update main comments, refactor validation of filename

ninianne98 · Apr 18, 2024 · 13dc572 · 13dc572
1 parent df0a77c
commit 13dc572
Show file tree

Hide file tree

Showing 9 changed files with 122 additions and 21 deletions.
diff --git a/PluginPhotoGallery/GalleryObjects/GalleryBase.cs b/PluginPhotoGallery/GalleryObjects/GalleryBase.cs
@@ -1,6 +1,16 @@
 using Carrotware.CMS.Core;
 using Carrotware.Web.UI.Controls;
 
+/*
+* CarrotCake CMS
+* http://www.carrotware.com/
+*
+* Copyright 2011, Samantha Copeland
+* Dual licensed under the MIT or GPL Version 3 licenses.
+*
+* Date: October 2011
+*/
+
 namespace Carrotware.CMS.UI.Plugins.PhotoGallery {
 
 	public class GalleryBase {

diff --git a/PluginPhotoGallery/GalleryObjects/GalleryImageEntry.cs b/PluginPhotoGallery/GalleryObjects/GalleryImageEntry.cs
@@ -1,6 +1,16 @@
 using System;
 using System.Linq;
 
+/*
+* CarrotCake CMS
+* http://www.carrotware.com/
+*
+* Copyright 2011, Samantha Copeland
+* Dual licensed under the MIT or GPL Version 3 licenses.
+*
+* Date: October 2011
+*/
+
 namespace Carrotware.CMS.UI.Plugins.PhotoGallery {
 
 	public class GalleryImageEntry : GalleryBase {

diff --git a/PluginPhotoGallery/GalleryObjects/GalleryMetaData.cs b/PluginPhotoGallery/GalleryObjects/GalleryMetaData.cs
@@ -1,6 +1,16 @@
 using System;
 using System.Linq;
 
+/*
+* CarrotCake CMS
+* http://www.carrotware.com/
+*
+* Copyright 2011, Samantha Copeland
+* Dual licensed under the MIT or GPL Version 3 licenses.
+*
+* Date: October 2011
+*/
+
 namespace Carrotware.CMS.UI.Plugins.PhotoGallery {
 
 	public class GalleryMetaData : GalleryBase {
@@ -25,8 +35,25 @@ public class GalleryMetaData : GalleryBase {
 		public string ImageTitle { get; set; }
 		public string ImageMetaData { get; set; }
 
+		public void ValidateGalleryImage() {
+			if (this.GalleryImage.Contains("../") || this.GalleryImage.Contains(@"..\")) {
+				throw new Exception("Cannot use relative paths.");
+			}
+			if (this.GalleryImage.Contains(":")) {
+				throw new Exception("Cannot specify drive letters.");
+			}
+			if (this.GalleryImage.Contains("//") || this.GalleryImage.Contains(@"\\")) {
+				throw new Exception("Cannot use UNC paths.");
+			}
+			if (this.GalleryImage.Contains("<") || this.GalleryImage.Contains(">")) {
+				throw new Exception("Cannot include html tags.");
+			}
+		}
+
 		public void Save() {
 			if (!string.IsNullOrEmpty(this.GalleryImage)) {
+				this.ValidateGalleryImage();
+
 				using (var db = PhotoGalleryDataContext.GetDataContext()) {
 					tblGalleryImageMeta gal = (from c in db.tblGalleryImageMetas
 											   where c.GalleryImage.ToLower() == this.GalleryImage.ToLower()

diff --git a/PluginPhotoGallery/PhotoGallery.cs b/PluginPhotoGallery/PhotoGallery.cs
@@ -1,5 +1,15 @@
 using System.Configuration;
 
+/*
+* CarrotCake CMS
+* http://www.carrotware.com/
+*
+* Copyright 2011, Samantha Copeland
+* Dual licensed under the MIT or GPL Version 3 licenses.
+*
+* Date: October 2011
+*/
+
 namespace Carrotware.CMS.UI.Plugins.PhotoGallery {
 	public partial class PhotoGalleryDataContext {
 

diff --git a/PluginPhotoGallery/PhotoGalleryAdminMetaData.ascx.cs b/PluginPhotoGallery/PhotoGalleryAdminMetaData.ascx.cs
@@ -7,7 +7,7 @@ namespace Carrotware.CMS.UI.Plugins.PhotoGallery {
 
 	public partial class PhotoGalleryAdminMetaData : AdminModule {
 		private Guid gTheID = Guid.Empty;
-		public string imageFile = String.Empty;
+		public string imageFile = string.Empty;
 
 		protected FileDataHelper helpFile = new FileDataHelper();
 
