Skip to content
Permalink
Browse files Browse the repository at this point in the history
Merge pull request from GHSA-9p5f-5x8v-x65m
Throw exception on path traversal in WriteDocumentAsync
  • Loading branch information
joshuaboniface committed Apr 23, 2023
2 parents d5a8419 + faac37b commit 82ad263
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions MediaBrowser.Controller/ClientEvent/ClientEventLogger.cs
Expand Up @@ -23,6 +23,11 @@ public async Task<string> WriteDocumentAsync(string clientName, string clientVer
{
var fileName = $"upload_{clientName}_{clientVersion}_{DateTime.UtcNow:yyyyMMddHHmmss}_{Guid.NewGuid():N}.log";
var logFilePath = Path.Combine(_applicationPaths.LogDirectoryPath, fileName);
if (!Path.GetFullPath(logFilePath).StartsWith(_applicationPaths.LogDirectoryPath, StringComparison.Ordinal))
{
throw new ArgumentException("Path resolved to filename not in log directory");
}

await using var fileStream = new FileStream(logFilePath, FileMode.CreateNew, FileAccess.Write, FileShare.None);
await fileContents.CopyToAsync(fileStream).ConfigureAwait(false);
return fileName;
Expand Down

0 comments on commit 82ad263

Please sign in to comment.