = (file.LastIndexOf(".") != -1) ? file.Substring(file.LastIndexOf(".") + 1) : "";
+				if (!Constants.UploadableFiles.Split(',').Contains(extension.ToLower()))
+				{
+					restricted += (restricted == "" ? "" : ",") + extension;
+				}
+			}
+			if (restricted == "")
 			{
 				try
 				{
@ -360,6 +371,12 @@
 				}
 			}
 			else
+			{
+				_message = string.Format(Localizer["Message.File.Restricted"], restricted);
+				_messagetype = MessageType.Warning;
+			}
+		}
+        else
        {
            _message = Localizer["Message.File.NotSelected"];
            _messagetype = MessageType.Warning;
--- a/Oqtane.Client/Resources/Modules/Controls/FileManager.resx
+++ b/Oqtane.Client/Resources/Modules/Controls/FileManager.resx
@ -141,4 +141,7 @@
  <data name="Success.File.Upload" xml:space="preserve">
    <value>File Upload Succeeded</value>
  </data>
+  <data name="Message.File.Restricted" xml:space="preserve">
+    <value>Files With Extension Of {0} Are Restricted From Upload. Please Contact Your Administrator For More Information.</value>
+  </data>
 </root>
--- a/Oqtane.Server/Controllers/FileController.cs
+++ b/Oqtane.Server/Controllers/FileController.cs
@ -276,9 +276,17 @@ namespace Oqtane.Controllers
                return;
            }

-            if (!formfile.FileName.IsPathOrFileValid())
+            // ensure filename is valid
+            string token = ".part_";
+            if (!formfile.FileName.IsPathOrFileValid() || !formfile.FileName.Contains(token))
+            {
+                return;
+            }
+
+            // check for allowable file extensions (ignore token)
+            var extension = Path.GetExtension(formfile.FileName.Substring(0, formfile.FileName.IndexOf(token))).Replace(".", "");
+            if (!Constants.UploadableFiles.Split(',').Contains(extension.ToLower()))
            {
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Conflict;
                return;
            }

@ -331,9 +339,9 @@ namespace Oqtane.Controllers
        {
            string merged = "";

-            // parse the filename which is in the format of filename.ext.part_x_y
+            // parse the filename which is in the format of filename.ext.part_001_999
            string token = ".part_";
-            string parts = Path.GetExtension(filename)?.Replace(token, ""); // returns "x_y"
+            string parts = Path.GetExtension(filename)?.Replace(token, ""); // returns "001_999"
            int totalparts = int.Parse(parts?.Substring(parts.IndexOf("_") + 1));

            filename = Path.GetFileNameWithoutExtension(filename); // base filename
@ -370,13 +378,6 @@ namespace Oqtane.Controllers
                        System.IO.File.Delete(filepart);
                    }

-                    // check for allowable file extensions
-                    if (!Constants.UploadableFiles.Split(',').Contains(Path.GetExtension(filename)?.ToLower().Replace(".", "")))
-                    {
-                        System.IO.File.Delete(Path.Combine(folder, filename + ".tmp"));
-                    }
-                    else
-                    {
                    // remove file if it already exists
                    if (System.IO.File.Exists(Path.Combine(folder, filename)))
                    {
@ -386,7 +387,6 @@ namespace Oqtane.Controllers
                    // rename file now that the entire process is completed
                    System.IO.File.Move(Path.Combine(folder, filename + ".tmp"), Path.Combine(folder, filename));
                    _logger.Log(LogLevel.Information, this, LogFunction.Create, "File Uploaded {File}", Path.Combine(folder, filename));
-                    }

                    merged = filename;
                }
@ -394,8 +394,7 @@ namespace Oqtane.Controllers

            // clean up file parts which are more than 2 hours old ( which can happen if a prior file upload failed )
            var cleanupFiles = Directory.EnumerateFiles(folder, "*" + token + "*")
-                .Where(f => Path.GetExtension(f).StartsWith(token));
-
+                .Where(f => Path.GetExtension(f).StartsWith(token) && !Path.GetFileName(f).StartsWith(filename));
            foreach (var file in cleanupFiles)
            {
                var createdDate = System.IO.File.GetCreationTime(file).ToUniversalTime();
--- a/Oqtane.Server/wwwroot/js/interop.js
+++ b/Oqtane.Server/wwwroot/js/interop.js
@ -344,10 +344,17 @@ Oqtane.Interop = {
                    progressinfo.innerHTML = file.name + ' 100%';
                    progressbar.value = 1;
                };
+                request.upload.onerror = function () {
+                    progressinfo.innerHTML = file.name + ' Error: ' + xhr.status;
+                    progressbar.value = 0;
+                };
                request.send(data);
            }
-        }
+
+            if (i === files.length - 1) {
                fileinput.value = '';
+            }
+        }
    },
    refreshBrowser: function (reload, wait) {
        setInterval(function () {