alteropen/jellyfin
1
0
Fork 0
mirror of https://github.com/jellyfin/jellyfin.git synced 2026-04-16 07:12:18 +01:00
Code Issues Actions 8 Packages Projects Releases Wiki Activity

Merge pull request from GHSA-9p5f-5x8v-x65m

Browse Source 
Throw exception on path traversal in WriteDocumentAsync
This commit is contained in:
Joshua M. Boniface
2023-04-23 10:59:32 -04:00
committed by GitHub
parent d5a8419bc5 faac37bcf9
commit 82ad2633fd
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
MediaBrowser.Controller/ClientEvent/ClientEventLogger.cs
View File

@@ -23,6 +23,11 @@ namespace MediaBrowser.Controller.ClientEvent
{
var fileName = $"upload_{clientName}_{clientVersion}_{DateTime.UtcNow:yyyyMMddHHmmss}_{Guid.NewGuid():N}.log";
var logFilePath = Path.Combine(_applicationPaths.LogDirectoryPath, fileName);
if (!Path.GetFullPath(logFilePath).StartsWith(_applicationPaths.LogDirectoryPath, StringComparison.Ordinal))
{
throw new ArgumentException("Path resolved to filename not in log directory");
}
await using var fileStream = new FileStream(logFilePath, FileMode.CreateNew, FileAccess.Write, FileShare.None);
await fileContents.CopyToAsync(fileStream).ConfigureAwait(false);
return fileName;