lsm/Orchard
1
0
Fork 0
mirror of https://github.com/OrchardCMS/Orchard.git synced 2025-04-05 10:06:33 +08:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

6748: Stricter file and folder name validation (#6792)

Browse Source 
* Media Library: More strict file and folder name validation, fixes #6748

* Resetting MediaLibraryService changes to 1.10.x

* Code styling in FileSystemStorageProvider

* Adding string file and folder name validation to FileSystemStorageProvider, so that MediaLibrary components don't need to do it separately

* Applying the same file and folder name validation to AzureFileSystem too

* Code styling and fixes in AzureFileSystem, MediaLibrary and IStorageProvider

* Simplifying invalid character detection

* Code styling

* Adding InvalidNameCharacterException to be able to handle invalid characters precisely at various user-facing components

* Updating MediaLibrary not to log an error when a file can't be uploaded due to invalid characters

---------

Co-authored-by: Lombiq <github@lombiq.com>
This commit is contained in:
Benedek Farkas 2024-04-18 21:37:48 +02:00 committed by GitHub
parent 3a6810ec67
commit 0b86413e60
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
12 changed files with 150 additions and 93 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
src/Orchard.Web/Modules/Orchard.Azure/Services/FileSystems/AzureFileSystem.cs
View File

@ -89,6 +89,8 @@ namespace Orchard.Azure.Services.FileSystems {
return newPath; return newPath;
} }
private static string GetFolderName(string path) => path.Substring(path.LastIndexOf('/') + 1);
public string Combine(string path1, string path2) { public string Combine(string path1, string path2) {
if (path1 == null) { if (path1 == null) {
throw new ArgumentNullException("path1"); throw new ArgumentNullException("path1");
@ -141,10 +143,10 @@ namespace Orchard.Azure.Services.FileSystems {
} }
return BlobClient.ListBlobs(prefix) return BlobClient.ListBlobs(prefix)
.OfType<CloudBlockBlob>() .OfType<CloudBlockBlob>()
.Where(blobItem => !blobItem.Uri.AbsoluteUri.EndsWith(FolderEntry)) .Where(blobItem => !blobItem.Uri.AbsoluteUri.EndsWith(FolderEntry))
.Select(blobItem => new AzureBlobFileStorage(blobItem, _absoluteRoot)) .Select(blobItem => new AzureBlobFileStorage(blobItem, _absoluteRoot))
.ToArray(); .ToArray();
} }
public IEnumerable<IStorageFolder> ListFolders(string path) { public IEnumerable<IStorageFolder> ListFolders(string path) {
@ -194,6 +196,11 @@ namespace Orchard.Azure.Services.FileSystems {
public void CreateFolder(string path) { public void CreateFolder(string path) {
path = ConvertToRelativeUriPath(path); path = ConvertToRelativeUriPath(path);
if (FileSystemStorageProvider.FolderNameContainsInvalidCharacters(GetFolderName(path))) {
throw new InvalidNameCharacterException("The directory name contains invalid character(s)");
}
Container.EnsureDirectoryDoesNotExist(String.Concat(_root, path)); Container.EnsureDirectoryDoesNotExist(String.Concat(_root, path));
// Creating a virtually hidden file to make the directory an existing concept // Creating a virtually hidden file to make the directory an existing concept
@ -225,6 +232,10 @@ namespace Orchard.Azure.Services.FileSystems {
path = ConvertToRelativeUriPath(path); path = ConvertToRelativeUriPath(path);
newPath = ConvertToRelativeUriPath(newPath); newPath = ConvertToRelativeUriPath(newPath);
if (FileSystemStorageProvider.FolderNameContainsInvalidCharacters(GetFolderName(newPath))) {
throw new InvalidNameCharacterException("The new directory name contains invalid character(s)");
}
if (!path.EndsWith("/")) if (!path.EndsWith("/"))
path += "/"; path += "/";
@ -260,6 +271,10 @@ namespace Orchard.Azure.Services.FileSystems {
path = ConvertToRelativeUriPath(path); path = ConvertToRelativeUriPath(path);
newPath = ConvertToRelativeUriPath(newPath); newPath = ConvertToRelativeUriPath(newPath);
if (FileSystemStorageProvider.FileNameContainsInvalidCharacters(Path.GetFileName(newPath))) {
throw new InvalidNameCharacterException("The new file name contains invalid character(s)");
}
Container.EnsureBlobExists(String.Concat(_root, path)); Container.EnsureBlobExists(String.Concat(_root, path));
Container.EnsureBlobDoesNotExist(String.Concat(_root, newPath)); Container.EnsureBlobDoesNotExist(String.Concat(_root, newPath));
@ -284,6 +299,10 @@ namespace Orchard.Azure.Services.FileSystems {
public IStorageFile CreateFile(string path) { public IStorageFile CreateFile(string path) {
path = ConvertToRelativeUriPath(path); path = ConvertToRelativeUriPath(path);
if (FileSystemStorageProvider.FileNameContainsInvalidCharacters(Path.GetFileName(path))) {
throw new InvalidNameCharacterException("The file name contains invalid character(s)");
}
if (Container.BlobExists(String.Concat(_root, path))) { if (Container.BlobExists(String.Concat(_root, path))) {
throw new ArgumentException("File " + path + " already exists"); throw new ArgumentException("File " + path + " already exists");
} }
@ -371,10 +390,7 @@ namespace Orchard.Azure.Services.FileSystems {
_rootPath = rootPath; _rootPath = rootPath;
} }
public string GetName() { public string GetName() => GetFolderName(GetPath());
var path = GetPath();
return path.Substring(path.LastIndexOf('/') + 1);
}
public string GetPath() { public string GetPath() {
return _blob.Uri.ToString().Substring(_rootPath.Length).Trim('/'); return _blob.Uri.ToString().Substring(_rootPath.Length).Trim('/');
@ -399,11 +415,12 @@ namespace Orchard.Azure.Services.FileSystems {
long size = 0; long size = 0;
foreach (var blobItem in directoryBlob.ListBlobs()) { foreach (var blobItem in directoryBlob.ListBlobs()) {
if (blobItem is CloudBlockBlob) if (blobItem is CloudBlockBlob blob) {
size += ((CloudBlockBlob)blobItem).Properties.Length; size += blob.Properties.Length;
}
if (blobItem is CloudBlobDirectory) else if (blobItem is CloudBlobDirectory directory) {
size += GetDirectorySize((CloudBlobDirectory)blobItem); size += GetDirectorySize(directory);
}
} }
return size; return size;

