| -rw-r--r-- | MediaBrowser.WebDashboard/Api/PackageCreator.cs | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/MediaBrowser.WebDashboard/Api/PackageCreator.cs b/MediaBrowser.WebDashboard/Api/PackageCreator.cs
index 34a7f0eac..18dc2cf51 100644
--- a/MediaBrowser.WebDashboard/Api/PackageCreator.cs
+++ b/MediaBrowser.WebDashboard/Api/PackageCreator.cs
@@ -102,7 +102,17 @@ namespace MediaBrowser.WebDashboard.Api
 /// <returns>System.String.</returns>
 private string GetDashboardResourcePath(string virtualPath)
 {
- return Path.Combine(DashboardUIPath, virtualPath.Replace('/', Path.DirectorySeparatorChar));
+ var rootPath = DashboardUIPath;
+
+ var fullPath = Path.Combine(rootPath, virtualPath.Replace('/', Path.DirectorySeparatorChar));
+
+ // Don't allow file system access outside of the source folder
+ if (!_fileSystem.ContainsSubPath(rootPath, fullPath))
+ {
+ throw new UnauthorizedAccessException();
+ }
+
+ return fullPath;
 }
 
 /// <summary> |
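Review bot: The containment check in `GetDashboardResourcePath` runs on the raw result of `Path.Combine`, which does not collapse `..` segments and returns the second argument unchanged when it is rooted, so the guard is only as strong as the comparison inside `_fileSystem.ContainsSubPath`, whose implementation is not visible in this hunk. If that helper compares strings by prefix or substring, a path that still contains relative segments could pass the check while resolving outside `DashboardUIPath`. Canonicalize both sides before comparing, e.g. `var rootPath = Path.GetFullPath(DashboardUIPath);` and `var fullPath = Path.GetFullPath(Path.Combine(rootPath, virtualPath.Replace('/', Path.DirectorySeparatorChar)));`. It would also help to give `UnauthorizedAccessException` a message and to confirm that the request pipeline maps it to a 4xx response and logs the rejected `virtualPath`, so blocked attempts are visible to operators.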
