#2683 Added the blacklist of static file extensions for plugin direc…

…tory

src/Libraries/Nop.Core/Domain/Security/SecuritySettings.cs

@@ -38,5 +38,10 @@ public class SecuritySettings : ISettings
         /// Gets or sets a honeypot input name
         /// </summary>
         public string HoneypotInputName { get; set; }
+
+        /// <summary>
+        /// Get or set the blacklist of static file extension for plugin directories
+        /// </summary>
+        public string PluginStaticFileExtensionsBlacklist { get; set; }
     }
 }

src/Presentation/Nop.Web.Framework/Infrastructure/NopCommonStartup.cs

@@ -1,5 +1,5 @@
-using System;
-using System.IO;
+using System.IO;
+using System.Linq;
 using ImageResizer.Configuration;
 using ImageResizer.Plugins.PrettyGifs;
 using Microsoft.AspNetCore.Builder;
@@ -11,6 +11,8 @@
 using Microsoft.Net.Http.Headers;
 using Nop.Core;
 using Nop.Core.Configuration;
+using Nop.Core.Data;
+using Nop.Core.Domain.Security;
 using Nop.Core.Infrastructure;
 using Nop.Web.Framework.Compression;
 using Nop.Web.Framework.Infrastructure.Extensions;
@@ -95,17 +97,41 @@ public void Configure(IApplicationBuilder application)
                         ctx.Context.Response.Headers.Append(HeaderNames.CacheControl, nopConfig.StaticFilesCacheControl);
                 }
             });
+
             //plugins
-            application.UseStaticFiles(new StaticFileOptions
+            var staticFileOptions = new StaticFileOptions
             {
                 FileProvider = new PhysicalFileProvider(Path.Combine(Directory.GetCurrentDirectory(), @"Plugins")),
                 RequestPath = new PathString("/Plugins"),
                 OnPrepareResponse = ctx =>
                 {
                     if (!string.IsNullOrEmpty(nopConfig.StaticFilesCacheControl))
-                        ctx.Context.Response.Headers.Append(HeaderNames.CacheControl, nopConfig.StaticFilesCacheControl);
+                        ctx.Context.Response.Headers.Append(HeaderNames.CacheControl,
+                            nopConfig.StaticFilesCacheControl);
                 }
-            });
+            };
+            //whether database is installed
+            if (DataSettingsHelper.DatabaseIsInstalled())
+            {
+                var securitySettings = EngineContext.Current.Resolve<SecuritySettings>();
+                if (!string.IsNullOrEmpty(securitySettings.PluginStaticFileExtensionsBlacklist))
+                {
+                    var fileExtensionContentTypeProvider = new FileExtensionContentTypeProvider();
+
+                    foreach (var ext in securitySettings.PluginStaticFileExtensionsBlacklist
+                        .Split(';', ',')
+                        .Select(e => e.Trim().ToLower())
+                        .Select(e => $"{(e.StartsWith(".") ? string.Empty : ".")}{e}")
+                        .Where(fileExtensionContentTypeProvider.Mappings.ContainsKey))
+                    {
+                        fileExtensionContentTypeProvider.Mappings.Remove(ext);
+                    }
+
+                    staticFileOptions.ContentTypeProvider = fileExtensionContentTypeProvider;
+                }
+            }
+            application.UseStaticFiles(staticFileOptions);
+
             //add support for backups
             var provider = new FileExtensionContentTypeProvider();
             provider.Mappings[".bak"] = MimeTypes.ApplicationOctetStream;

upgradescripts/3.90-4.00 (under development)/upgrade.sql

@@ -877,4 +877,12 @@ BEGIN
 	INSERT [ActivityLogType] ([SystemKeyword], [Name], [Enabled])
 	VALUES (N'DeletePlugin', N'Delete a plugin', N'true')
 END
-GO
+GO
+
+--new setting
+IF NOT EXISTS (SELECT 1 FROM [Setting] WHERE [name] = N'securitysettings.pluginstaticfileextensionsblacklist')
+BEGIN
+	INSERT [Setting] ([Name], [Value], [StoreId])
+	VALUES (N'securitysettings.pluginstaticfileextensionsblacklist', N'', 0)
+END
+GO