Directory traversal fixes

mguinness · Jul 10, 2021 · 675049b · 675049b
1 parent 8f26907
commit 675049b
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/elFinder.AspNet/Drivers/FileSystem/FileSystemDriver.cs b/elFinder.AspNet/Drivers/FileSystem/FileSystemDriver.cs
@@ -229,6 +229,12 @@ public async Task<ConnectorResult> ExtractAsync(FullPath fullPath, bool newFolde
                         string file = Path.Combine(rootPath, entry.FullName)
                              .Replace("/", separator).Replace("\\", separator);
 
+                        string destPath = Path.GetFullPath(file);
+                        if (!destPath.StartsWith(rootPath, StringComparison.OrdinalIgnoreCase))
+                        {
+                            throw new NotSupportedException($"Entry '{entry.FullName}' is outside of the destination directory.");
+                        }
+
                         if (file.EndsWith(separator)) //directory
                         {
                             var dir = new FileSystemDirectory(file);
@@ -636,12 +642,22 @@ public async Task<ConnectorResult> RenameAsync(FullPath path, string name)
             if (path.IsDirectory)
             {
                 var newPath = new FileSystemDirectory(Path.Combine(path.Directory.Parent.FullName, name));
+                string destPath = Path.GetFullPath(newPath.FullName);
+                if (!destPath.StartsWith(path.RootVolume.RootDirectory, StringComparison.OrdinalIgnoreCase))
+                {
+                    throw new NotSupportedException($"Entry '{name}' is outside of the home directory.");
+                }
                 Directory.Move(path.Directory.FullName, newPath.FullName);
                 response.Added.Add(await BaseModel.CreateAsync(newPath, path.RootVolume));
             }
             else
             {
                 var newPath = new FileSystemFile(Path.Combine(path.File.DirectoryName, name));
+                string destPath = Path.GetFullPath(newPath.FullName);
+                if (!destPath.StartsWith(path.RootVolume.RootDirectory, StringComparison.OrdinalIgnoreCase))
+                {
+                    throw new NotSupportedException($"Entry '{name}' is outside of the home directory.");
+                }
                 File.Move(path.File.FullName, newPath.FullName);
                 response.Added.Add(await BaseModel.CreateAsync(newPath, path.RootVolume));
             }