Merge branch 'v10/dev' into v10/feature/nullable-reference-types-in-Umbraco.Web.Backoffice

# Conflicts: # src/Umbraco.Core/Cache/MacroCacheRefresher.cs # src/Umbraco.Core/Services/MacroService.cs # src/Umbraco.Core/StaticApplicationLogging.cs # src/Umbraco.Infrastructure/Migrations/Install/DatabaseDataCreator.cs # src/Umbraco.Infrastructure/Persistence/Repositories/Implement/MacroRepository.cs # src/Umbraco.Infrastructure/Persistence/Repositories/Implement/TrackedReferencesRepository.cs # src/Umbraco.Infrastructure/PropertyEditors/GridPropertyEditor.cs # src/Umbraco.Infrastructure/Security/UmbracoPasswordHasher.cs # src/Umbraco.Web.BackOffice/Controllers/ImagesController.cs
2022-04-05 08:51:08 +02:00
parent acf60ce84c d12602ec90
commit a6128bfe8e
76 changed files with 2021 additions and 571 deletions
--- a/src/Umbraco.Web.BackOffice/Controllers/ImagesController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/ImagesController.cs
@@ -1,9 +1,11 @@
 using System;
 using System.IO;
+using System.Web;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Core.IO;
 using Umbraco.Cms.Core.Media;
 using Umbraco.Cms.Core.Models;
+using Umbraco.Cms.Core.Strings;
 using Umbraco.Cms.Web.Common.Attributes;
 using Umbraco.Extensions;
 using Constants = Umbraco.Cms.Core.Constants;
@@ -53,10 +55,15 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers
        /// </remarks>
        public IActionResult GetResized(string imagePath, int width)
        {
-            var ext = Path.GetExtension(imagePath);
+            // We have to use HttpUtility to encode the path here, for non-ASCII characters
+            // We cannot use the WebUtility, as we only want to encode the path, and not the entire string
+            var encodedImagePath = HttpUtility.UrlPathEncode(imagePath);
+
+
+            var ext = Path.GetExtension(encodedImagePath);

            // check if imagePath is local to prevent open redirect
-            if (!Uri.IsWellFormedUriString(imagePath, UriKind.Relative))
+            if (!Uri.IsWellFormedUriString(encodedImagePath, UriKind.Relative))
            {
                return Unauthorized();
            }
@@ -82,7 +89,7 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers
            }

            var rnd = imageLastModified.HasValue ? $"&rnd={imageLastModified:yyyyMMddHHmmss}" : null;
-            var imageUrl = _imageUrlGenerator.GetImageUrl(new ImageUrlGenerationOptions(imagePath)
+            var imageUrl = _imageUrlGenerator.GetImageUrl(new ImageUrlGenerationOptions(encodedImagePath)
            {
                Width = width,
                ImageCropMode = ImageCropMode.Max,