30
src/Orchard.Web/Modules/Orchard.MediaLibrary/Controllers/ClientStorageController.cs
View File

@ -3,15 +3,14 @@ using System.Collections.Generic;
using System.IO; using System.IO;
using System.Web.Mvc; using System.Web.Mvc;
using Orchard.ContentManagement; using Orchard.ContentManagement;
using Orchard.FileSystems.Media;
using Orchard.Localization;
using Orchard.Logging;
using Orchard.MediaLibrary.Models;
using Orchard.MediaLibrary.Services; using Orchard.MediaLibrary.Services;
using Orchard.MediaLibrary.ViewModels; using Orchard.MediaLibrary.ViewModels;
using Orchard.Themes; using Orchard.Themes;
using Orchard.UI.Admin; using Orchard.UI.Admin;
using Orchard.MediaLibrary.Models;
using Orchard.Localization;
using System.Linq;
using Orchard.FileSystems.Media;
using Orchard.Logging;
namespace Orchard.MediaLibrary.Controllers { namespace Orchard.MediaLibrary.Controllers {
[Admin, Themed(false)] [Admin, Themed(false)]
@ -107,10 +106,16 @@ namespace Orchard.MediaLibrary.Controllers {
url = mediaPart.FileName, url = mediaPart.FileName,
}); });
} }
catch (Exception ex) { catch (InvalidNameCharacterException) {
Logger.Error(ex, "Unexpected exception when uploading a media.");
statuses.Add(new { statuses.Add(new {
error = T(ex.Message).Text, error = T("The file name contains invalid character(s)").Text,
progress = 1.0,
});
}
catch (Exception ex) {
Logger.Error(ex, T("Unexpected exception when uploading a media.").Text);
statuses.Add(new {
error = ex.Message,
progress = 1.0, progress = 1.0,
}); });
} }
@ -130,7 +135,7 @@ namespace Orchard.MediaLibrary.Controllers {
return HttpNotFound(); return HttpNotFound();
// Check permission // Check permission
if (!(_mediaLibraryService.CheckMediaFolderPermission(Permissions.EditMediaContent, replaceMedia.FolderPath) && _mediaLibraryService.CheckMediaFolderPermission(Permissions.ImportMediaContent, replaceMedia.FolderPath)) if (!(_mediaLibraryService.CheckMediaFolderPermission(Permissions.EditMediaContent, replaceMedia.FolderPath) && _mediaLibraryService.CheckMediaFolderPermission(Permissions.ImportMediaContent, replaceMedia.FolderPath))
&& !_mediaLibraryService.CanManageMediaFolder(replaceMedia.FolderPath)) { && !_mediaLibraryService.CanManageMediaFolder(replaceMedia.FolderPath)) {
return new HttpUnauthorizedResult(); return new HttpUnauthorizedResult();
} }
@ -138,7 +143,7 @@ namespace Orchard.MediaLibrary.Controllers {
var statuses = new List<object>(); var statuses = new List<object>();
var settings = Services.WorkContext.CurrentSite.As<MediaLibrarySettingsPart>(); var settings = Services.WorkContext.CurrentSite.As<MediaLibrarySettingsPart>();
// Loop through each file in the request // Loop through each file in the request
for (int i = 0; i < HttpContext.Request.Files.Count; i++) { for (int i = 0; i < HttpContext.Request.Files.Count; i++) {
// Pointer to file // Pointer to file
@ -146,7 +151,8 @@ namespace Orchard.MediaLibrary.Controllers {
var filename = Path.GetFileName(file.FileName); var filename = Path.GetFileName(file.FileName);
// if the file has been pasted, provide a default name // if the file has been pasted, provide a default name
if (file.ContentType.Equals("image/png", StringComparison.InvariantCultureIgnoreCase) && !filename.EndsWith(".png", StringComparison.InvariantCultureIgnoreCase)) { if (file.ContentType.Equals("image/png", StringComparison.InvariantCultureIgnoreCase)
&& !filename.EndsWith(".png", StringComparison.InvariantCultureIgnoreCase)) {
filename = "clipboard.png"; filename = "clipboard.png";
} }
@ -184,7 +190,7 @@ namespace Orchard.MediaLibrary.Controllers {
}); });
} }
catch (Exception ex) { catch (Exception ex) {
Logger.Error(ex, "Unexpected exception when uploading a media."); Logger.Error(ex, T("Unexpected exception when uploading a media.").Text);
statuses.Add(new { statuses.Add(new {
error = T(ex.Message).Text, error = T(ex.Message).Text,

