| author | Luke Pulverenti <luke.pulverenti@gmail.com> | 2015-05-13 00:16:55 -0400 |
|---|---|---|
| committer | Luke Pulverenti <luke.pulverenti@gmail.com> | 2015-05-13 00:16:55 -0400 |
| commit | dca5101e46f501397bf6f3e0800a5d1b3b705710 (patch) | |
| tree | 4a9f1f0844ede389ded348177e5413f7ad1ec47f | |
| parent | 1483c3f8feb0211a6f224509b9a67d63bfe04fb5 (diff) | |
Prevent directory browsing
| -rw-r--r-- | MediaBrowser.WebDashboard/Api/PackageCreator.cs | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/MediaBrowser.WebDashboard/Api/PackageCreator.cs b/MediaBrowser.WebDashboard/Api/PackageCreator.cs
index 34a7f0eac..18dc2cf51 100644
--- a/MediaBrowser.WebDashboard/Api/PackageCreator.cs
+++ b/MediaBrowser.WebDashboard/Api/PackageCreator.cs
@@ -102,7 +102,17 @@ namespace MediaBrowser.WebDashboard.Api
 /// <returns>System.String.</returns>
 private string GetDashboardResourcePath(string virtualPath)
 {
- return Path.Combine(DashboardUIPath, virtualPath.Replace('/', Path.DirectorySeparatorChar));
+ var rootPath = DashboardUIPath;
+
+ var fullPath = Path.Combine(rootPath, virtualPath.Replace('/', Path.DirectorySeparatorChar));
+
+ // Don't allow file system access outside of the source folder
+ if (!_fileSystem.ContainsSubPath(rootPath, fullPath))
+ {
+ throw new UnauthorizedAccessException();
+ }
+
+ return fullPath;
 }
 
 /// <summary>
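Review bot: The containment check on the added `if (!_fileSystem.ContainsSubPath(rootPath, fullPath))` line is only as strong as the canonicalisation it receives, and `fullPath` is never canonicalised here: `Path.Combine` neither resolves `..` segments nor guards against a rooted second argument (a rooted `virtualPath` makes `Path.Combine` return that argument and discard `rootPath` altogether), so a path that lexically starts with `rootPath` can still resolve elsewhere. Unless `ContainsSubPath` is known to call `Path.GetFullPath` on both arguments, which this hunk does not show, normalise before comparing: `var fullPath = Path.GetFullPath(Path.Combine(rootPath, virtualPath.Replace('/', Path.DirectorySeparatorChar)));`. It is also worth confirming that `ContainsSubPath` compares on a directory boundary rather than a bare string prefix, so a sibling directory whose name merely begins with the root name is not accepted. The `UnauthorizedAccessException` is thrown with no message; `throw new UnauthorizedAccessException($"Path is outside the dashboard root: {virtualPath}");` would make the rejection diagnosable in logs without changing what callers catch. The whole of GetDashboardResourcePath is inside the hunk, but the `_fileSystem` field and `DashboardUIPath` property it uses are declared outside it.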
