Check for path traversal before uploading file

Martin Bentancour · mikecp · commit dfdb498537a6 · 2021-10-29T14:12:46.000+02:00
diff --git a/src/Umbraco.Web.BackOffice/Controllers/ContentTypeController.cs b/src/Umbraco.Web.BackOffice/Controllers/ContentTypeController.cs
@@ -590,32 +590,41 @@ public ActionResult<ContentTypeImportModel> Upload(List<IFormFile> file)
 
                 var root = _hostingEnvironment.MapPathContentRoot(Constants.SystemDirectories.TempFileUploads);
                 var tempPath = Path.Combine(root,fileName);
-
-                using (var stream = System.IO.File.Create(tempPath))
-                {
-                    formFile.CopyToAsync(stream).GetAwaiter().GetResult();
-                }
-
-                if (ext.InvariantEquals("udt"))
+                if (Path.GetFullPath(tempPath).StartsWith(Path.GetFullPath(root)))
                 {
-                    model.TempFileName = Path.Combine(root, fileName);
+                    using (var stream = System.IO.File.Create(tempPath))
+                    {
+                        formFile.CopyToAsync(stream).GetAwaiter().GetResult();
+                    }
 
-                    var xd = new XmlDocument
+                    if (ext.InvariantEquals("udt"))
                     {
-                        XmlResolver = null
-                    };
-                    xd.Load(model.TempFileName);
+                        model.TempFileName = Path.Combine(root, fileName);
 
-                    model.Alias = xd.DocumentElement?.SelectSingleNode("//DocumentType/Info/Alias")?.FirstChild.Value;
-                    model.Name = xd.DocumentElement?.SelectSingleNode("//DocumentType/Info/Name")?.FirstChild.Value;
-                }
-                else
+                        var xd = new XmlDocument
+                        {
+                            XmlResolver = null
+                        };
+                        xd.Load(model.TempFileName);
+
+                        model.Alias = xd.DocumentElement?.SelectSingleNode("//DocumentType/Info/Alias")?.FirstChild.Value;
+                        model.Name = xd.DocumentElement?.SelectSingleNode("//DocumentType/Info/Name")?.FirstChild.Value;
+                    }
+                    else
+                    {
+                        model.Notifications.Add(new BackOfficeNotification(
+                            _localizedTextService.Localize("speechBubbles", "operationFailedHeader"),
+                            _localizedTextService.Localize("media", "disallowedFileType"),
+                            NotificationStyle.Warning));
+                    }
+                }else
                 {
                     model.Notifications.Add(new BackOfficeNotification(
-                        _localizedTextService.Localize("speechBubbles","operationFailedHeader"),
-                        _localizedTextService.Localize("media","disallowedFileType"),
+                        _localizedTextService.Localize("speechBubbles", "operationFailedHeader"),
+                        _localizedTextService.Localize("media", "invalidFileName"),
                         NotificationStyle.Warning));
                 }
+
             }
 
 
diff --git a/src/Umbraco.Web.UI/umbraco/config/lang/en.xml b/src/Umbraco.Web.UI/umbraco/config/lang/en.xml
@@ -325,6 +325,7 @@
     <key alias="clickToUpload">Click to upload</key>
     <key alias="orClickHereToUpload">or click here to choose files</key>
     <key alias="disallowedFileType">Cannot upload this file, it does not have an approved file type</key>
+    <key alias="invalidFileName">Cannot upload this file, it does not have a valid file name</key>
     <key alias="maxFileSize">Max file size is</key>
     <key alias="mediaRoot">Media root</key>
     <key alias="createFolderFailed">Failed to create a folder under parent id %0%</key>
diff --git a/src/Umbraco.Web.UI/umbraco/config/lang/en_us.xml b/src/Umbraco.Web.UI/umbraco/config/lang/en_us.xml
@@ -329,6 +329,7 @@
     <key alias="clickToUpload">Click to upload</key>
     <key alias="orClickHereToUpload">or click here to choose files</key>
     <key alias="disallowedFileType">Cannot upload this file, it does not have an approved file type</key>
+    <key alias="invalidFileName">Cannot upload this file, it does not have a valid file name</key>
     <key alias="maxFileSize">Max file size is</key>
     <key alias="mediaRoot">Media root</key>
     <key alias="moveToSameFolderFailed">Parent and destination folders cannot be the same</key>