44
src/Orchard.Web/Modules/Orchard.MediaLibrary/Controllers/FolderController.cs
View File

@ -1,9 +1,9 @@
using System; using System;
using System.IO; using System.IO;
using System.Linq; using System.Linq;
using System.Text.RegularExpressions;
using System.Web.Mvc; using System.Web.Mvc;
using Orchard.ContentManagement; using Orchard.ContentManagement;
using Orchard.FileSystems.Media;
using Orchard.Localization; using Orchard.Localization;
using Orchard.Logging; using Orchard.Logging;
using Orchard.MediaLibrary.Models; using Orchard.MediaLibrary.Models;
@ -36,7 +36,7 @@ namespace Orchard.MediaLibrary.Controllers {
public ActionResult Create(string folderPath) { public ActionResult Create(string folderPath) {
if (!(_mediaLibraryService.CheckMediaFolderPermission(Permissions.ImportMediaContent, folderPath) || _mediaLibraryService.CheckMediaFolderPermission(Permissions.EditMediaContent, folderPath))) { if (!(_mediaLibraryService.CheckMediaFolderPermission(Permissions.ImportMediaContent, folderPath) || _mediaLibraryService.CheckMediaFolderPermission(Permissions.EditMediaContent, folderPath))) {
Services.Notifier.Error(T("Couldn't create media folder")); Services.Notifier.Error(T("Couldn't create media folder"));
return RedirectToAction("Index", "Admin", new { area = "Orchard.MediaLibrary", folderPath = folderPath }); return RedirectToAction("Index", "Admin", new { area = "Orchard.MediaLibrary", folderPath });
} }
// If the user is trying to access a folder above his boundaries, redirect him to his home folder // If the user is trying to access a folder above his boundaries, redirect him to his home folder
@ -68,28 +68,32 @@ namespace Orchard.MediaLibrary.Controllers {
return new HttpUnauthorizedResult(); return new HttpUnauthorizedResult();
} }
var failed = false;
try { try {
bool valid = String.IsNullOrWhiteSpace(viewModel.Name) || Regex.IsMatch(viewModel.Name, @"^[^:?#\[\]@!$&'()*+,.;=\s\""\<\>\\\|%]+$"); _mediaLibraryService.CreateFolder(viewModel.FolderPath, viewModel.Name);
if (!valid) { Services.Notifier.Information(T("Media folder created"));
throw new ArgumentException(T("Folder contains invalid characters").ToString()); }
} catch (InvalidNameCharacterException) {
else { Services.Notifier.Error(T("The folder name contains invalid character(s)."));
_mediaLibraryService.CreateFolder(viewModel.FolderPath, viewModel.Name); failed = true;
Services.Notifier.Information(T("Media folder created"));
}
} }
catch (ArgumentException argumentException) { catch (ArgumentException argumentException) {
Services.Notifier.Error(T("Creating Folder failed: {0}", argumentException.Message)); Services.Notifier.Error(T("Creating Folder failed: {0}", argumentException.Message));
failed = true;
}
if (failed) {
Services.TransactionManager.Cancel(); Services.TransactionManager.Cancel();
return View(viewModel); return View(viewModel);
} }
return RedirectToAction("Index", "Admin", new { area = "Orchard.MediaLibrary" }); return RedirectToAction("Index", "Admin", new { area = "Orchard.MediaLibrary" });
} }
public ActionResult Edit(string folderPath) { public ActionResult Edit(string folderPath) {
if (!(_mediaLibraryService.CheckMediaFolderPermission(Permissions.ImportMediaContent, folderPath) || _mediaLibraryService.CheckMediaFolderPermission(Permissions.EditMediaContent, folderPath))) { if (!(_mediaLibraryService.CheckMediaFolderPermission(Permissions.ImportMediaContent, folderPath) || _mediaLibraryService.CheckMediaFolderPermission(Permissions.EditMediaContent, folderPath))) {
Services.Notifier.Error(T("Couldn't edit media folder")); Services.Notifier.Error(T("Couldn't edit media folder"));
return RedirectToAction("Index", "Admin", new { area = "Orchard.MediaLibrary", folderPath = folderPath }); return RedirectToAction("Index", "Admin", new { area = "Orchard.MediaLibrary", folderPath });
} }
if (!_mediaLibraryService.CanManageMediaFolder(folderPath)) { if (!_mediaLibraryService.CanManageMediaFolder(folderPath)) {
@ -125,7 +129,7 @@ namespace Orchard.MediaLibrary.Controllers {
var viewModel = new MediaManagerFolderEditViewModel(); var viewModel = new MediaManagerFolderEditViewModel();
UpdateModel(viewModel); UpdateModel(viewModel);
if (!(_mediaLibraryService.CheckMediaFolderPermission(Permissions.ImportMediaContent, viewModel.FolderPath) if (!(_mediaLibraryService.CheckMediaFolderPermission(Permissions.ImportMediaContent, viewModel.FolderPath)
|| _mediaLibraryService.CheckMediaFolderPermission(Permissions.EditMediaContent, viewModel.FolderPath))) { || _mediaLibraryService.CheckMediaFolderPermission(Permissions.EditMediaContent, viewModel.FolderPath))) {
return new HttpUnauthorizedResult(); return new HttpUnauthorizedResult();
} }
@ -136,14 +140,12 @@ namespace Orchard.MediaLibrary.Controllers {
} }
try { try {
bool valid = String.IsNullOrWhiteSpace(viewModel.Name) || Regex.IsMatch(viewModel.Name, @"^[^:?#\[\]@!$&'()*+,.;=\s\""\<\>\\\|%]+$"); _mediaLibraryService.RenameFolder(viewModel.FolderPath, viewModel.Name);
if (!valid) { Services.Notifier.Information(T("Media folder renamed"));
throw new ArgumentException(T("Folder contains invalid characters").ToString()); }
} catch (InvalidNameCharacterException) {
else { Services.Notifier.Error(T("The folder name contains invalid character(s)."));
_mediaLibraryService.RenameFolder(viewModel.FolderPath, viewModel.Name); return View(viewModel);
Services.Notifier.Information(T("Media folder renamed"));
}
} }
catch (Exception exception) { catch (Exception exception) {
Services.Notifier.Error(T("Editing Folder failed: {0}", exception.Message)); Services.Notifier.Error(T("Editing Folder failed: {0}", exception.Message));
@ -198,7 +200,7 @@ namespace Orchard.MediaLibrary.Controllers {
// don't try to rename the file if there is no associated media file // don't try to rename the file if there is no associated media file
if (!string.IsNullOrEmpty(media.FileName)) { if (!string.IsNullOrEmpty(media.FileName)) {
// check permission on source folder // check permission on source folder
if(!_mediaLibraryService.CheckMediaFolderPermission(Permissions.DeleteMediaContent, media.FolderPath)) { if (!_mediaLibraryService.CheckMediaFolderPermission(Permissions.DeleteMediaContent, media.FolderPath)) {
return new HttpUnauthorizedResult(); return new HttpUnauthorizedResult();
} }

16
src/Orchard.Web/Modules/Orchard.MediaLibrary/MediaFileName/MediaFileNameDriver.cs
View File