@@ -18,15 +18,8 @@ public partial class PhotoGalleryAdminMetaData : AdminModule {
 			if (!string.IsNullOrEmpty(Request.QueryString["parm"])) {
 				imageFile = CMSConfigHelper.DecodeBase64(Request.QueryString["parm"].ToString());
 			}
-			if (imageFile.Contains("../") || imageFile.Contains(@"..\")) {
-				throw new Exception("Cannot use relative paths.");
-			}
-			if (imageFile.Contains(":")) {
-				throw new Exception("Cannot specify drive letters.");
-			}
-			if (imageFile.Contains("//") || imageFile.Contains(@"\\")) {
-				throw new Exception("Cannot use UNC paths.");
-			}
+
+			ValidateGalleryImage(imageFile);
 
 			litImgName.Text = imageFile;
 			ImageSizer1.ImageUrl = imageFile;
@@ -50,6 +43,7 @@ public partial class PhotoGalleryAdminMetaData : AdminModule {
 		protected void btnSave_Click(object sender, EventArgs e) {
 			GalleryHelper gh = new GalleryHelper(SiteID);
 			var meta = gh.GalleryMetaDataGetByFilename(imageFile);
+			ValidateGalleryImage(imageFile);
 
 			if (meta == null) {
 				meta = new GalleryMetaData();
@@ -61,9 +55,27 @@ public partial class PhotoGalleryAdminMetaData : AdminModule {
 			meta.ImageMetaData = txtMetaInfo.Text;
 			meta.ImageTitle = txtTitle.Text;
 
+			meta.ValidateGalleryImage();
+
 			meta.Save();
 
 			Response.Redirect(SiteData.CurrentScriptName + "?" + Request.QueryString.ToString());
 		}
+
+		protected void ValidateGalleryImage(string imageFile) {
+			if (imageFile.Contains("../") || imageFile.Contains(@"..\")) {
+				throw new Exception("Cannot use relative paths.");
+			}
+			if (imageFile.Contains(":")) {
+				throw new Exception("Cannot specify drive letters.");
+			}
+			if (imageFile.Contains("//") || imageFile.Contains(@"\\")) {
+				throw new Exception("Cannot use UNC paths.");
+			}
+			if (imageFile.Contains("<") || imageFile.Contains(">")) {
+				throw new Exception("Cannot include html tags.");
+			}
+		}
+
 	}
 }
diff --git a/PluginPhotoGallery/PhotoGalleryPrettyPhotoContent.ascx.cs b/PluginPhotoGallery/PhotoGalleryPrettyPhotoContent.ascx.cs
@@ -1,9 +1,9 @@
-using System;
+using Carrotware.CMS.Core;
+using Carrotware.CMS.Interface;
+using System;
 using System.Collections.Generic;
 using System.ComponentModel;
 using System.Linq;
-using Carrotware.CMS.Core;
-using Carrotware.CMS.Interface;
 
 namespace Carrotware.CMS.UI.Plugins.PhotoGallery {
 
@@ -110,6 +110,7 @@ where g.GalleryImage.ToLower() == sImg.ToLower()
 			if (imgData == null) {
 				return "";
 			} else {
+				imgData.ValidateGalleryImage();
 				return imgData.ImageMetaData;
 			}
 		}
@@ -122,6 +123,7 @@ where g.GalleryImage.ToLower() == sImg.ToLower()
 			if (imgData == null) {
 				return sImg;
 			} else {
+				imgData.ValidateGalleryImage();
 				return imgData.ImageTitle;
 			}
 		}
@@ -133,45 +135,45 @@ where g.GalleryImage.ToLower() == sImg.ToLower()
 				try {
 					string sFoundVal = GetParmValue("GalleryID", Guid.Empty.ToString());
 
-					if (!String.IsNullOrEmpty(sFoundVal)) {
+					if (!string.IsNullOrEmpty(sFoundVal)) {
 						this.GalleryID = new Guid(sFoundVal);
 					}
 				} catch (Exception ex) { }
 
 				try {
 					string sFoundVal = GetParmValueDefaultEmpty("WindowWidth", "500");
 
