Security fix to avoid using the assets folder when creating zips
This commit is contained in:
djbadders
parent
8bb359abbd
commit
03b2acdf43
|
|
@ -1,5 +1,7 @@
|
|||
using System.Collections;
|
||||
using Core.Main;
|
||||
using System;
|
||||
using System.Collections;
|
||||
using System.IO;
|
||||
using Microsoft.Net.Http.Headers;
|
||||
using Core.Helper;
|
||||
|
||||
namespace Monitor.Pages {
|
||||
|
|
@ -16,19 +18,29 @@ namespace Monitor.Pages {
|
|||
}
|
||||
}
|
||||
|
||||
private void InitializeDownload() {
|
||||
private async void InitializeDownload() {
|
||||
// Zip the file in an non web accessible folder
|
||||
string fileName = GetStringParameter("f", "");
|
||||
string tempFolder = PTMagicMonitorBasePath + System.IO.Path.DirectorySeparatorChar + "tmp" + System.IO.Path.DirectorySeparatorChar;
|
||||
|
||||
if (System.IO.File.Exists(PTMagicBasePath + fileName)) {
|
||||
if (!System.IO.Directory.Exists(PTMagicMonitorBasePath + "wwwroot" + System.IO.Path.DirectorySeparatorChar + "assets" + System.IO.Path.DirectorySeparatorChar + "tmp" + System.IO.Path.DirectorySeparatorChar)) {
|
||||
System.IO.Directory.CreateDirectory(PTMagicMonitorBasePath + "wwwroot" + System.IO.Path.DirectorySeparatorChar + "assets" + System.IO.Path.DirectorySeparatorChar + "tmp" + System.IO.Path.DirectorySeparatorChar);
|
||||
if (!System.IO.Directory.Exists(tempFolder)) {
|
||||
System.IO.Directory.CreateDirectory(tempFolder);
|
||||
}
|
||||
|
||||
string sourcefilePath = PTMagicBasePath + fileName;
|
||||
string destinationFilePath = PTMagicMonitorBasePath + "wwwroot" + System.IO.Path.DirectorySeparatorChar + "assets" + System.IO.Path.DirectorySeparatorChar + "tmp" + System.IO.Path.DirectorySeparatorChar + fileName + ".zip";
|
||||
string destinationFilePath = tempFolder + fileName + ".zip";
|
||||
|
||||
ZIPHelper.CreateZipFile(new ArrayList() { sourcefilePath }, destinationFilePath);
|
||||
|
||||
Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "assets/tmp/" + fileName + ".zip");
|
||||
// Write out the file
|
||||
var data = System.IO.File.ReadAllBytes(destinationFilePath);
|
||||
|
||||
Response.ContentType = "application/zip";
|
||||
Response.Headers[HeaderNames.CacheControl] = "no-cache";
|
||||
Response.Headers[HeaderNames.ContentDisposition] = String.Format("attachment; filename={0}", fileName);
|
||||
await Response.BodyWriter.WriteAsync(new Memory<byte>(data));
|
||||
Response.BodyWriter.Complete();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -7,6 +7,7 @@ using Microsoft.Extensions.Configuration;
|
|||
using Microsoft.Extensions.DependencyInjection;
|
||||
using Microsoft.AspNetCore.Server.Kestrel.Core;
|
||||
using Core.Main;
|
||||
using Core.Helper;
|
||||
using System.Runtime.InteropServices;
|
||||
using System.Diagnostics;
|
||||
|
||||
|
|
@ -58,6 +59,13 @@ namespace Monitor
|
|||
{
|
||||
options.AllowSynchronousIO = true;
|
||||
});
|
||||
|
||||
// Remove the old tmp folder if it exists
|
||||
string oldTmpFolder = monitorBasePath + System.IO.Path.DirectorySeparatorChar + "wwwroot" + System.IO.Path.DirectorySeparatorChar + "assets" + System.IO.Path.DirectorySeparatorChar + "tmp" + System.IO.Path.DirectorySeparatorChar;
|
||||
if (System.IO.Directory.Exists(oldTmpFolder))
|
||||
{
|
||||
System.IO.Directory.Delete(oldTmpFolder, true);
|
||||
}
|
||||
}
|
||||
|
||||
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
|
||||
|
|
@ -77,7 +85,7 @@ namespace Monitor
|
|||
// Configure request pipeline
|
||||
app.UseStaticFiles();
|
||||
app.UseSession();
|
||||
app.UseMvcWithDefaultRoute();
|
||||
app.UseMvcWithDefaultRoute();
|
||||
|
||||
// Open the browser
|
||||
if (systemConfiguration.GeneralSettings.Monitor.OpenBrowserOnStart) OpenBrowser("http://localhost:" + systemConfiguration.GeneralSettings.Monitor.Port.ToString());
|
||||
|
|
|
|||
Loading…
Reference in New Issue