@ -1,14 +1,14 @@
using System; using System;
using Orchard.ContentManagement; using Orchard.ContentManagement;
using Orchard.ContentManagement.Drivers; using Orchard.ContentManagement.Drivers;
using Orchard.FileSystems.Media;
using Orchard.Localization; using Orchard.Localization;
using Orchard.MediaLibrary.Models; using Orchard.MediaLibrary.Models;
using Orchard.MediaLibrary.Services; using Orchard.MediaLibrary.Services;
using Orchard.Security; using Orchard.Security;
using Orchard.UI.Notify; using Orchard.UI.Notify;
namespace Orchard.MediaLibrary.MediaFileName namespace Orchard.MediaLibrary.MediaFileName {
{
public class MediaFileNameDriver : ContentPartDriver<MediaPart> { public class MediaFileNameDriver : ContentPartDriver<MediaPart> {
private readonly IAuthenticationService _authenticationService; private readonly IAuthenticationService _authenticationService;
private readonly IAuthorizationService _authorizationService; private readonly IAuthorizationService _authorizationService;
@ -58,6 +58,8 @@ namespace Orchard.MediaLibrary.MediaFileName
var priorFileName = model.FileName; var priorFileName = model.FileName;
if (updater.TryUpdateModel(model, Prefix, null, null)) { if (updater.TryUpdateModel(model, Prefix, null, null)) {
if (model.FileName != null && !model.FileName.Equals(priorFileName, StringComparison.OrdinalIgnoreCase)) { if (model.FileName != null && !model.FileName.Equals(priorFileName, StringComparison.OrdinalIgnoreCase)) {
var fieldName = "MediaFileNameEditorSettings.FileName";
try { try {
_mediaLibraryService.RenameFile(part.FolderPath, priorFileName, model.FileName); _mediaLibraryService.RenameFile(part.FolderPath, priorFileName, model.FileName);
part.FileName = model.FileName; part.FileName = model.FileName;
@ -65,14 +67,18 @@ namespace Orchard.MediaLibrary.MediaFileName
_notifier.Add(NotifyType.Information, T("File '{0}' was renamed to '{1}'", priorFileName, model.FileName)); _notifier.Add(NotifyType.Information, T("File '{0}' was renamed to '{1}'", priorFileName, model.FileName));
} }
catch (OrchardException) { catch (OrchardException) {
updater.AddModelError("MediaFileNameEditorSettings.FileName", T("Unable to rename file. Invalid Windows file path.")); updater.AddModelError(fieldName, T("Unable to rename file. Invalid Windows file path."));
} }
catch (Exception) { catch (InvalidNameCharacterException) {
updater.AddModelError("MediaFileNameEditorSettings.FileName", T("Unable to rename file")); updater.AddModelError(fieldName, T("The file name contains invalid character(s)."));
}
catch (Exception exception) {
updater.AddModelError(fieldName, T("Unable to rename file: {0}", exception.Message));
} }
} }
} }
} }
return model; return model;
}); });
} }

21
src/Orchard.Web/Modules/Orchard.MediaLibrary/Services/MediaLibraryService.cs
View File

@ -6,13 +6,13 @@ using System.Web;
using Orchard.ContentManagement; using Orchard.ContentManagement;
using Orchard.ContentManagement.MetaData.Models; using Orchard.ContentManagement.MetaData.Models;
using Orchard.Core.Common.Models; using Orchard.Core.Common.Models;
using Orchard.Core.Title.Models;
using Orchard.FileSystems.Media; using Orchard.FileSystems.Media;
using Orchard.Localization; using Orchard.Localization;
using Orchard.MediaLibrary.Factories; using Orchard.MediaLibrary.Factories;
using Orchard.MediaLibrary.Models; using Orchard.MediaLibrary.Models;
using Orchard.Core.Title.Models;
using Orchard.Validation;
