From dca5101e46f501397bf6f3e0800a5d1b3b705710 Mon Sep 17 00:00:00 2001
From: Luke Pulverenti
Date: Wed, 13 May 2015 00:16:55 -0400
Subject: [PATCH] Prevent directory browsing
---
 MediaBrowser.WebDashboard/Api/PackageCreator.cs | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/MediaBrowser.WebDashboard/Api/PackageCreator.cs b/MediaBrowser.WebDashboard/Api/PackageCreator.cs
index 34a7f0eace..18dc2cf51e 100644
--- a/MediaBrowser.WebDashboard/Api/PackageCreator.cs
+++ b/MediaBrowser.WebDashboard/Api/PackageCreator.cs
@@ -102,7 +102,17 @@ namespace MediaBrowser.WebDashboard.Api
 /// System.String.
 private string GetDashboardResourcePath(string virtualPath)
 {
- return Path.Combine(DashboardUIPath, virtualPath.Replace('/', Path.DirectorySeparatorChar));
+ var rootPath = DashboardUIPath;
+
+ var fullPath = Path.Combine(rootPath, virtualPath.Replace('/', Path.DirectorySeparatorChar));
+
+ // Don't allow file system access outside of the source folder
+ if (!_fileSystem.ContainsSubPath(rootPath, fullPath))
+ {
+ throw new UnauthorizedAccessException();
+ }
+
+ return fullPath;
 }
 
 ///
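Review bot: The containment check in GetDashboardResourcePath runs on the un-normalized result of `Path.Combine`, so whether it actually stops traversal depends on `_fileSystem.ContainsSubPath`, whose implementation is not visible in this hunk. If that helper compares path strings by prefix, a `virtualPath` containing `..` segments would still produce a `fullPath` that textually begins with `rootPath` and would pass the check. Canonicalizing before the comparison removes that dependence: `var fullPath = Path.GetFullPath(Path.Combine(rootPath, virtualPath.Replace('/', Path.DirectorySeparatorChar)));`. It is also worth confirming that the helper matches on a directory-separator boundary, so a sibling folder sharing the root's name prefix is not accepted. Logging the rejected `virtualPath` before the `throw` would make probing visible to operators.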