From 1cca18c4d2924d0e68bdc470298995e30a68d1e4 Mon Sep 17 00:00:00 2001
From: Jim Spillane
Date: Tue, 12 May 2020 22:38:28 -0400
Subject: [PATCH] Add additional reserved names and characters

Added CONIN$,CONOUT$ and characters <>:"/\|?*
Added .Split('.')[0] to folder.Name to catch names like CON.txt and allow names like CONTRACT.
---
 Oqtane.Server/Controllers/FolderController.cs | 5 +++--
 Oqtane.Shared/Shared/Constants.cs | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/Oqtane.Server/Controllers/FolderController.cs b/Oqtane.Server/Controllers/FolderController.cs
index 34c13a1b..b922a105 100644
--- a/Oqtane.Server/Controllers/FolderController.cs
+++ b/Oqtane.Server/Controllers/FolderController.cs
@@ -214,7 +214,8 @@ namespace Oqtane.Controllers
         private bool FolderPathValid(Folder folder)
         {
             // prevent folder path traversal and reserved devices
-            return (!folder.Name.Contains("\\") && !folder.Name.Contains("/") && !Constants.ReservedDevices.Split(',').Contains(folder.Name.ToUpper()));
+            return (folder.Name.IndexOfAny(@"<>:""/\|?*".ToCharArray()) == -1 &&
+                !Constants.ReservedDevices.Split(',').Contains(folder.Name.ToUpper().Split('.')[0]));
         }
     }
-}
+}
\ No newline at end of file
diff --git a/Oqtane.Shared/Shared/Constants.cs b/Oqtane.Shared/Shared/Constants.cs
index 30ca2950..192573ee 100644
--- a/Oqtane.Shared/Shared/Constants.cs
+++ b/Oqtane.Shared/Shared/Constants.cs
@@ -43,6 +43,6 @@
         public const string ImageFiles = "jpg,jpeg,jpe,gif,bmp,png";
         public const string UploadableFiles = "jpg,jpeg,jpe,gif,bmp,png,mov,wmv,avi,mp4,mp3,doc,docx,xls,xlsx,ppt,pptx,pdf,txt,zip,nupkg";
-        public const string ReservedDevices = "CON,NUL,PRN,COM1,COM2,COM3,COM4,COM5,COM6,COM7,COM8,COM9,LPT1,LPT2,LPT3,LPT4,LPT5,LPT6,LPT7,LPT8,LPT9";
+        public const string ReservedDevices = "CON,NUL,PRN,COM1,COM2,COM3,COM4,COM5,COM6,COM7,COM8,COM9,LPT1,LPT2,LPT3,LPT4,LPT5,LPT6,LPT7,LPT8,LPT9,CONIN$,CONOUT$";
     }
 }
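Review bot: The new `FolderPathValid` still accepts `.` and `..` as a folder name even though the comment says it prevents path traversal: neither contains a character from `<>:"/\|?*`, and `Split('.')[0]` on them yields an empty string that is not in the reserved list. The method also dereferences `folder.Name` with no null/empty guard, and `ToUpper()` is culture-sensitive, so under a culture with non-ASCII casing rules (Turkish `i`, for example) `conin$` does not map to `CONIN$` and the ordinal `Contains` misses it; `ToUpperInvariant()` is the right call for an allow-list compared ordinally. Windows additionally ignores trailing spaces and dots when resolving device names, so a stem like `CON ` would pass the comparison unless it is trimmed; that depends on platform behaviour not shown in the hunk, so confirm it matters for your deployment targets. I would reject blank and all-dot names up front, refuse control characters, and compare a trimmed, invariant-uppercased stem:
```csharp
private bool FolderPathValid(Folder folder)
{
    // prevent folder path traversal and reserved devices
    if (string.IsNullOrWhiteSpace(folder.Name))
    {
        return false;
    }
    var name = folder.Name.Trim();
    // "." and ".." (or any all-dot name) would resolve outside the intended folder
    if (name.All(c => c == '.') || name.IndexOfAny(@"<>:""/\|?*".ToCharArray()) != -1 || name.Any(char.IsControl))
    {
        return false;
    }
    // compare only the stem before the first '.' so CON.txt is rejected while CONTRACT is allowed;
    // invariant casing keeps the check independent of the request thread's culture
    var stem = name.ToUpperInvariant().Split('.')[0].TrimEnd();
    return !Constants.ReservedDevices.Split(',').Contains(stem);
}
```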
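Review bot: `ReservedDevices` still omits `AUX`, which is a reserved Windows device name alongside CON, PRN and NUL, so a folder named `AUX` or `AUX.txt` passes the check in FolderController.cs; the constant should read `...,LPT9,AUX,CONIN$,CONOUT$`. The list is also consumed under an unstated contract — entries must be upper-case, comma-separated and dot-free because the caller uppercases the folder name, takes the stem before the first `.` and compares ordinally — which the next person editing this string cannot see from here. A comment on the constant such as `// Upper-case, comma-separated, no dots: compared against the upper-cased stem of a folder name in FolderController.FolderPathValid` would record that dependency.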