using Orchard.MediaLibrary.Providers; using Orchard.MediaLibrary.Providers;
using Orchard.Validation;
namespace Orchard.MediaLibrary.Services { namespace Orchard.MediaLibrary.Services {
public class MediaLibraryService : IMediaLibraryService { public class MediaLibraryService : IMediaLibraryService {
@ -21,7 +21,6 @@ namespace Orchard.MediaLibrary.Services {
private readonly IStorageProvider _storageProvider; private readonly IStorageProvider _storageProvider;
private readonly IEnumerable<IMediaFactorySelector> _mediaFactorySelectors; private readonly IEnumerable<IMediaFactorySelector> _mediaFactorySelectors;
private readonly IMediaFolderProvider _mediaFolderProvider; private readonly IMediaFolderProvider _mediaFolderProvider;
private static char[] HttpUnallowed = new char[] { '<', '>', '*', '%', '&', ':', '\\', '?', '#' };
public MediaLibraryService( public MediaLibraryService(
IOrchardServices orchardServices, IOrchardServices orchardServices,
@ -145,12 +144,6 @@ namespace Orchard.MediaLibrary.Services {
} }
public string GetUniqueFilename(string folderPath, string filename) { public string GetUniqueFilename(string folderPath, string filename) {
// remove any char which is unallowed in an HTTP request
foreach (var unallowedChar in HttpUnallowed) {
filename = filename.Replace(unallowedChar.ToString(), "");
}
// compute a unique filename // compute a unique filename
var uniqueFilename = filename; var uniqueFilename = filename;
var index = 1; var index = 1;
@ -177,9 +170,9 @@ namespace Orchard.MediaLibrary.Services {
var mediaFile = BuildMediaFile(relativePath, storageFile); var mediaFile = BuildMediaFile(relativePath, storageFile);
using (var stream = storageFile.OpenRead()) { using (var stream = storageFile.OpenRead()) {
var mediaFactory = GetMediaFactory(stream, mimeType, contentType); var mediaFactory = GetMediaFactory(stream, mimeType, contentType)
if (mediaFactory == null) ?? throw new Exception(T("No media factory available to handle this resource.").Text);
throw new Exception(T("No media factory available to handle this resource.").Text);
var mediaPart = mediaFactory.CreateMedia(stream, mediaFile.Name, mimeType, contentType); var mediaPart = mediaFactory.CreateMedia(stream, mediaFile.Name, mimeType, contentType);
if (mediaPart != null) { if (mediaPart != null) {
mediaPart.FolderPath = relativePath; mediaPart.FolderPath = relativePath;
@ -256,7 +249,7 @@ namespace Orchard.MediaLibrary.Services {
if (_orchardServices.Authorizer.Authorize(Permissions.ManageMediaContent)) { if (_orchardServices.Authorizer.Authorize(Permissions.ManageMediaContent)) {
return true; return true;
} }
if (_orchardServices.WorkContext.CurrentUser==null) if (_orchardServices.WorkContext.CurrentUser == null)
return _orchardServices.Authorizer.Authorize(permission); return _orchardServices.Authorizer.Authorize(permission);
// determines the folder type: public, user own folder (my), folder of another user (private) // determines the folder type: public, user own folder (my), folder of another user (private)
var rootedFolderPath = this.GetRootedFolderPath(folderPath) ?? ""; var rootedFolderPath = this.GetRootedFolderPath(folderPath) ?? "";
@ -268,7 +261,7 @@ namespace Orchard.MediaLibrary.Services {
isMyfolder = true; isMyfolder = true;
} }
if(isMyfolder) { if (isMyfolder) {
return _orchardServices.Authorizer.Authorize(Permissions.ManageOwnMedia); return _orchardServices.Authorizer.Authorize(Permissions.ManageOwnMedia);
} }
else { // other else { // other

