improve validation in package extraction

sbwalker 2024-05-20 09:33:46 -04:00
parent 73781c7edb
commit 8cd6a72dd3


@ -197,6 +197,12 @@ namespace Oqtane.Infrastructure
string[] segments = entry.FullName.Split('/'); // ZipArchiveEntries always use unix path separator
string filename = Path.Combine(folder, string.Join(Path.DirectorySeparatorChar, segments, ignoreLeadingSegments, segments.Length - ignoreLeadingSegments));
// validate path to prevent path traversal
if (!Path.GetFullPath(filename).StartsWith(folder + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase))
{
return "";
}
try
{
if (!Directory.Exists(Path.GetDirectoryName(filename)))
@ -227,6 +233,7 @@ namespace Oqtane.Infrastructure
// an error occurred extracting the file
filename = "";
}
return filename;
}
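Review bot: The path-traversal check compares `Path.GetFullPath(filename)` against the raw `folder` string, which is not normalised in the visible lines, and it uses `StringComparison.OrdinalIgnoreCase`. If `folder` is relative, ends with a separator, or contains `..` segments, the prefix never matches and every entry is rejected; on a case-sensitive file system, a sibling directory whose name differs only in case would pass the test. I would normalise the root once, `string root = Path.GetFullPath(folder).TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;`, compare against `root`, and use `StringComparison.Ordinal` where the file system is case-sensitive. The rejection also returns `""`, the same value the catch block produces, so a blocked entry looks like an ordinary extraction failure; logging `entry.FullName` there would make such packages visible to operators. The method starts above the hunk, so `folder` may already be normalised by code that is not shown here.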