Finish security patch 1.2.4
trung-tran-sts committed Jul 1, 2021
1 parent c84b4b2 commit 5498c8a
Showing 15 changed files with 179 additions and 40 deletions.
Expand Up @@ -39,7 +39,7 @@ public static string MapPath(string path, string basePath = null)
}

path = path.Replace("~/", "").TrimStart('/').Replace('/', '\\');
return PathHelper.GetFullPath(basePath, path);
return PathHelper.GetFullPath(Path.Combine(basePath, path));
}

public IConfiguration Configuration { get; }
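Review bot: `Path.Combine(basePath, path)` in the new return line keeps none of `basePath` when `path` is still rooted after the normalisation on the line above it, and `GetFullPath` resolves `..` segments without any check that the result stays under `basePath`. Only `~/` and leading `/` characters are stripped beforehand, so the containment that the rest of this commit adds through `PathHelper.SafelyCombine` is not applied here. If `MapPath` can ever receive a value that is not a fixed configuration string, the return could mirror the call shape used in `RenameAsync` in this commit, `return PathHelper.GetFullPath(PathHelper.SafelyCombine(basePath, basePath, path));`, assuming the first two arguments are the base path and the containment root. The same line appears in the `MapPath` hunk of elFinder.Net.Core/Demos/elFinder.Net.Demo31/Startup.cs below; `MapPath` starts above both hunks, so any handling of a null `basePath` is not visible.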
3 changes: 2 additions & 1 deletion elFinder.Net.Core/Demos/elFinder.Net.Demo31/Startup.cs
Expand Up @@ -9,6 +9,7 @@
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using System.Collections.Generic;
using System.IO;

namespace elFinder.Net.Demo31
{
Expand All @@ -30,7 +31,7 @@ public static string MapPath(string path, string basePath = null)
}

path = path.Replace("~/", "").TrimStart('/').Replace('/', '\\');
return PathHelper.GetFullPath(basePath, path);
return PathHelper.GetFullPath(Path.Combine(basePath, path));
}

public IConfiguration Configuration { get; }
7 changes: 7 additions & 0 deletions elFinder.Net.Core/elFinder.Net.Core/Connector.cs
Expand Up @@ -374,6 +374,13 @@ public virtual async Task<ConnectorResult> ProcessAsync(ConnectorCommand cmd, Ca
if (targetPath.IsDirectory)
throw new NotFileException();

if (putCmd.Encoding == "hash")
{
putCmd.ContentPath = await ParsePathAsync(putCmd.Content, cancellationToken: cancellationToken);
if (putCmd.ContentPath.IsDirectory)
throw new NotFileException();
}

var putResp = await putCmd.TargetPath.Volume.Driver.PutAsync(putCmd, cancellationToken);
return ConnectorResult.Success(putResp);
}
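Review bot: The new `hash` branch only rejects a directory; nothing visible checks that `putCmd.Content` is non-empty before `ParsePathAsync`, or that the resolved `ContentPath` exists and is readable by the caller before it reaches `PutAsync`. This branch appears to let one stored file supply the content of another, so read permission on the source deserves the same explicit treatment as the checks on `targetPath` just above, unless the driver enforces it (not shown). A short comment such as `// encoding "hash": Content is the hash of an existing file, resolved here so the driver never parses it` would also make the intent clear. The enclosing branch of `ProcessAsync` starts and ends outside this hunk.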
@@ -0,0 +1,15 @@
using elFinder.Net.Core.Models.Response;

namespace elFinder.Net.Core.Exceptions
{
public class InvalidDirNameException : ConnectorException
{
public InvalidDirNameException()
{
ErrorResponse = new ErrorResponse(this)
{
error = ErrorResponse.InvalidDirName
};
}
}
}
@@ -0,0 +1,15 @@
using elFinder.Net.Core.Models.Response;

namespace elFinder.Net.Core.Exceptions
{
public class InvalidFileNameException : ConnectorException
{
public InvalidFileNameException()
{
ErrorResponse = new ErrorResponse(this)
{
error = ErrorResponse.InvalidFileName
};
}
}
}
Expand Up @@ -4,5 +4,7 @@ public class PutCommand : TargetCommand
{
public string Content { get; set; }
public string Encoding { get; set; }

public PathInfo ContentPath { get; set; }
}
}
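Review bot: `ContentPath` is added without documentation, and judging by the Connector.cs change in this commit it is only assigned when `Encoding` is `hash`, so it stays null for every other put request. An XML summary on the property would state that, for example `/// <summary>Resolved source file when Encoding is "hash"; null otherwise.</summary>`. Drivers that read it need a null check for the non-hash case.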
8 changes: 7 additions & 1 deletion elFinder.Net.Core/elFinder.Net.Core/Models/PathInfo.cs
@@ -1,17 +1,23 @@
namespace elFinder.Net.Core
using elFinder.Net.Core.Exceptions;

namespace elFinder.Net.Core
{
public class PathInfo
{
public PathInfo(string path, IVolume volume, IFile file, string hashedTarget) : this(path, volume, hashedTarget, false)
{
File = file;
FileSystem = file;

if (!volume.Own(FileSystem)) throw new PermissionDeniedException("Volume must own this path");
}

public PathInfo(string path, IVolume volume, IDirectory dir, string hashedTarget) : this(path, volume, hashedTarget, true)
{
Directory = dir;
FileSystem = dir;

if (!volume.Own(FileSystem)) throw new PermissionDeniedException("Volume must own this path");
}

private PathInfo(string path, IVolume volume, string hashedTarget, bool isDirectory)
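Review bot: The ownership guard added to both public constructors is only as strong as `IVolume.Own`, whose implementation is not part of this section. It is worth confirming that `Own` compares normalised full paths on a directory-separator boundary, so that a sibling whose name merely begins with the root's name is not accepted as inside the volume. The two identical `if (!volume.Own(FileSystem)) throw …` lines could move into one private helper called from both constructors. A null `volume` may surface here as a `NullReferenceException` rather than an argument error, depending on what the chained private constructor does with it.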
Expand Up @@ -84,6 +84,8 @@ public static ErrorResponse Unknown(Exception ex)
public const string CommandNoSupport = "errCmdNoSupport";
public const string NotFile = "errNotFile";
public const string UploadFile = "errUploadFile";
public const string InvalidFileName = "errInvName";
public const string InvalidDirName = "errInvDirname";
#endregion
}
}
@@ -1,4 +1,5 @@
using elFinder.Net.Core;
using elFinder.Net.Drivers.FileSystem.Helpers;
using System;
using System.IO;
using System.Linq;
Expand All @@ -22,7 +23,7 @@ public static class IDirectoryExtensions
}

string newName = $"{name}{suffix}";
if (!Directory.Exists(Path.Combine(directory.Parent.FullName, newName)))
if (!Directory.Exists(PathHelper.SafelyCombine(directory.Parent.FullName, directory.Parent.FullName, newName)))
return newName;
else
{
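Review bot: The call `PathHelper.SafelyCombine(directory.Parent.FullName, directory.Parent.FullName, newName)` passes the same expression twice, which makes the roles of the first two parameters hard to read. Hoisting it into `var parentPath = directory.Parent.FullName;` and adding a comment such as `// base path and containment root are both the parent directory` would help, provided that is what the two parameters mean. If `SafelyCombine` throws when the result leaves the root, this existence probe now throws where it used to return a name, which is presumably intended but worth stating in the method's documentation. The same pattern is in the IFileExtensions hunk with `file.DirectoryName`; both methods start and end outside their hunks.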
@@ -1,4 +1,5 @@
using elFinder.Net.Core;
using elFinder.Net.Drivers.FileSystem.Helpers;
using System;
using System.IO;
using System.Linq;
Expand All @@ -23,7 +24,7 @@ public static class IFileExtensions
}

string newName = $"{name}{suffix}{extension}";
if (!File.Exists(Path.Combine(file.DirectoryName, newName)))
if (!File.Exists(PathHelper.SafelyCombine(file.DirectoryName, file.DirectoryName, newName)))
return newName;
else
{
Expand Up @@ -251,7 +251,7 @@ public virtual Task<IDirectory> RenameAsync(string newName, bool verify = true,

if (verify && !this.CanRename()) throw new PermissionDeniedException();

var newPath = PathHelper.GetFullPath(Parent.FullName, newName);
var newPath = PathHelper.GetFullPath(PathHelper.SafelyCombine(Parent.FullName, Parent.FullName, newName));
directoryInfo.MoveTo(newPath);
return Task.FromResult<IDirectory>(new FileSystemDirectory(newPath, volume));
}
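Review bot: `newName` is combined and passed to `MoveTo` without a visible check that it is a single path segment. `SafelyCombine` presumably keeps the result under `Parent.FullName`, but a name containing a separator could still resolve to a deeper path inside the parent, turning a rename into a move. Unless a caller not shown already validates it, a guard before the combine would close that, for example `if (string.IsNullOrWhiteSpace(newName) || newName != Path.GetFileName(newName)) throw new InvalidDirNameException();`, using the exception this commit introduces. `RenameAsync` starts above the hunk.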