4
src/Orchard/Exceptions/DefaultExceptionPolicy.cs
View File

@ -34,7 +34,7 @@ namespace Orchard.Exceptions {
return false; return false;
} }
if (sender is IEventBus && exception is OrchardFatalException) { if (sender is IEventBus && exception is OrchardFatalException) {
return false; return false;
} }
@ -49,7 +49,7 @@ namespace Orchard.Exceptions {
} }
private static bool IsFatal(Exception exception) { private static bool IsFatal(Exception exception) {
return return
exception is OrchardSecurityException || exception is OrchardSecurityException ||
exception is StackOverflowException || exception is StackOverflowException ||
exception is AccessViolationException || exception is AccessViolationException ||

9
src/Orchard/Exceptions/ExceptionExtensions.cs
View File

@ -1,11 +1,8 @@
using System; using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using Orchard.Security;
using System.Threading;
using System.Security;
using System.Runtime.InteropServices; using System.Runtime.InteropServices;
using System.Security;
using System.Threading;
using Orchard.Security;
namespace Orchard.Exceptions { namespace Orchard.Exceptions {
public static class ExceptionExtensions { public static class ExceptionExtensions {

61
src/Orchard/FileSystems/Media/FileSystemStorageProvider.cs
View File

@ -4,15 +4,22 @@ using System.IO;
using System.Linq; using System.Linq;
using System.Web.Hosting; using System.Web.Hosting;
using Orchard.Environment.Configuration; using Orchard.Environment.Configuration;
using Orchard.Localization;
using Orchard.Validation;
using Orchard.Exceptions; using Orchard.Exceptions;
using Orchard.Localization;
using Orchard.Utility.Extensions;
using Orchard.Validation;
namespace Orchard.FileSystems.Media { namespace Orchard.FileSystems.Media {
public class FileSystemStorageProvider : IStorageProvider { public class FileSystemStorageProvider : IStorageProvider {
private readonly string _storagePath; // c:\orchard\media\default private readonly string _storagePath; // c:\orchard\media\default
private readonly string _virtualPath; // ~/Media/Default/ private readonly string _virtualPath; // ~/Media/Default/
private readonly string _publicPath; // /Orchard/Media/Default/ private readonly string _publicPath; // /Orchard/Media/Default/
public static readonly char[] HttpUnallowedCharacters =
new char[] { '<', '>', '*', '%', '&', ':', '\\', '/', '?', '#', '"', '{', '}', '|', '^', '[', ']', '`' };
public static readonly char[] InvalidFolderNameCharacters =
Path.GetInvalidPathChars().Union(HttpUnallowedCharacters).ToArray();
public static readonly char[] InvalidFileNameCharacters =
Path.GetInvalidFileNameChars().Union(HttpUnallowedCharacters).ToArray();
public FileSystemStorageProvider(ShellSettings settings) { public FileSystemStorageProvider(ShellSettings settings) {
var mediaPath = HostingEnvironment.IsHosted var mediaPath = HostingEnvironment.IsHosted
@ -27,7 +34,7 @@ namespace Orchard.FileSystems.Media {
appPath = HostingEnvironment.ApplicationVirtualPath; appPath = HostingEnvironment.ApplicationVirtualPath;
} }
if (!appPath.EndsWith("/")) if (!appPath.EndsWith("/"))
appPath = appPath + '/'; appPath += '/';
if (!appPath.StartsWith("/")) if (!appPath.StartsWith("/"))
appPath = '/' + appPath; appPath = '/' + appPath;
@ -39,21 +46,21 @@ namespace Orchard.FileSystems.Media {
public Localizer T { get; set; } public Localizer T { get; set; }
public int MaxPathLength { /// <summary>
get; set; /// The public setter allows injecting this from Sites.MyTenant.Config or Sites.config, by using an AutoFac
// The public setter allows injecting this from Sites.MyTenant.Config or Sites.config, by using /// component. See the example below.
// an AutoFac component: /// </summary>
/* /*
<component instance-scope="per-lifetime-scope" <component
type="Orchard.FileSystems.Media.FileSystemStorageProvider, Orchard.Framework" instance-scope="per-lifetime-scope"
service="Orchard.FileSystems.Media.IStorageProvider"> service="Orchard.FileSystems.Media.IStorageProvider"
type="Orchard.FileSystems.Media.FileSystemStorageProvider, Orchard.Framework">
<properties> <properties>
<property name="MaxPathLength" value="500" /> <property name="MaxPathLength" value="500" />
</properties> </properties>
</component> </component>
*/
*/ public int MaxPathLength { get; set; }
}
