From 13dc572cfb29c2fd6836601762b969bfefa9c92b Mon Sep 17 00:00:00 2001
From: samantha copeland
Date: Wed, 17 Apr 2024 21:49:06 -0500
Subject: [PATCH] update main comments, refactor validation of filename
---
 .../GalleryObjects/GalleryBase.cs | 10 ++++++
 .../GalleryObjects/GalleryImageEntry.cs | 10 ++++++
 .../GalleryObjects/GalleryMetaData.cs | 27 ++++++++++++++++
 PluginPhotoGallery/PhotoGallery.cs | 10 ++++++
 .../PhotoGalleryAdminMetaData.ascx.cs | 32 +++++++++++++------
 .../PhotoGalleryPrettyPhotoContent.ascx.cs | 20 ++++++------
 PluginPhotoGallery/PublicGalleryBase.cs | 10 ++++++
 PluginPhotoGallery/PublicGallerySingleBase.cs | 10 ++++++
 WebControls/FileData.cs | 14 ++++++--
 9 files changed, 122 insertions(+), 21 deletions(-)
diff --git a/PluginPhotoGallery/GalleryObjects/GalleryBase.cs b/PluginPhotoGallery/GalleryObjects/GalleryBase.cs
index 0ccb0138..58c8a74c 100644
--- a/PluginPhotoGallery/GalleryObjects/GalleryBase.cs
+++ b/PluginPhotoGallery/GalleryObjects/GalleryBase.cs
@@ -1,6 +1,16 @@
 using Carrotware.CMS.Core;
 using Carrotware.Web.UI.Controls;
+/*
+* CarrotCake CMS
+* http://www.carrotware.com/
+*
+* Copyright 2011, Samantha Copeland
+* Dual licensed under the MIT or GPL Version 3 licenses.
+*
+* Date: October 2011
+*/
+
 namespace Carrotware.CMS.UI.Plugins.PhotoGallery {
 public class GalleryBase {
diff --git a/PluginPhotoGallery/GalleryObjects/GalleryImageEntry.cs b/PluginPhotoGallery/GalleryObjects/GalleryImageEntry.cs
index 065412e0..8aa76f46 100644
--- a/PluginPhotoGallery/GalleryObjects/GalleryImageEntry.cs
+++ b/PluginPhotoGallery/GalleryObjects/GalleryImageEntry.cs
@@ -1,6 +1,16 @@
 using System;
 using System.Linq;
+/*
+* CarrotCake CMS
+* http://www.carrotware.com/
+*
+* Copyright 2011, Samantha Copeland
+* Dual licensed under the MIT or GPL Version 3 licenses.
+*
+* Date: October 2011
+*/
+
 namespace Carrotware.CMS.UI.Plugins.PhotoGallery {
 public class GalleryImageEntry : GalleryBase {
diff --git a/PluginPhotoGallery/GalleryObjects/GalleryMetaData.cs b/PluginPhotoGallery/GalleryObjects/GalleryMetaData.cs
index 09331e8b..8a71b6b2 100644
--- a/PluginPhotoGallery/GalleryObjects/GalleryMetaData.cs
+++ b/PluginPhotoGallery/GalleryObjects/GalleryMetaData.cs
@@ -1,6 +1,16 @@
 using System;
 using System.Linq;
+/*
+* CarrotCake CMS
+* http://www.carrotware.com/
+*
+* Copyright 2011, Samantha Copeland
+* Dual licensed under the MIT or GPL Version 3 licenses.
+*
+* Date: October 2011
+*/
+
 namespace Carrotware.CMS.UI.Plugins.PhotoGallery {
 public class GalleryMetaData : GalleryBase {
@@ -25,8 +35,25 @@ public class GalleryMetaData : GalleryBase {
 public string ImageTitle { get; set; }
 public string ImageMetaData { get; set; }
+ public void ValidateGalleryImage() {
+ if (this.GalleryImage.Contains("../") || this.GalleryImage.Contains(@"..\")) {
+ throw new Exception("Cannot use relative paths.");
+ }
+ if (this.GalleryImage.Contains(":")) {
+ throw new Exception("Cannot specify drive letters.");
+ }
+ if (this.GalleryImage.Contains("//") || this.GalleryImage.Contains(@"\\")) {
+ throw new Exception("Cannot use UNC paths.");
+ }
+ if (this.GalleryImage.Contains("<") || this.GalleryImage.Contains(">")) {
+ throw new Exception("Cannot include html tags.");
+ }
+ }
+
 public void Save() {
 if (!string.IsNullOrEmpty(this.GalleryImage)) {
+ this.ValidateGalleryImage();
+
 using (var db = PhotoGalleryDataContext.GetDataContext()) {
 tblGalleryImageMeta gal = (from c in db.tblGalleryImageMetas
 where c.GalleryImage.ToLower() == this.GalleryImage.ToLower()
diff --git a/PluginPhotoGallery/PhotoGallery.cs b/PluginPhotoGallery/PhotoGallery.cs
index d4f42d4d..45f50322 100644
--- a/PluginPhotoGallery/PhotoGallery.cs
+++ b/PluginPhotoGallery/PhotoGallery.cs
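Review bot: The new `ValidateGalleryImage()` in GalleryMetaData.cs dereferences `this.GalleryImage` with no null guard, so any caller other than `Save()` (which is fenced by `IsNullOrEmpty`) gets a NullReferenceException instead of a validation error for an unset filename; open with `if (string.IsNullOrEmpty(this.GalleryImage)) { throw new InvalidOperationException("GalleryImage is not set."); }` and throw `InvalidOperationException` rather than bare `Exception` in the remaining checks so callers can catch validation failures specifically. The same four substring checks are added verbatim as a protected method in PhotoGalleryAdminMetaData.ascx.cs (hunk @@ -61,9); a single `public static` helper on GalleryMetaData taking the filename, called from both places, keeps the two rule sets from drifting apart. A substring deny list leaves gaps (for example a rooted path, or a `..` segment at the very end of the string), so a canonicalization check — resolve the value against the site root with `Path.GetFullPath` and confirm the result still starts with that root — is the more robust form. `Save()` continues outside the hunk.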
@@ -1,5 +1,15 @@
 using System.Configuration;
+/*
+* CarrotCake CMS
+* http://www.carrotware.com/
+*
+* Copyright 2011, Samantha Copeland
+* Dual licensed under the MIT or GPL Version 3 licenses.
+*
+* Date: October 2011
+*/
+
 namespace Carrotware.CMS.UI.Plugins.PhotoGallery {
 public partial class PhotoGalleryDataContext {
diff --git a/PluginPhotoGallery/PhotoGalleryAdminMetaData.ascx.cs b/PluginPhotoGallery/PhotoGalleryAdminMetaData.ascx.cs
index 592063d1..94d1eefa 100644
--- a/PluginPhotoGallery/PhotoGalleryAdminMetaData.ascx.cs
+++ b/PluginPhotoGallery/PhotoGalleryAdminMetaData.ascx.cs
@@ -7,7 +7,7 @@ namespace Carrotware.CMS.UI.Plugins.PhotoGallery {
 public partial class PhotoGalleryAdminMetaData : AdminModule {
 private Guid gTheID = Guid.Empty;
- public string imageFile = String.Empty;
+ public string imageFile = string.Empty;
 protected FileDataHelper helpFile = new FileDataHelper();
@@ -18,15 +18,8 @@ public partial class PhotoGalleryAdminMetaData : AdminModule {
 if (!string.IsNullOrEmpty(Request.QueryString["parm"])) {
 imageFile = CMSConfigHelper.DecodeBase64(Request.QueryString["parm"].ToString());
 }
- if (imageFile.Contains("../") || imageFile.Contains(@"..\")) {
- throw new Exception("Cannot use relative paths.");
- }
- if (imageFile.Contains(":")) {
- throw new Exception("Cannot specify drive letters.");
- }
- if (imageFile.Contains("//") || imageFile.Contains(@"\\")) {
- throw new Exception("Cannot use UNC paths.");
- }
+
+ ValidateGalleryImage(imageFile);
 litImgName.Text = imageFile;
 ImageSizer1.ImageUrl = imageFile;
@@ -50,6 +43,7 @@ public partial class PhotoGalleryAdminMetaData : AdminModule {
 protected void btnSave_Click(object sender, EventArgs e) {
 GalleryHelper gh = new GalleryHelper(SiteID);
 var meta = gh.GalleryMetaDataGetByFilename(imageFile);
+ ValidateGalleryImage(imageFile);
 if (meta == null) {
 meta = new GalleryMetaData();
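Review bot: In `btnSave_Click` (hunk @@ -50,6) the lookup `gh.GalleryMetaDataGetByFilename(imageFile)` runs before the newly added `ValidateGalleryImage(imageFile)`, so an unvalidated filename still reaches the data layer on the save path; swap the two lines so the handler reads `ValidateGalleryImage(imageFile); var meta = gh.GalleryMetaDataGetByFilename(imageFile);`. The field is presumably already validated earlier in the page lifecycle by the call added in hunk @@ -18,15, but the order inside this handler should not depend on that. `btnSave_Click` continues outside the hunk.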
@@ -61,9 +55,27 @@ public partial class PhotoGalleryAdminMetaData : AdminModule {
 meta.ImageMetaData = txtMetaInfo.Text;
 meta.ImageTitle = txtTitle.Text;
+ meta.ValidateGalleryImage();
+
 meta.Save();
 Response.Redirect(SiteData.CurrentScriptName + "?" + Request.QueryString.ToString());
 }
+
+ protected void ValidateGalleryImage(string imageFile) {
+ if (imageFile.Contains("../") || imageFile.Contains(@"..\")) {
+ throw new Exception("Cannot use relative paths.");
+ }
+ if (imageFile.Contains(":")) {
+ throw new Exception("Cannot specify drive letters.");
+ }
+ if (imageFile.Contains("//") || imageFile.Contains(@"\\")) {
+ throw new Exception("Cannot use UNC paths.");
+ }
+ if (imageFile.Contains("<") || imageFile.Contains(">")) {
+ throw new Exception("Cannot include html tags.");
+ }
+ }
+
 }
 }
\ No newline at end of file
diff --git a/PluginPhotoGallery/PhotoGalleryPrettyPhotoContent.ascx.cs b/PluginPhotoGallery/PhotoGalleryPrettyPhotoContent.ascx.cs
index 48b0ed28..a4fea125 100644
--- a/PluginPhotoGallery/PhotoGalleryPrettyPhotoContent.ascx.cs
+++ b/PluginPhotoGallery/PhotoGalleryPrettyPhotoContent.ascx.cs
@@ -1,9 +1,9 @@
-using System;
+using Carrotware.CMS.Core;
+using Carrotware.CMS.Interface;
+using System;
 using System.Collections.Generic;
 using System.ComponentModel;
 using System.Linq;
-using Carrotware.CMS.Core;
-using Carrotware.CMS.Interface;
 namespace Carrotware.CMS.UI.Plugins.PhotoGallery {
@@ -110,6 +110,7 @@ where g.GalleryImage.ToLower() == sImg.ToLower()
 if (imgData == null) {
 return "";
 } else {
+ imgData.ValidateGalleryImage();
 return imgData.ImageMetaData;
 }
 }
@@ -122,6 +123,7 @@ where g.GalleryImage.ToLower() == sImg.ToLower()
 if (imgData == null) {
 return sImg;
 } else {
+ imgData.ValidateGalleryImage();
 return imgData.ImageTitle;
 }
 }
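Review bot: The `meta.ValidateGalleryImage();` added just before `meta.Save();` is redundant, because the `Save()` change in GalleryMetaData.cs already calls that same method whenever `GalleryImage` is non-empty; keep one of the two. The new `protected void ValidateGalleryImage(string imageFile)` reads no instance state and can be declared `protected static`, and since `imageFile` is its argument the failures are better expressed as `throw new ArgumentException("Cannot use relative paths.", nameof(imageFile));` than as bare `Exception`, which callers cannot catch selectively. The method also has no null guard, so a null `imageFile` surfaces as a NullReferenceException rather than a validation message. `btnSave_Click` begins outside the hunk.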
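Review bot: `imgData.ValidateGalleryImage();` on this read path (hunk @@ -110,6, and again in hunk @@ -122,6) validates `GalleryImage`, which is the lookup key, while the values actually returned, `ImageMetaData` and `ImageTitle`, go out unchecked — if the goal is to guard what gets rendered, it inspects the wrong property. Because the method throws a bare `Exception`, any row stored before this validation existed now fails during content rendering rather than at save time; a safer shape is to log the failure and fall through to the same `""` / `sImg` fallback the null branch already uses, and to HTML-encode `ImageMetaData`/`ImageTitle` at the point they are written into markup, if that is where they end up. The record was matched on `g.GalleryImage`, so `GalleryImage` is presumably non-null here, but that query sits outside the hunk. The enclosing methods start and end outside both hunks.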
@@ -133,7 +135,7 @@ where g.GalleryImage.ToLower() == sImg.ToLower()
 try {
 string sFoundVal = GetParmValue("GalleryID", Guid.Empty.ToString());
- if (!String.IsNullOrEmpty(sFoundVal)) {
+ if (!string.IsNullOrEmpty(sFoundVal)) {
 this.GalleryID = new Guid(sFoundVal);
 }
 } catch (Exception ex) { }
@@ -141,7 +143,7 @@ where g.GalleryImage.ToLower() == sImg.ToLower()
 try {
 string sFoundVal = GetParmValueDefaultEmpty("WindowWidth", "500");
- if (!String.IsNullOrEmpty(sFoundVal)) {
+ if (!string.IsNullOrEmpty(sFoundVal)) {
 this.WindowWidth = Convert.ToInt32(sFoundVal);
 }
 } catch (Exception ex) { }
@@ -149,7 +151,7 @@ where g.GalleryImage.ToLower() == sImg.ToLower()
 try {
 string sFoundVal = GetParmValueDefaultEmpty("ThumbSize1", "150");
- if (!String.IsNullOrEmpty(sFoundVal)) {
+ if (!string.IsNullOrEmpty(sFoundVal)) {
 this.ThumbSize1 = Convert.ToInt32(sFoundVal);
 }
 } catch (Exception ex) { }
@@ -157,7 +159,7 @@ where g.GalleryImage.ToLower() == sImg.ToLower()
 try {
 string sFoundVal = GetParmValueDefaultEmpty("ThumbSize2", "200");
- if (!String.IsNullOrEmpty(sFoundVal)) {
+ if (!string.IsNullOrEmpty(sFoundVal)) {
 this.ThumbSize2 = Convert.ToInt32(sFoundVal);
 }
 } catch (Exception ex) { }
@@ -165,13 +167,13 @@ where g.GalleryImage.ToLower() == sImg.ToLower()
 try {
 string sFoundVal = GetParmValue("PrettyPhotoSkin", "light_rounded");
- if (!String.IsNullOrEmpty(sFoundVal)) {
+ if (!string.IsNullOrEmpty(sFoundVal)) {
 this.PrettyPhotoSkin = sFoundVal;
 }
 } catch (Exception ex) { }
 }
- if (String.IsNullOrEmpty(PrettyPhotoSkin)) {
+ if (string.IsNullOrEmpty(PrettyPhotoSkin)) {
 this.PrettyPhotoSkin = "light_rounded";
 }
diff --git a/PluginPhotoGallery/PublicGalleryBase.cs b/PluginPhotoGallery/PublicGalleryBase.cs
index 70351f8b..2a54d052 100644
--- a/PluginPhotoGallery/PublicGalleryBase.cs
+++ b/PluginPhotoGallery/PublicGalleryBase.cs
@@ -5,6 +5,16 @@ using System.ComponentModel;
 using System.Linq;
+/*
+* CarrotCake CMS
+* http://www.carrotware.com/
+*
+* Copyright 2011, Samantha Copeland
+* Dual licensed under the MIT or GPL Version 3 licenses.
+*
+* Date: October 2011
+*/
+
 namespace Carrotware.CMS.UI.Plugins.PhotoGallery {
 public abstract class PublicGalleryBase : WidgetParmDataUserControl, IWidgetEditStatus {
diff --git a/PluginPhotoGallery/PublicGallerySingleBase.cs b/PluginPhotoGallery/PublicGallerySingleBase.cs
index 52d8356b..4bae606c 100644
--- a/PluginPhotoGallery/PublicGallerySingleBase.cs
+++ b/PluginPhotoGallery/PublicGallerySingleBase.cs
@@ -4,6 +4,16 @@ using System.ComponentModel;
 using System.Linq;
+/*
+* CarrotCake CMS
+* http://www.carrotware.com/
+*
+* Copyright 2011, Samantha Copeland
+* Dual licensed under the MIT or GPL Version 3 licenses.
+*
+* Date: October 2011
+*/
+
 namespace Carrotware.CMS.UI.Plugins.PhotoGallery {
 public abstract class PublicGallerySingleBase : PublicGalleryBase {
diff --git a/WebControls/FileData.cs b/WebControls/FileData.cs
index af3036b0..23adad20 100644
--- a/WebControls/FileData.cs
+++ b/WebControls/FileData.cs
@@ -150,8 +150,18 @@ public class FileDataHelper {
 }
 public FileData GetFileInfo(string sQuery, string myFile) {
+ string sPath = MakeFileFolderPath(sQuery).NormalizeFilename();
+
+ if (!string.IsNullOrEmpty(sQuery) && !string.IsNullOrEmpty(myFile)
+ && sQuery.ToLowerInvariant() == myFile.ToLowerInvariant()) {
+ var fileInfo = new FileInfo((_wwwpath + "/" + myFile).NormalizeFilename());
+
+ sQuery = (fileInfo.DirectoryName ?? string.Empty).NormalizeFilename();
+ myFile = fileInfo.Name;
+ sPath = sQuery;
+ }
+
 sQuery = sQuery.NormalizeFilename();
- string sPath = MakeFileFolderPath(sQuery);
 string myFileName = Path.GetFileName(myFile).Trim();
 DateTime myFileDate = Convert.ToDateTime("1899-01-01");
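Review bot: The new branch in `GetFileInfo` builds `fileInfo` from `_wwwpath + "/" + myFile` and then adopts `fileInfo.DirectoryName` as both `sQuery` and `sPath` without confirming the resolved location is still under `_wwwpath`; `FileInfo` canonicalizes `..` segments, so add a containment check before the three assignments, e.g. `if (!fileInfo.FullName.StartsWith(Path.GetFullPath(_wwwpath), StringComparison.OrdinalIgnoreCase)) { throw new ArgumentException("Path is outside the site root.", nameof(myFile)); }`. The two branches also leave `sQuery` in different forms — a physical directory from `DirectoryName` here, the caller's original query otherwise — and hunk @@ -180,7 then passes that same value through `MakeWebFolderPath`; whether that helper accepts both forms is not visible in this diff and is worth a comment on the method. `sPath` is now computed from `sQuery` before `NormalizeFilename()` is applied, where the removed line computed it after, so the result may differ for un-normalized input — presumably intended, but worth confirming. Finally `sQuery.ToLowerInvariant() == myFile.ToLowerInvariant()` allocates two strings and reads better as `string.Equals(sQuery, myFile, StringComparison.OrdinalIgnoreCase)`. `GetFileInfo` continues outside the hunk.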
@@ -180,7 +190,7 @@ public class FileDataHelper {
 string myPath = sQuery.FixPathSlashes();
 f.FileName = Path.GetFileName(myFileName);
- f.FolderPath = myPath;
+ f.FolderPath = MakeWebFolderPath(myPath);
 f.FileDate = myFileDate;
 f.FileSize = myFileSize;
 f.FileSizeFriendly = myFileSizeF;