From eb5a0dc1c9f121e83ab78bd80fbf03696892e8a1 Mon Sep 17 00:00:00 2001 From: sbwalker Date: Fri, 16 May 2025 08:25:50 -0400 Subject: [PATCH] improve filename validation in module content export --- Oqtane.Client/Modules/Admin/Modules/Export.razor | 9 +++++++-- .../Services/Interfaces/IModuleService.cs | 4 ++-- Oqtane.Client/Services/ModuleService.cs | 4 ++-- Oqtane.Server/Controllers/FileController.cs | 1 - Oqtane.Server/Controllers/ModuleController.cs | 16 ++++++---------- 5 files changed, 17 insertions(+), 17 deletions(-) diff --git a/Oqtane.Client/Modules/Admin/Modules/Export.razor b/Oqtane.Client/Modules/Admin/Modules/Export.razor index d72ec689..10831a56 100644 --- a/Oqtane.Client/Modules/Admin/Modules/Export.razor +++ b/Oqtane.Client/Modules/Admin/Modules/Export.razor @@ -50,6 +50,11 @@ public override SecurityAccessLevel SecurityAccessLevel => SecurityAccessLevel.Edit; public override string Title => "Export Content"; + protected override void OnInitialized() + { + _filename = Utilities.GetFriendlyUrl(ModuleState.Title); + } + private async Task ExportText() { try @@ -71,8 +76,8 @@ var folderid = _filemanager.GetFolderId(); if (folderid != -1 && !string.IsNullOrEmpty(_filename)) { - var result = await ModuleService.ExportModuleAsync(ModuleState.ModuleId, PageState.Page.PageId, folderid, _filename); - if (result.Success) + var fileid = await ModuleService.ExportModuleAsync(ModuleState.ModuleId, PageState.Page.PageId, folderid, _filename); + if (fileid != -1) { AddModuleMessage(Localizer["Success.Content.Export"], MessageType.Success); } diff --git a/Oqtane.Client/Services/Interfaces/IModuleService.cs b/Oqtane.Client/Services/Interfaces/IModuleService.cs index a2334a20..ea6beab3 100644 --- a/Oqtane.Client/Services/Interfaces/IModuleService.cs +++ b/Oqtane.Client/Services/Interfaces/IModuleService.cs 
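Review bot: In Export.razor's second hunk, `if (fileid != -1)` treats every value other than -1 as success, so a failed call that comes back as 0 would still show the success message. Whether the client's POST helper returns `default` on a non-success status is not visible in this patch, but the server's forbidden path does set a 403, so that case needs confirming. Assuming file ids are always positive, a stricter test removes the ambiguity: `if (fileid > 0)`. The enclosing method starts and ends outside the hunk.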
@@ -67,7 +67,7 @@ namespace Oqtane.Services /// /// /// - /// success/failure - Task ExportModuleAsync(int moduleId, int pageId, int folderId, string filename); + /// file id + Task ExportModuleAsync(int moduleId, int pageId, int folderId, string filename); } } diff --git a/Oqtane.Client/Services/ModuleService.cs b/Oqtane.Client/Services/ModuleService.cs index 68d1e4fd..ac093bed 100644 --- a/Oqtane.Client/Services/ModuleService.cs +++ b/Oqtane.Client/Services/ModuleService.cs @@ -51,9 +51,9 @@ namespace Oqtane.Services return await GetStringAsync($"{Apiurl}/export?moduleid={moduleId}&pageid={pageId}"); } - public async Task ExportModuleAsync(int moduleId, int pageId, int folderId, string filename) + public async Task ExportModuleAsync(int moduleId, int pageId, int folderId, string filename) { - return await PostJsonAsync($"{Apiurl}/export?moduleid={moduleId}&pageid={pageId}&folderid={folderId}&filename={filename}", null); + return await PostJsonAsync($"{Apiurl}/export?moduleid={moduleId}&pageid={pageId}&folderid={folderId}&filename={filename}", null); } } } diff --git a/Oqtane.Server/Controllers/FileController.cs b/Oqtane.Server/Controllers/FileController.cs index 7ead95d7..f0b72f22 100644 --- a/Oqtane.Server/Controllers/FileController.cs +++ b/Oqtane.Server/Controllers/FileController.cs @@ -22,7 +22,6 @@ using Microsoft.AspNetCore.Cors; using System.IO.Compression; using Oqtane.Services; using Microsoft.Extensions.Primitives; -using Microsoft.AspNetCore.Http.HttpResults; using Microsoft.Net.Http.Headers; // ReSharper disable StringIndexOfIsCultureSpecific.1 diff --git a/Oqtane.Server/Controllers/ModuleController.cs b/Oqtane.Server/Controllers/ModuleController.cs index 012f2e11..61f69f33 100644 --- a/Oqtane.Server/Controllers/ModuleController.cs +++ b/Oqtane.Server/Controllers/ModuleController.cs 
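Review bot: In ModuleService.cs, `ExportModuleAsync` still interpolates `filename` into the query string unencoded, so a name containing `&`, `#`, `+` or `%` can reach the server altered or truncated, or can add a further query parameter. The export form now prefills a friendly name, but the user can still edit the field before submitting. Encode the value at the call site, for example `...&folderid={folderId}&filename={Uri.EscapeDataString(filename)}`. The server-side normalisation in ModuleController stays the authoritative check.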
@@ -10,9 +10,6 @@ using Oqtane.Repository; using Oqtane.Security; using System.Net; using System.IO; -using System; -using static System.Net.WebRequestMethods; -using System.Net.Http; namespace Oqtane.Controllers { @@ -259,9 +256,9 @@ namespace Oqtane.Controllers // POST api//export?moduleid=x&pageid=y&folderid=z&filename=a [HttpPost("export")] [Authorize(Roles = RoleNames.Registered)] - public Result Export(int moduleid, int pageid, int folderid, string filename) + public int Export(int moduleid, int pageid, int folderid, string filename) { - var result = new Result(false); + var fileid = -1; var module = _modules.GetModule(moduleid); if (module != null && module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, module.SiteId, EntityNames.Page, pageid, PermissionNames.Edit) && _userPermissions.IsAuthorized(User, module.SiteId, EntityNames.Folder, folderid, PermissionNames.Edit) && !string.IsNullOrEmpty(filename)) @@ -278,7 +275,7 @@ namespace Oqtane.Controllers } // create json file - filename = Path.GetFileNameWithoutExtension(filename) + ".json"; + filename = Utilities.GetFriendlyUrl(Path.GetFileNameWithoutExtension(filename)) + ".json"; string filepath = Path.Combine(folderPath, filename); if (System.IO.File.Exists(filepath)) { @@ -298,9 +295,7 @@ namespace Oqtane.Controllers file.Size = (int)new FileInfo(filepath).Length; _files.UpdateFile(file); } - - result.Success = true; - result.Message = filename; + fileid = file.FileId; _logger.Log(LogLevel.Information, this, LogFunction.Read, "Content Exported For Module {ModuleId} To Folder {FolderId}", moduleid, folderid); } @@ -309,7 +304,8 @@ namespace Oqtane.Controllers _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Export Attempt For Module {Module} To Folder {FolderId}", moduleid, folderid); HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden; } - return result; + + return fileid; } // POST api//import?moduleid=x&pageid=y
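Review bot: In ModuleController.Export, the `!string.IsNullOrEmpty(filename)` guard runs before the name is normalised, so an input such as `.json` (which `Path.GetFileNameWithoutExtension` turns into an empty string) would be written as a file named `.json`. The same would apply to any input that `Utilities.GetFriendlyUrl` strips completely; its body is not in this patch, so that behaviour should be confirmed. Re-check after normalising, e.g. `var name = Utilities.GetFriendlyUrl(Path.GetFileNameWithoutExtension(filename));` followed by `if (string.IsNullOrEmpty(name))` taking the rejection path, and build `filename = name + ".json";` only afterwards. Export's body starts and ends outside these hunks.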