/// <summary> /// <summary>
/// Maps a relative path into the storage path. /// Maps a relative path into the storage path.
@ -215,6 +222,12 @@ namespace Orchard.FileSystems.Media {
/// <param name="path">The relative path to the folder to be created.</param> /// <param name="path">The relative path to the folder to be created.</param>
/// <exception cref="ArgumentException">If the folder already exists.</exception> /// <exception cref="ArgumentException">If the folder already exists.</exception>
public void CreateFolder(string path) { public void CreateFolder(string path) {
// We are dealing with a folder here, but GetFileName returns the last path segment, which in this case is
// the folder name.
if (FolderNameContainsInvalidCharacters(Path.GetFileName(path))) {
throw new InvalidNameCharacterException(T("The directory name contains invalid character(s)").ToString());
}
DirectoryInfo directoryInfo = new DirectoryInfo(MapStorage(path)); DirectoryInfo directoryInfo = new DirectoryInfo(MapStorage(path));
if (directoryInfo.Exists) { if (directoryInfo.Exists) {
throw new ArgumentException(T("Directory {0} already exists", path).ToString()); throw new ArgumentException(T("Directory {0} already exists", path).ToString());
@ -248,6 +261,12 @@ namespace Orchard.FileSystems.Media {
throw new ArgumentException(T("Directory {0} does not exist", oldPath).ToString()); throw new ArgumentException(T("Directory {0} does not exist", oldPath).ToString());
} }
// We are dealing with a folder here, but GetFileName returns the last path segment, which in this case is
// the folder name.
if (FolderNameContainsInvalidCharacters(Path.GetFileName(newPath))) {
throw new InvalidNameCharacterException(T("The new directory name contains invalid character(s)").ToString());
}
DirectoryInfo targetDirectory = new DirectoryInfo(MapStorage(newPath)); DirectoryInfo targetDirectory = new DirectoryInfo(MapStorage(newPath));
if (targetDirectory.Exists) { if (targetDirectory.Exists) {
throw new ArgumentException(T("Directory {0} already exists", newPath).ToString()); throw new ArgumentException(T("Directory {0} already exists", newPath).ToString());
@ -313,6 +332,10 @@ namespace Orchard.FileSystems.Media {
throw new ArgumentException(T("File {0} does not exist", oldPath).ToString()); throw new ArgumentException(T("File {0} does not exist", oldPath).ToString());
} }
if (FileNameContainsInvalidCharacters(Path.GetFileName(newPath))) {
throw new InvalidNameCharacterException(T("The new file name contains invalid character(s)").ToString());
}
FileInfo targetFileInfo = new FileInfo(MapStorage(newPath)); FileInfo targetFileInfo = new FileInfo(MapStorage(newPath));
if (targetFileInfo.Exists) { if (targetFileInfo.Exists) {
throw new ArgumentException(T("File {0} already exists", newPath).ToString()); throw new ArgumentException(T("File {0} already exists", newPath).ToString());
@ -342,6 +365,10 @@ namespace Orchard.FileSystems.Media {
/// <exception cref="ArgumentException">If the file already exists.</exception> /// <exception cref="ArgumentException">If the file already exists.</exception>
/// <returns>The created file.</returns> /// <returns>The created file.</returns>
public IStorageFile CreateFile(string path) { public IStorageFile CreateFile(string path) {
if (FileNameContainsInvalidCharacters(Path.GetFileName(path))) {
throw new InvalidNameCharacterException(T("The file name contains invalid character(s)").ToString());
}
FileInfo fileInfo = new FileInfo(MapStorage(path)); FileInfo fileInfo = new FileInfo(MapStorage(path));
if (fileInfo.Exists) { if (fileInfo.Exists) {
throw new ArgumentException(T("File {0} already exists", fileInfo.Name).ToString()); throw new ArgumentException(T("File {0} already exists", fileInfo.Name).ToString());
@ -427,6 +454,12 @@ namespace Orchard.FileSystems.Media {
return (di.Attributes & FileAttributes.Hidden) != 0; return (di.Attributes & FileAttributes.Hidden) != 0;
} }
public static bool FolderNameContainsInvalidCharacters(string folderName) =>
folderName.IndexOfAny(InvalidFolderNameCharacters) > -1;
public static bool FileNameContainsInvalidCharacters(string fileName) =>
fileName.IndexOfAny(InvalidFileNameCharacters) > -1;
#endregion #endregion
private class FileSystemStorageFile : IStorageFile { private class FileSystemStorageFile : IStorageFile {

