Cutlery/jellyfin
1
0
Fork 0
mirror of https://github.com/jellyfin/jellyfin.git synced 2025-07-09 03:04:24 -04:00
Code Issues Packages Projects Releases Wiki Activity

Throw exception on path traversal in WriteDocumentAsync

Browse Source 
This commit is not tested on a Windows machine. I however checked the
same behavior with UNIX paths and a client name resembling path traversal
path. With this change, an exception is thrown if the full path does not
start with the log directory path.
This commit is contained in:
David Ullmer 2023-04-11 18:30:59 +02:00
parent 5921379a29
commit faac37bcf9
No known key found for this signature in database
GPG Key ID: 4AEABE3359D5883C
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
MediaBrowser.Controller/ClientEvent/ClientEventLogger.cs
View File

@ -23,6 +23,11 @@ namespace MediaBrowser.Controller.ClientEvent
{ {
var fileName = $"upload_{clientName}_{clientVersion}_{DateTime.UtcNow:yyyyMMddHHmmss}_{Guid.NewGuid():N}.log"; var fileName = $"upload_{clientName}_{clientVersion}_{DateTime.UtcNow:yyyyMMddHHmmss}_{Guid.NewGuid():N}.log";
var logFilePath = Path.Combine(_applicationPaths.LogDirectoryPath, fileName); var logFilePath = Path.Combine(_applicationPaths.LogDirectoryPath, fileName);
if (!Path.GetFullPath(logFilePath).StartsWith(_applicationPaths.LogDirectoryPath, StringComparison.Ordinal))
{
throw new ArgumentException("Path resolved to filename not in log directory");
}
await using var fileStream = new FileStream(logFilePath, FileMode.CreateNew, FileAccess.Write, FileShare.None); await using var fileStream = new FileStream(logFilePath, FileMode.CreateNew, FileAccess.Write, FileShare.None);
await fileContents.CopyToAsync(fileStream).ConfigureAwait(false); await fileContents.CopyToAsync(fileStream).ConfigureAwait(false);
return fileName; return fileName;