Merge pull request #490 from jimspillane/AddFileValidation
Add File Name validation
This commit is contained in:
Shaun Walker
GitHub
commit
f9cdc6d70c
|
|
@ -1,4 +1,5 @@
|
||||||
@namespace Oqtane.Modules.Admin.Files
|
@namespace Oqtane.Modules.Admin.Files
|
||||||
|
@using System.IO
|
||||||
@inherits ModuleBase
|
@inherits ModuleBase
|
||||||
@inject NavigationManager NavigationManager
|
@inject NavigationManager NavigationManager
|
||||||
@inject IFileService FileService
|
@inject IFileService FileService
|
||||||
|
|
@ -70,19 +71,33 @@
|
||||||
|
|
||||||
private async Task Download()
|
private async Task Download()
|
||||||
{
|
{
|
||||||
try
|
if (url == string.Empty || _folderId == -1)
|
||||||
{
|
{
|
||||||
if (url != string.Empty && _folderId != -1)
|
AddModuleMessage("You Must Enter A Url And Select A Folder", MessageType.Warning);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
var filename = url.Substring(url.LastIndexOf("/", StringComparison.Ordinal) + 1);
|
||||||
|
|
||||||
|
if (!Constants.UploadableFiles.Split(',')
|
||||||
|
.Contains(Path.GetExtension(filename).ToLower().Replace(".", "")))
|
||||||
|
{
|
||||||
|
AddModuleMessage("File Could Not Be Downloaded From Url Due To Its File Extension", MessageType.Warning);
|
||||||
|
return ;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!filename.IsPathOrFileValid())
|
||||||
|
{
|
||||||
|
AddModuleMessage("You Must Enter A Url With A Valid File Name", MessageType.Warning);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
try
|
||||||
{
|
{
|
||||||
await FileService.UploadFileAsync(url, _folderId);
|
await FileService.UploadFileAsync(url, _folderId);
|
||||||
await logger.LogInformation("File Downloaded Successfully From Url {Url}", url);
|
await logger.LogInformation("File Downloaded Successfully From Url {Url}", url);
|
||||||
AddModuleMessage("File Downloaded Successfully From Url", MessageType.Success);
|
AddModuleMessage("File Downloaded Successfully From Url", MessageType.Success);
|
||||||
}
|
}
|
||||||
else
|
|
||||||
{
|
|
||||||
AddModuleMessage("You Must Enter A Url And Select A Folder", MessageType.Warning);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
catch (Exception ex)
|
catch (Exception ex)
|
||||||
{
|
{
|
||||||
await logger.LogError(ex, "Error Downloading File From Url {Url} {Error}", url, ex.Message);
|
await logger.LogError(ex, "Error Downloading File From Url {Url} {Error}", url, ex.Message);
|
||||||
|
|
|
||||||
|
|
@ -189,14 +189,37 @@ namespace Oqtane.Controllers
|
||||||
{
|
{
|
||||||
Models.File file = null;
|
Models.File file = null;
|
||||||
Folder folder = _folders.GetFolder(int.Parse(folderid));
|
Folder folder = _folders.GetFolder(int.Parse(folderid));
|
||||||
if (folder != null && _userPermissions.IsAuthorized(User, PermissionNames.Edit, folder.Permissions))
|
|
||||||
|
if (folder == null || !_userPermissions.IsAuthorized(User, PermissionNames.Edit, folder.Permissions))
|
||||||
{
|
{
|
||||||
|
_logger.Log(LogLevel.Error, this, LogFunction.Create,
|
||||||
|
"User Not Authorized To Download File {Url} {FolderId}", url, folderid);
|
||||||
|
HttpContext.Response.StatusCode = 401;
|
||||||
|
return file;
|
||||||
|
}
|
||||||
|
|
||||||
string folderPath = GetFolderPath(folder);
|
string folderPath = GetFolderPath(folder);
|
||||||
CreateDirectory(folderPath);
|
CreateDirectory(folderPath);
|
||||||
|
|
||||||
string filename = url.Substring(url.LastIndexOf("/", StringComparison.Ordinal) + 1);
|
string filename = url.Substring(url.LastIndexOf("/", StringComparison.Ordinal) + 1);
|
||||||
// check for allowable file extensions
|
// check for allowable file extensions
|
||||||
if (Constants.UploadableFiles.Split(',').Contains(Path.GetExtension(filename).ToLower().Replace(".", "")))
|
if (!Constants.UploadableFiles.Split(',')
|
||||||
|