2
src/Orchard/FileSystems/Media/IStorageProvider.cs
View File

@ -128,7 +128,7 @@ namespace Orchard.FileSystems.Media {
void SaveStream(string path, Stream inputStream); void SaveStream(string path, Stream inputStream);
/// <summary> /// <summary>
/// Combines to paths. /// Combines two paths.
/// </summary> /// </summary>
/// <param name="path1">The parent path.</param> /// <param name="path1">The parent path.</param>
/// <param name="path2">The child path.</param> /// <param name="path2">The child path.</param>

7
src/Orchard/FileSystems/Media/InvalidNameCharacterException.cs Normal file
View File

@ -0,0 +1,7 @@
using System;
namespace Orchard.FileSystems.Media {
public class InvalidNameCharacterException : ArgumentException {
public InvalidNameCharacterException(string message) : base(message) { }
}
}

4
src/Orchard/FileSystems/Media/StorageProviderExtensions.cs
View File

@ -1,9 +1,5 @@
using System; using System;
using System.Collections.Generic;
using System.IO; using System.IO;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
namespace Orchard.FileSystems.Media { namespace Orchard.FileSystems.Media {
public static class StorageProviderExtensions { public static class StorageProviderExtensions {

2
src/Orchard/Orchard.Framework.csproj
View File

@ -45,7 +45,6 @@
<CodeAnalysisRuleSet>..\OrchardBasicCorrectness.ruleset</CodeAnalysisRuleSet> <CodeAnalysisRuleSet>..\OrchardBasicCorrectness.ruleset</CodeAnalysisRuleSet>
<Prefer32Bit>false</Prefer32Bit> <Prefer32Bit>false</Prefer32Bit>
<UseVSHostingProcess>false</UseVSHostingProcess> <UseVSHostingProcess>false</UseVSHostingProcess>
<NoWarn></NoWarn>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' "> <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<DebugType>pdbonly</DebugType> <DebugType>pdbonly</DebugType>
@ -159,6 +158,7 @@
<Compile Include="Data\Migration\Schema\DropUniqueConstraintCommand.cs" /> <Compile Include="Data\Migration\Schema\DropUniqueConstraintCommand.cs" />
<Compile Include="Environment\Extensions\Models\LifecycleStatus.cs" /> <Compile Include="Environment\Extensions\Models\LifecycleStatus.cs" />
<Compile Include="Environment\ShellBuilders\ICompositionStrategy.cs" /> <Compile Include="Environment\ShellBuilders\ICompositionStrategy.cs" />
<Compile Include="FileSystems\Media\InvalidNameCharacterException.cs" />
<Compile Include="Mvc\ModelBinders\BooleanBinderProvider.cs" /> <Compile Include="Mvc\ModelBinders\BooleanBinderProvider.cs" />
<Compile Include="Mvc\Updater.cs" /> <Compile Include="Mvc\Updater.cs" />
<Compile Include="Recipes\Models\ConfigurationContext.cs" /> <Compile Include="Recipes\Models\ConfigurationContext.cs" />