
update gallery metadata edit to block certain filename patterns and f…

…ormatting
ninianne98 committed May 8, 2019
1 parent 94ac076 commit 425d8fa639eec49356cfa5a309da66e951367f79
@@ -123,6 +123,7 @@ public class AdminController : BaseAdminWidgetController {
return View(lst);
}

[HttpGet]
public ActionResult EditImageMetaData(string path) {
GalleryHelper gh = new GalleryHelper(this.SiteID);
string imageFile = String.Empty;
@@ -131,6 +132,16 @@ public class AdminController : BaseAdminWidgetController {
imageFile = Utils.DecodeBase64(path);
}

if (imageFile.Contains("../") || imageFile.Contains(@"..\")) {
throw new Exception("Cannot use relative paths.");
}
if (imageFile.Contains(":")) {
throw new Exception("Cannot specify drive letters.");
}
if (imageFile.Contains("//") || imageFile.Contains(@"\\")) {
throw new Exception("Cannot use UNC paths.");
}

GalleryMetaData model = gh.GalleryMetaDataGetByFilename(imageFile);
if (model == null) {
model = new GalleryMetaData();
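Review bot: The three substring checks beginning at `if (imageFile.Contains("../") || imageFile.Contains(@"..\"))` reject the usual traversal spellings but still accept a name rooted with a single leading `/` or `\`, or one whose last segment is a bare `..` with no trailing separator (`sub/..`), so gh.GalleryMetaDataGetByFilename can still receive a name pointing outside the gallery if it resolves such input relative to the file system — whether it does is not visible in this hunk. A guard that resolves the name against the gallery directory is more robust than a deny-list, e.g. `string full = Path.GetFullPath(Path.Combine(galleryRoot, imageFile)); if (!full.StartsWith(galleryRoot, StringComparison.OrdinalIgnoreCase)) { throw new ArgumentException("Path is outside the gallery.", nameof(path)); }`, where `galleryRoot` is a placeholder for whatever absolute folder the gallery helper uses (not shown here). The three `throw new Exception(...)` calls would also be clearer as a specific type such as ArgumentException. EditImageMetaData starts in the first hunk and continues past the end of this one.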
@@ -150,7 +150,7 @@
min-width: 2px;
width: 850px;
padding: 8px;
margin: 0px;
margin: 0;
position: absolute;
z-index: 2000;
text-align: center;
@@ -370,7 +370,7 @@
</span>
</a>
</span>
<a class="editMetaData" href='javascript:void(0);' onclick="@CarrotLayout.WritePopupLink( Url.Action("EditImageMetaData", null, new { path = Utils.EncodeBase64(srcImage.FullFileName) }))">
<a class="editMetaData" href='javascript:void(0);' onclick="@CarrotLayout.WritePopupLink(Url.Action("EditImageMetaData", null, new { path = Utils.EncodeBase64(srcImage.FullFileName) }))">>
<img class="imgNoBorder" src="~/Assets/Admin/Images/pencil.png" alt="Edit" title="Edit" />
</a>
</div>
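Review bot: The rewritten anchor line ends with `"))">>`, one `>` more than the removed line it replaces; if that doubled `>` is in the committed file rather than an artifact of how this page is rendered, the view emits a stray literal `>` right after the opening tag, in front of the pencil image. The intended change is only the removal of the space after `WritePopupLink(`, so the line should end with `"))">` as before.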