.Contains(Path.GetExtension(filename).ToLower().Replace(".", "")))
|
||||||
{
|
{
|
||||||
|
_logger.Log(LogLevel.Error, this, LogFunction.Create,
|
||||||
|
"File Could Not Be Downloaded From Url Due To Its File Extension {Url}", url);
|
||||||
|
HttpContext.Response.StatusCode = (int)HttpStatusCode.Conflict;
|
||||||
|
return file;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!filename.IsPathOrFileValid())
|
||||||
|
{
|
||||||
|
_logger.Log(LogLevel.Error, this, LogFunction.Create,
|
||||||
|
$"File Could Not Be Downloaded From Url Due To Its File Name Not Allowed {url}");
|
||||||
|
HttpContext.Response.StatusCode = (int)HttpStatusCode.Conflict;
|
||||||
|
return file;
|
||||||
|
}
|
||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
var client = new WebClient();
|
var client = new WebClient();
|
||||||
|
|
@ -208,22 +231,12 @@ namespace Oqtane.Controllers
|
||||||
}
|
}
|
||||||
|
|
||||||
client.DownloadFile(url, targetPath);
|
client.DownloadFile(url, targetPath);
|
||||||
_files.AddFile(CreateFile(filename, folder.FolderId, targetPath));
|
file = _files.AddFile(CreateFile(filename, folder.FolderId, targetPath));
|
||||||
}
|
}
|
||||||
catch
|
catch
|
||||||
{
|
{
|
||||||
_logger.Log(LogLevel.Error, this, LogFunction.Create, "File Could Not Be Downloaded From Url {Url}", url);
|
_logger.Log(LogLevel.Error, this, LogFunction.Create,
|
||||||
}
|
"File Could Not Be Downloaded From Url {Url}", url);
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
_logger.Log(LogLevel.Error, this, LogFunction.Create, "File Could Not Be Downloaded From Url Due To Its File Extension {Url}", url);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
_logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Download File {Url} {FolderId}", url, folderid);
|
|
||||||
HttpContext.Response.StatusCode = 401;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return file;
|
return file;
|
||||||
|
|
@ -233,14 +246,24 @@ namespace Oqtane.Controllers
|
||||||
[HttpPost("upload")]
|
[HttpPost("upload")]
|
||||||
public async Task UploadFile(string folder, IFormFile file)
|
public async Task UploadFile(string folder, IFormFile file)
|
||||||
{
|
{
|
||||||
if (file.Length > 0)
|
if (file.Length <= 0)
|
||||||
{
|
{
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!file.FileName.IsPathOrFileValid())
|
||||||
|
{
|
||||||
|
HttpContext.Response.StatusCode = (int)HttpStatusCode.Conflict;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
string folderPath = "";
|
string folderPath = "";
|
||||||
|
|
||||||
if (int.TryParse(folder, out int folderId))
|
if (int.TryParse(folder, out int folderId))
|
||||||
{
|
{
|
||||||
Folder virtualFolder = _folders.GetFolder(folderId);
|
Folder virtualFolder = _folders.GetFolder(folderId);
|
||||||
if (virtualFolder != null && _userPermissions.IsAuthorized(User, PermissionNames.Edit, virtualFolder.Permissions))
|
if (virtualFolder != null &&
|
||||||
|
_userPermissions.IsAuthorized(User, PermissionNames.Edit, virtualFolder.Permissions))
|
||||||
{
|
{
|
||||||
folderPath = GetFolderPath(virtualFolder);
|
folderPath = GetFolderPath(virtualFolder);
|
||||||
}
|
}
|
||||||
|
|
@ -269,11 +292,11 @@ namespace Oqtane.Controllers
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
_logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Upload File {Folder} {File}", folder, file);
|
_logger.Log(LogLevel.Error, this, LogFunction.Create,
|
||||||
|
"User Not Authorized To Upload File {Folder} {File}", folder, file);
|
||||||
HttpContext.Response.StatusCode = 401;
|
HttpContext.Response.StatusCode = 401;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
private async Task<string> MergeFile(string folder, string filename)
|
private async Task<string> MergeFile(string folder, string filename)
|
||||||
{
|
{
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue
Block a user