ValidatePath problem with files named "con.(something else)". #6802

Closed
psp589 opened this issue Apr 19, 2016 · 4 comments
@psp589
Contributor

psp589 commented Apr 19, 2016

When I call ValidatePath(@"D:\ConsoleApplication1\ConsoleApplication1",@"D:\ConsoleApplication1\ConsoleApplication1\bin\Debug\con.img.jpg") I get an ArgumentException("Invalid path")

The problem is that I have found the .NET method Path.GetFullPath doesn't work properly with file names equal to "con" or that start with "con.". This could be because "con" is something of the operating system (not sure).
Here is a sample of the output I get calling Path.GetFullPath:

    Console.WriteLine(Path.GetFullPath("con")); //Output: \\.\con
    Console.WriteLine(Path.GetFullPath("con.img.jpg")); //Output: \\.\con
    Console.WriteLine(Path.GetFullPath("congress.img.jpg")); //Output: D:\ConsoleApplication1\ConsoleApplication1\bin\Debug\congress.img.jpg

So I would need to add a patch here: https://github.com/OrchardCMS/Orchard/blob/dev/src/Orchard/Validation/PathValidation.cs to support files with "con.". Any proposal that doesn't compromise security?

@sebastienros
Member

We need to ensure why there is this behavior in the first place before deciding on the solution.

@sebastienros sebastienros added this to the Orchard 1.10.x milestone Apr 21, 2016
@jchenga
Contributor

jchenga commented Apr 27, 2016

According to this MSDN page:

Do not use the following reserved names for the name of a file:
CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9. Also avoid these names followed immediately by an extension; for example, NUL.txt is not recommended.

@sebastienros
Member

Then I assume we can add a list with all these exceptions and validate that the file names don't contain it. I am not sure if we can expose a meaningful message though. Or could it be at a layer closer to the UI where users can provide a filename.

@jchenga
Contributor

jchenga commented May 12, 2016

@sebastienros
We don't need to explicitly validate file names against a list of reserved words. The current implementation implicitly does that already.

I think we just need to throw an exception to indicate the given path is invalid and the hosted environment is on a Windows platform. Any caller down the call stack can catch this type of exception and display whatever info it wants.

Here is what I propose to do:

  1. Create a custom exception called OrchardWindowsInvalidPathException.
  2. Throw this exception in PathValidation.ValidatePath if the path is invalid and Environment.OSVersion is Windows.
  3. The controller, or part driver, can catch this specific exception and display a more meaningful message, e.g.

"Can't rename the file. Make sure your file name does begin with Con, NUL, COM, etc. followed immediately by an extension."
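
The explicit list check raised in the thread, as an added example that is not Orchard's code and not taken from the linked commits: it flags any path segment whose name, up to the first dot, is one of the reserved names quoted from MSDN, compared case-insensitively because the report shows lowercase "con" being affected. The class and method names are hypothetical, and ignoring trailing spaces before the dot is an assumption made to stay on the strict side.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example: hypothetical helper, not part of Orchard's PathValidation.
public static class ReservedDeviceNames
{
    // The reserved names quoted from MSDN in the thread above.
    private static readonly HashSet<string> Reserved = new HashSet<string>(
        new[] { "CON", "PRN", "AUX", "NUL" }
            .Concat(Enumerable.Range(1, 9).Select(i => "COM" + i))
            .Concat(Enumerable.Range(1, 9).Select(i => "LPT" + i)),
        StringComparer.OrdinalIgnoreCase);

    // True when one segment is a reserved name, alone or followed by an extension.
    public static bool IsReservedSegment(string segment)
    {
        if (string.IsNullOrEmpty(segment)) return false;
        int dot = segment.IndexOf('.');
        string stem = dot < 0 ? segment : segment.Substring(0, dot);
        // Assumption: trailing spaces are ignored, to stay on the strict side.
        return Reserved.Contains(stem.TrimEnd(' '));
    }

    // Returns the first offending segment of a relative path, or null if none.
    public static string FindReservedSegment(string relativePath)
    {
        return (relativePath ?? "")
            .Split('/', '\\')
            .FirstOrDefault(IsReservedSegment);
    }

    public static void Main()
    {
        // Constructed sample inputs; the first three are the names from the report.
        foreach (var name in new[] { "con", "con.img.jpg", "congress.img.jpg",
                                     "Media/NUL.txt", "Media/lpt10.log" })
        {
            string hit = FindReservedSegment(name);
            Console.WriteLine("{0,-18} -> {1}", name,
                hit == null ? "ok" : "rejected: reserved name in '" + hit + "'");
        }
    }
}
```

Because the check works on the string alone, it gives the same answer on any host OS and can run before the name reaches Path.GetFullPath, which is where a caller can still show the user a meaningful message.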

jchenga added a commit to jchenga/Orchard that referenced this issue May 25, 2016
jchenga added a commit to jchenga/Orchard that referenced this issue Jun 7, 2016
BenedekFarkas pushed a commit that referenced this issue Aug 22, 2019
BenedekFarkas added a commit that referenced this issue May 17, 2023
…ests broke in a3e9bef (issue #6802, PR #6919)

I should review PRs more carefully!
BenedekFarkas added a commit that referenced this issue Jun 28, 2023
* Fixing that RecipeManagerTests failed due to HttpContext not being available

* Fixing OwnerEditor tests in CommonPartProviderTests as the owner editor now checks for a different permission since 5b0c82d

* Fixing typo in CommonPartProviderTests.UpdateModelStub class name

* Fixing that test cases for invalid path in FileSystemStorageProviderTests broke in a3e9bef (issue #6802, PR #6919)

I should review PRs more carefully!

* Fixing CurrentCultureWorkContextTests

* Fixing indentation in DefaultDateFormatterTests

* Updating Orchard.Azure.Web's required version of System.Web.Mvc to match the rest of the solution

* Orchard.Specs: Fixing assembly loading errors when starting up the web host by adding binding redirects

* Adding empty compile workflow from dev

* Adding the compile workflow's actual contents

* Changing default shell to pwsh (msbuild was not found in cmd?)

* Adding msbuild to PATH

* Removing unused references to System.Net.Http

* Replacing System.Net.Http references with its NuGet package to pin the correct version number (experimental)

* Upgrading Microsoft.CodeDom.Providers.DotNetCompilerPlatform to 4.1.0 (latest) to get rid of old System.Http.Net dependency

* Orchard.proj: Spec target actually depends on only the Compile target, not Package-Stage (experimental)

* Compile workflow: Testing the Test and Spec targets

* Fixing Test step

* Fixing compile workflow to also mark Razor compilation warnings as errors

* Restoring Orchard.Specs/Hosting/Orchard.Web/Web.config to match Orchard.Web's web.config closer

so that it loads assemblies from the Dependencies folder.
This fixes the error with Autofac not being able to resolve dependencies for DefaultOrchardShell

* Orchard.Specs/Hosting/Orchard.Web/Global.asax.cs: Workaround for AntiForgeryToken bug in ASP.NET MVC since version 5.2.4

aspnet/AspNetWebStack#162

* Revert "Replacing System.Net.Http references with its NuGet package to pin the correct version number (experimental)"

This reverts commit 087f284.

* Revert "Upgrading Microsoft.CodeDom.Providers.DotNetCompilerPlatform to 4.1.0 (latest) to get rid of old System.Http.Net dependency"

This reverts commit be2ba86.

* Reverting the addition of assembly binding redirects to Orchard.Specs/Hosting/Simple.Web/Web.config

since it doesn't need them like Orchard.Specs/Hosting/Orchard.Web/Web.config does

* Disabling Test and Spec execution for now

* Orchard.Framework: Making the System.Net.Http not-private to prevent an outdated version sticking around

* Orchard.Workflows: Adding assembly binding redirect for System.Net.Http to avoid Razor compilation warning

* Moving the System.Net.Http assembly redirect to Orchard.Web

* Specs: Fixing "I can create browse blog posts on several pages" Blog test's usage of "I should not see" and correcting the parameters too

because unlike "I should see", this is not a regex match, just contains

* Specs: Fixing "I can create browse blog posts on several pages" Blog test's flakiness due to timing

because the blog posts are created quickly after one another and the lack of millisecond-precision can cause
the blog posts to appear out of order of creation

* Specs: Media test simplified since the Orchard.Media feature is deprecated

* Adding step to the Compile workflow to upload the MSBuild binlog results

* Pinning the referenced version of System.Net.Http to 4.2.0.0 to prevent Razor compilation warning

System.Net.Http is known to have such problems across different framework versions ways of referencing it

The original warning is:
ASPNETCOMPILER : error : The following assembly has dependencies on a version of the .NET Framework that is higher than the target and might not load correctly during runtime causing a failure: Orchard.Workflows, Version=1.10.3.0, Culture=neutral, PublicKeyToken=null. The dependencies are: System.Net.Http, Version=4.2.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a. You should either ensure that the dependent assembly is correct for the target framework, or ensure that the target framework you are addressing is that of the dependent assembly. [D:\a\Orchard\Orchard\src\Orchard.Web\Modules\Orchard.Workflows\Orchard.Workflows.csproj

* Re-enabling the Test step

* Re-enabling the Specs step

* Marking System.Net.Http references as private (copy local) to make sure that it's always available, because it requires a specific version

* Revert "Marking System.Net.Http references as private (copy local) to make sure that it's always available, because it requires a specific version"

This reverts commit e4f5632.

* Orchard.Specs: Adding Settings feature

* Orchard.Specs: Updating DateTime.CreatingAndUsingDateTimeFieldsInAnotherCulture structure without functional change

* Orchard.Specs: Updating Settings.AddingANewSiteCultureAndSelectingItAsTheDefaultWorks to correctly detect that a culture that wasn't added before can be set as default

* Fixing Newtonsoft.Json references

* Specs: Workaround for the DefineDefaultCulture binding and removing the Settings feature which is now redundant with CreatingAndUsingDateTimeFieldsInAnotherCulture

* Updating the compile workflow to run the build + tests on PR, dev and 1.10.x commits

* Adding the compile workflow to the solution
BenedekFarkas added a commit that referenced this issue Mar 8, 2024
* Fixing that RecipeManagerTests failed due to HttpContext not being available

* Fixing OwnerEditor tests in CommonPartProviderTests as the owner editor now checks for a different permission since 5b0c82d

* Fixing typo in CommonPartProviderTests.UpdateModelStub class name

* Fixing that test cases for invalid path in FileSystemStorageProviderTests broke in a3e9bef (issue #6802, PR #6919)

I should review PRs more carefully!

* Fixing CurrentCultureWorkContextTests

* Fixing indentation in DefaultDateFormatterTests

* Updating Orchard.Azure.Web's required version of System.Web.Mvc to match the rest of the solution

* Orchard.Specs: Fixing assembly loading errors when starting up the web host by adding binding redirects

* Adding empty compile workflow from dev

* Adding the compile workflow's actual contents

* Changing default shell to pwsh (msbuild was not found in cmd?)

* Adding msbuild to PATH

* Removing unused references to System.Net.Http

* Replacing System.Net.Http references with its NuGet package to pin the correct version number (experimental)

* Upgrading Microsoft.CodeDom.Providers.DotNetCompilerPlatform to 4.1.0 (latest) to get rid of old System.Http.Net dependency

* Orchard.proj: Spec target actually depends on only the Compile target, not Package-Stage (experimental)

* Compile workflow: Testing the Test and Spec targets

* Fixing Test step

* Fixing compile workflow to also mark Razor compilation warnings as errors

* Restoring Orchard.Specs/Hosting/Orchard.Web/Web.config to match Orchard.Web's web.config closer

so that it loads assemblies from the Dependencies folder.
This fixes the error with Autofac not being able to resolve dependencies for DefaultOrchardShell

* Orchard.Specs/Hosting/Orchard.Web/Global.asax.cs: Workaround for AntiForgeryToken bug in ASP.NET MVC since version 5.2.4

aspnet/AspNetWebStack#162

* Revert "Replacing System.Net.Http references with its NuGet package to pin the correct version number (experimental)"

This reverts commit 087f284.

* Revert "Upgrading Microsoft.CodeDom.Providers.DotNetCompilerPlatform to 4.1.0 (latest) to get rid of old System.Http.Net dependency"

This reverts commit be2ba86.

* Reverting the addition of assembly binding redirects to Orchard.Specs/Hosting/Simple.Web/Web.config

since it doesn't need them like Orchard.Specs/Hosting/Orchard.Web/Web.config does

* Disabling Test and Spec execution for now

* Orchard.Framework: Making the System.Net.Http not-private to prevent an outdated version sticking around

* Orchard.Workflows: Adding assembly binding redirect for System.Net.Http to avoid Razor compilation warning

* Moving the System.Net.Http assembly redirect to Orchard.Web

* Specs: Fixing "I can create browse blog posts on several pages" Blog test's usage of "I should not see" and correcting the parameters too

because unlike "I should see", this is not a regex match, just contains

* Specs: Fixing "I can create browse blog posts on several pages" Blog test's flakiness due to timing

because the blog posts are created quickly after one another and the lack of millisecond-precision can cause
the blog posts to appear out of order of creation

* Specs: Media test simplified since the Orchard.Media feature is deprecated

* Adding step to the Compile workflow to upload the MSBuild binlog results

* Pinning the referenced version of System.Net.Http to 4.2.0.0 to prevent Razor compilation warning

System.Net.Http is known to have such problems across different framework versions ways of referencing it

The original warning is:
ASPNETCOMPILER : error : The following assembly has dependencies on a version of the .NET Framework that is higher than the target and might not load correctly during runtime causing a failure: Orchard.Workflows, Version=1.10.3.0, Culture=neutral, PublicKeyToken=null. The dependencies are: System.Net.Http, Version=4.2.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a. You should either ensure that the dependent assembly is correct for the target framework, or ensure that the target framework you are addressing is that of the dependent assembly. [D:\a\Orchard\Orchard\src\Orchard.Web\Modules\Orchard.Workflows\Orchard.Workflows.csproj

* Re-enabling the Test step

* Re-enabling the Specs step

* Marking System.Net.Http references as private (copy local) to make sure that it's always available, because it requires a specific version

* Revert "Marking System.Net.Http references as private (copy local) to make sure that it's always available, because it requires a specific version"

This reverts commit e4f5632.

* Orchard.Specs: Adding Settings feature

* Orchard.Specs: Updating DateTime.CreatingAndUsingDateTimeFieldsInAnotherCulture structure without functional change

* Orchard.Specs: Updating Settings.AddingANewSiteCultureAndSelectingItAsTheDefaultWorks to correctly detect that a culture that wasn't added before can be set as default

* Fixing outdated assembly binding redirects

* Fixing Newtonsoft.Json references

* Updating Newtonsoft.Json reference in Orchard.Messaging.Tests.csproj

* Disabling the Test step for now

* Adding System.Net.Http 4.2.0.0 reference to Orchard.Email's web.config to fix Razor compilation warning

* Re-enabling the Test step

* Fixing HqlExpressionTests.AllDataTypesCanBeQueried

* Fixing initialization error in StylesheetBindingStrategyTests

* Fixing initialization errors in FeatureManagerTests

* Fixing Orchard.Tests.Localization.TextTests

* Code styling and fixing warning in Orchard.Tests/UI/Resources/ResourceManagerTests.cs

* Updating Orchard.Tests/UI/Resources/ResourceManagerTests.cs according to ResourceManager API change in ac11024

and removing obsolete tests

* Orchard.Tests.Modules: Adding missing reference to Iesi.Collections (that doesn't cause a build error, just when running tests)

* Fixing initialization errors in ModuleStepTest and ThemeStepTest

* Fixing initialization errors in ShellDescriptorManagerTests

* Fixing initialization errors in AccountControllerTests

* Fixing that MembershipServiceTests should use IPasswordService, also making SaltAndPasswordShouldBeDifferentEvenWithSameSourcePassword test parameters more readable

* Specs: Updating the Newtonsoft.Json binding redirect in the spec app's web.config

* Re-enabling the Spec step

* Upgrading actions to latest versions

These actions generated the Node.js 16  deprecation warning

* Removing SpecFlow test execution from the compile workflow

* Testing the branch strategy matrix concept to be used for the nightly build

* Revert "Testing the branch strategy matrix concept to be used for the nightly build"

This reverts commit 1354e36.

* Adding workflow to run specflow tests as a nightly build

* Updating Orchard.Tests.ContentManagement.HqlExpressionTests.ShouldSortRandomly to decrease failure chance due to randomness