Yajbir-Malik/DocumentServer-v-9.2.0
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fixed directory traversal vulnerability

Browse Source 
removed unused components
This commit is contained in:
nikolay ivanov
2014-07-10 11:02:38 +00:00
parent 0b2e9eb57d
commit cba489e3d3
334 changed files with 23 additions and 73068 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
DocService/ResourceService.ashx
View File

@@ -58,9 +58,29 @@ public class ResourceService : IHttpAsyncHandler
Storage oStorage = new Storage();
TaskResult oTaskResult = new TaskResult();
string sPath = context.Request.Params["path"];
string sPathOriginal = context.Request.Params["path"];
string sPath = null;
if (null != sPathOriginal)
{
sPath = sPathOriginal.Replace("../", "").Replace("..\\", "");
if (sPathOriginal != sPath)
{
_log.Error("Possible XSS attack:" + sPathOriginal);
}
}
string sOutputFilename = context.Request.Params["filename"];
string sDeletePath = context.Request.Params["deletepath"];
string sDeletePathOriginal = context.Request.Params["deletepath"];
string sDeletePath = null;
if (null != sDeletePathOriginal)
{
sDeletePath = sDeletePathOriginal.Replace("../", "").Replace("..\\", "");
if (sDeletePathOriginal != sDeletePath)
{
_log.Error("Possible XSS attack:" + sDeletePathOriginal);
}
}
if (string.IsNullOrEmpty(sOutputFilename))
{
if (null != sPath)