From 05cb30d79c218c88af96cd1d903db579c876e69a Mon Sep 17 00:00:00 2001
From: Sebastiaan Janssen
Date: Wed, 4 Jan 2017 17:01:26 +0100
Subject: [PATCH 1/2] Trim the file name so that it doesn't get accepted by the server if it's a disallowed file
---
 .../Editors/ContentControllerBase.cs | 30 ++++++++++---------
 1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/src/Umbraco.Web/Editors/ContentControllerBase.cs b/src/Umbraco.Web/Editors/ContentControllerBase.cs
index 495217cec2..ab3145cd79 100644
--- a/src/Umbraco.Web/Editors/ContentControllerBase.cs
+++ b/src/Umbraco.Web/Editors/ContentControllerBase.cs
@@ -88,35 +88,37 @@ namespace Umbraco.Web.Editors
 where TPersisted : IContentBase
 {
 //Map the property values
- foreach (var p in contentItem.ContentDto.Properties)
+ foreach (var property in contentItem.ContentDto.Properties)
 {
 //get the dbo property
- var dboProperty = contentItem.PersistedContent.Properties[p.Alias];
+ var dboProperty = contentItem.PersistedContent.Properties[property.Alias];
 //create the property data to send to the property editor
- var d = new Dictionary();
+ var dictionary = new Dictionary();
 //add the files if any
- var files = contentItem.UploadedFiles.Where(x => x.PropertyAlias == p.Alias).ToArray();
- if (files.Length > 0)
- {
- d.Add("files", files);
- }
+ var files = contentItem.UploadedFiles.Where(x => x.PropertyAlias == property.Alias).ToArray();
+
+ foreach (var file in files)
+ file.FileName = file.FileName.TrimEnd();
+
+ if (files.Any())
+ dictionary.Add("files", files);
- var data = new ContentPropertyData(p.Value, p.PreValues, d);
+ var data = new ContentPropertyData(property.Value, property.PreValues, dictionary);
 //get the deserialized value from the property editor
- if (p.PropertyEditor == null)
+ if (property.PropertyEditor == null)
 {
- LogHelper.Warn("No property editor found for property " + p.Alias);
+ LogHelper.Warn("No property editor found for property " + property.Alias);
 }
 else
 {
- var valueEditor = p.PropertyEditor.ValueEditor;
+ var valueEditor = property.PropertyEditor.ValueEditor;
 //don't persist any bound value if the editor is readonly
 if (valueEditor.IsReadOnly == false)
 {
- var propVal = p.PropertyEditor.ValueEditor.ConvertEditorToDb(data, dboProperty.Value);
- var supportTagsAttribute = TagExtractor.GetAttribute(p.PropertyEditor);
+ var propVal = property.PropertyEditor.ValueEditor.ConvertEditorToDb(data, dboProperty.Value);
+ var supportTagsAttribute = TagExtractor.GetAttribute(property.PropertyEditor);
 if (supportTagsAttribute != null)
 {
 TagExtractor.SetPropertyTags(dboProperty, data, propVal, supportTagsAttribute);
From 2196ab3713f3e9d655ca13fdb4ce0b30d7586bff Mon Sep 17 00:00:00 2001
From: Claus
Date: Thu, 5 Jan 2017 11:10:21 +0100
Subject: [PATCH 2/2] changing this to use ToSafeFileName instead of just trimming for blank characters. issuing a request with any character not allowed in a file path, appended to the filename - allows you to trick the validation like with the blank characters appended.
---
 src/Umbraco.Web/Editors/ContentControllerBase.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Umbraco.Web/Editors/ContentControllerBase.cs b/src/Umbraco.Web/Editors/ContentControllerBase.cs
index ab3145cd79..0cddb6fcd5 100644
--- a/src/Umbraco.Web/Editors/ContentControllerBase.cs
+++ b/src/Umbraco.Web/Editors/ContentControllerBase.cs
@@ -99,7 +99,7 @@ namespace Umbraco.Web.Editors
 var files = contentItem.UploadedFiles.Where(x => x.PropertyAlias == property.Alias).ToArray();
 foreach (var file in files)
- file.FileName = file.FileName.TrimEnd();
+ file.FileName = file.FileName.ToSafeFileName();
 if (files.Any())
 dictionary.Add("files", files);
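Review bot: The new `foreach (var file in files)` and `if (files.Any())` lines drop the braces that the replaced `if (files.Length > 0) { ... }` block had, and `Any()` is a LINQ enumeration where the array already exposes `Length`; every other single-statement block in this hunk is braced. I would keep the file's brace style and the property check: `if (files.Length > 0) { dictionary.Add("files", files); }`, with braces around the `file.FileName` assignment as well. The same lines reappear unchanged in the second patch's hunk on this file, so the point applies there too. The enclosing method's signature sits just above this hunk and its closing braces follow it, so the method is not fully visible here.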
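Review bot: The `file.FileName = file.FileName.ToSafeFileName();` line carries no comment, although, going by the two commit messages, it appears to be what keeps a crafted upload name from passing the disallowed-file validation; a maintainer tidying this loop later could mistake it for cosmetic normalisation. I would add above the loop: `// Normalise the name before the property editor validates it: trailing whitespace or` / `// characters not allowed in a path would otherwise let a disallowed file type pass the check.` Because the protection depends on what ToSafeFileName strips, and its implementation is outside this patch, a unit test with a disallowed extension followed by trailing spaces and by a character that is invalid in a path would pin the intended behaviour. Whether ToSafeFileName tolerates a null FileName is also not visible here and worth confirming, since the original value comes from the request.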