-					if (!String.IsNullOrEmpty(sFoundVal)) {
+					if (!string.IsNullOrEmpty(sFoundVal)) {
 						this.WindowWidth = Convert.ToInt32(sFoundVal);
 					}
 				} catch (Exception ex) { }
 
 				try {
 					string sFoundVal = GetParmValueDefaultEmpty("ThumbSize1", "150");
 
-					if (!String.IsNullOrEmpty(sFoundVal)) {
+					if (!string.IsNullOrEmpty(sFoundVal)) {
 						this.ThumbSize1 = Convert.ToInt32(sFoundVal);
 					}
 				} catch (Exception ex) { }
 
 				try {
 					string sFoundVal = GetParmValueDefaultEmpty("ThumbSize2", "200");
 
-					if (!String.IsNullOrEmpty(sFoundVal)) {
+					if (!string.IsNullOrEmpty(sFoundVal)) {
 						this.ThumbSize2 = Convert.ToInt32(sFoundVal);
 					}
 				} catch (Exception ex) { }
 
 				try {
 					string sFoundVal = GetParmValue("PrettyPhotoSkin", "light_rounded");
 
-					if (!String.IsNullOrEmpty(sFoundVal)) {
+					if (!string.IsNullOrEmpty(sFoundVal)) {
 						this.PrettyPhotoSkin = sFoundVal;
 					}
 				} catch (Exception ex) { }
 			}
 
-			if (String.IsNullOrEmpty(PrettyPhotoSkin)) {
+			if (string.IsNullOrEmpty(PrettyPhotoSkin)) {
 				this.PrettyPhotoSkin = "light_rounded";
 			}
 

diff --git a/PluginPhotoGallery/PublicGalleryBase.cs b/PluginPhotoGallery/PublicGalleryBase.cs
@@ -5,6 +5,16 @@
 using System.ComponentModel;
 using System.Linq;
 
+/*
+* CarrotCake CMS
+* http://www.carrotware.com/
+*
+* Copyright 2011, Samantha Copeland
+* Dual licensed under the MIT or GPL Version 3 licenses.
+*
+* Date: October 2011
+*/
+
 namespace Carrotware.CMS.UI.Plugins.PhotoGallery {
 
 	public abstract class PublicGalleryBase : WidgetParmDataUserControl, IWidgetEditStatus {

diff --git a/PluginPhotoGallery/PublicGallerySingleBase.cs b/PluginPhotoGallery/PublicGallerySingleBase.cs
@@ -4,6 +4,16 @@
 using System.ComponentModel;
 using System.Linq;
 
+/*
+* CarrotCake CMS
+* http://www.carrotware.com/
+*
+* Copyright 2011, Samantha Copeland
+* Dual licensed under the MIT or GPL Version 3 licenses.
+*
+* Date: October 2011
+*/
+
 namespace Carrotware.CMS.UI.Plugins.PhotoGallery {
 
 	public abstract class PublicGallerySingleBase : PublicGalleryBase {

diff --git a/WebControls/FileData.cs b/WebControls/FileData.cs
@@ -150,8 +150,18 @@ public class FileDataHelper {
 		}
 
 		public FileData GetFileInfo(string sQuery, string myFile) {
+			string sPath = MakeFileFolderPath(sQuery).NormalizeFilename();
+
+			if (!string.IsNullOrEmpty(sQuery) && !string.IsNullOrEmpty(myFile)
+						&& sQuery.ToLowerInvariant() == myFile.ToLowerInvariant()) {
+				var fileInfo = new FileInfo((_wwwpath + "/" + myFile).NormalizeFilename());
+
+				sQuery = (fileInfo.DirectoryName ?? string.Empty).NormalizeFilename();
+				myFile = fileInfo.Name;
+				sPath = sQuery;
+			}
+
 			sQuery = sQuery.NormalizeFilename();
-			string sPath = MakeFileFolderPath(sQuery);
 
 			string myFileName = Path.GetFileName(myFile).Trim();
 			DateTime myFileDate = Convert.ToDateTime("1899-01-01");
@@ -180,7 +190,7 @@ public class FileDataHelper {
 				string myPath = sQuery.FixPathSlashes();
 
 				f.FileName = Path.GetFileName(myFileName);
-				f.FolderPath = myPath;
+				f.FolderPath = MakeWebFolderPath(myPath);
 				f.FileDate = myFileDate;
 				f.FileSize = myFileSize;
 				f.FileSizeFriendly = myFileSizeF;