trading
/
PTMagic
mirror of https://github.com/PTMagicians/PTMagic.git
2
0
Fork 0
Code Issues Releases Wiki Activity

Security fix to avoid using the assets folder when creating zips

This commit is contained in:
djbadders 2021-02-17 18:32:07 +00:00
parent 8bb359abbd
commit 03b2acdf43
2 changed files with 28 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
Monitor/Pages/_get/DownloadFile.cshtml.cs
View File

@ -1,5 +1,7 @@
using System.Collections;
using Core.Main;
using System;
using System.Collections;
using System.IO;
using Microsoft.Net.Http.Headers;
using Core.Helper;
namespace Monitor.Pages {
@ -16,19 +18,29 @@ namespace Monitor.Pages {
}
}
private void InitializeDownload() {
private async void InitializeDownload() {
// Zip the file in an non web accessible folder
string fileName = GetStringParameter("f", "");
string tempFolder = PTMagicMonitorBasePath + System.IO.Path.DirectorySeparatorChar + "tmp" + System.IO.Path.DirectorySeparatorChar;
if (System.IO.File.Exists(PTMagicBasePath + fileName)) {
if (!System.IO.Directory.Exists(PTMagicMonitorBasePath + "wwwroot" + System.IO.Path.DirectorySeparatorChar + "assets" + System.IO.Path.DirectorySeparatorChar + "tmp" + System.IO.Path.DirectorySeparatorChar)) {
System.IO.Directory.CreateDirectory(PTMagicMonitorBasePath + "wwwroot" + System.IO.Path.DirectorySeparatorChar + "assets" + System.IO.Path.DirectorySeparatorChar + "tmp" + System.IO.Path.DirectorySeparatorChar);
if (!System.IO.Directory.Exists(tempFolder)) {
System.IO.Directory.CreateDirectory(tempFolder);
}
string sourcefilePath = PTMagicBasePath + fileName;
string destinationFilePath = PTMagicMonitorBasePath + "wwwroot" + System.IO.Path.DirectorySeparatorChar + "assets" + System.IO.Path.DirectorySeparatorChar + "tmp" + System.IO.Path.DirectorySeparatorChar + fileName + ".zip";
string destinationFilePath = tempFolder + fileName + ".zip";
ZIPHelper.CreateZipFile(new ArrayList() { sourcefilePath }, destinationFilePath);
Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "assets/tmp/" + fileName + ".zip");
// Write out the file
var data = System.IO.File.ReadAllBytes(destinationFilePath);
Response.ContentType = "application/zip";
Response.Headers[HeaderNames.CacheControl] = "no-cache";
Response.Headers[HeaderNames.ContentDisposition] = String.Format("attachment; filename={0}", fileName);
await Response.BodyWriter.WriteAsync(new Memory<byte>(data));
Response.BodyWriter.Complete();
}
}
}

8
Monitor/Startup.cs
View File

@ -7,6 +7,7 @@ using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.AspNetCore.Server.Kestrel.Core;
using Core.Main;
using Core.Helper;
using System.Runtime.InteropServices;
using System.Diagnostics;
@ -58,6 +59,13 @@ namespace Monitor
{
options.AllowSynchronousIO = true;
});
// Remove the old tmp folder if it exists
string oldTmpFolder = monitorBasePath + System.IO.Path.DirectorySeparatorChar + "wwwroot" + System.IO.Path.DirectorySeparatorChar + "assets" + System.IO.Path.DirectorySeparatorChar + "tmp" + System.IO.Path.DirectorySeparatorChar;
if (System.IO.Directory.Exists(oldTmpFolder))
{
System.IO.Directory.Delete(oldTmpFolder, true);
}
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.