From faac37bcf9f3497ada36747ede180c6a0c2b7aa1 Mon Sep 17 00:00:00 2001
From: David Ullmer
Date: Tue, 11 Apr 2023 18:30:59 +0200
Subject: [PATCH] Throw exception on path traversal in WriteDocumentAsync

This commit is not tested on a Windows machine. I however checked the same behavior with UNIX paths and a client name resembling path traversal path. With this change, an exception is thrown if the full path does not start with the log directory path.
---
 MediaBrowser.Controller/ClientEvent/ClientEventLogger.cs | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/MediaBrowser.Controller/ClientEvent/ClientEventLogger.cs b/MediaBrowser.Controller/ClientEvent/ClientEventLogger.cs
index dea1c2f32a..f196bb0f0f 100644
--- a/MediaBrowser.Controller/ClientEvent/ClientEventLogger.cs
+++ b/MediaBrowser.Controller/ClientEvent/ClientEventLogger.cs
@@ -23,6 +23,11 @@ namespace MediaBrowser.Controller.ClientEvent
 {
 var fileName = $"upload_{clientName}_{clientVersion}_{DateTime.UtcNow:yyyyMMddHHmmss}_{Guid.NewGuid():N}.log";
 var logFilePath = Path.Combine(_applicationPaths.LogDirectoryPath, fileName);
+ if (!Path.GetFullPath(logFilePath).StartsWith(_applicationPaths.LogDirectoryPath, StringComparison.Ordinal))
+ {
+ throw new ArgumentException("Path resolved to filename not in log directory");
+ }
+
 await using var fileStream = new FileStream(logFilePath, FileMode.CreateNew, FileAccess.Write, FileShare.None);
 await fileContents.CopyToAsync(fileStream).ConfigureAwait(false);
 return fileName;
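Review bot: The added `StartsWith` check compares against the raw `_applicationPaths.LogDirectoryPath` without a trailing separator, so a resolved path in a sibling directory whose name merely begins with the log directory name (e.g. `<logdir>-other/...`) still passes, and if `LogDirectoryPath` is itself relative or unnormalized the comparison against the output of `Path.GetFullPath` is not meaningful. Normalize the directory the same way and anchor the prefix on a separator: `var logDirectory = Path.GetFullPath(_applicationPaths.LogDirectoryPath).TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;` followed by `if (!Path.GetFullPath(logFilePath).StartsWith(logDirectory, StringComparison.Ordinal))`. Because `fileName` is built from `clientName` and `clientVersion`, it would also be worth rejecting those inputs up front when they contain `Path.GetInvalidFileNameChars()` rather than relying only on the post-hoc path check, and the `ArgumentException` should name the offending parameter via `nameof`. The signature of `WriteDocumentAsync` and the rest of the method are outside this hunk.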