Merge commit from fork

* Ensure imported dictionary item is only processed from the expected temporary uploads folder. * Ensured content type upload input is only a file and not a string that can be interpretted as a file path. * Amend dictionary import to extract file name and prepend path rather than rely on provided path. * Tidied usings. * Ensure file name cannot contain path separator characters.

Author: AndyButland

src/Umbraco.Web.BackOffice/Controllers/ContentTypeController.cs

@@ -674,8 +674,21 @@ public IActionResult Export(int id)
 [Authorize(Policy=AuthorizationPolicies.TreeAccessDocumentTypes)]
 publicIActionResultImport(stringfile)
 {
+if(string.IsNullOrWhiteSpace(file))
+{
+returnNotFound();
+}
+
+// The incoming 'file' parameter we expect to contain the just a file name and extension.
+// We accept only this and no input parameters containing paths, to prevent any path based security exploits.
+varinvalidFileNameChars=Path.GetInvalidFileNameChars();
+if(file.IndexOfAny(invalidFileNameChars)>=0||file.Contains(Path.DirectorySeparatorChar)||file.Contains(Path.AltDirectorySeparatorChar))
+{
+returnNotFound();
+}
+
 varfilePath=Path.Combine(_hostingEnvironment.MapPathContentRoot(Constants.SystemDirectories.TempFileUploads),file);
-if(string.IsNullOrEmpty(file)||!System.IO.File.Exists(filePath))
+if(System.IO.File.Exists(filePath)isfalse)
 {
 returnNotFound();
 }

src/Umbraco.Web.BackOffice/Controllers/DictionaryController.cs

@@ -1,27 +1,27 @@
-usingSystem.Xml;
 usingSystem.Globalization;
 usingSystem.Net.Mime;
 usingSystem.Text;
+usingSystem.Xml;
+usingSystem.Xml.Linq;
 usingMicrosoft.AspNetCore.Authorization;
+usingMicrosoft.AspNetCore.Http;
 usingMicrosoft.AspNetCore.Mvc;
+usingMicrosoft.Extensions.DependencyInjection;
 usingMicrosoft.Extensions.Logging;
 usingMicrosoft.Extensions.Options;
 usingUmbraco.Cms.Core;
 usingUmbraco.Cms.Core.Configuration.Models;
 usingUmbraco.Cms.Core.DependencyInjection;
+usingUmbraco.Cms.Core.Hosting;
 usingUmbraco.Cms.Core.Mapping;
 usingUmbraco.Cms.Core.Models;
 usingUmbraco.Cms.Core.Models.ContentEditing;
-usingUmbraco.Cms.Core.Hosting;
 usingUmbraco.Cms.Core.Security;
 usingUmbraco.Cms.Core.Services;
+usingUmbraco.Cms.Infrastructure.Packaging;
 usingUmbraco.Cms.Web.Common.Attributes;
 usingUmbraco.Cms.Web.Common.Authorization;
 usingUmbraco.Extensions;
-usingUmbraco.Cms.Infrastructure.Packaging;
-usingSystem.Xml.Linq;
-usingMicrosoft.AspNetCore.Http;
-usingMicrosoft.Extensions.DependencyInjection;
 
 namespaceUmbraco.Cms.Web.BackOffice.Controllers;
 
@@ -460,7 +460,17 @@ public IActionResult ImportDictionary(string file, int parentId)
 returnNotFound();
 }
 
-varfilePath=Path.Combine(_hostingEnvironment.MapPathContentRoot(Constants.SystemDirectories.Data),file);
+// The incoming 'file' parameter we expect to contain the full path to the uploaded file.
+// We accept only files coming from the uploads folder to prevent any path based security exploits.
+varfileName=Path.GetFileName(file);
+varinvalidFileNameChars=Path.GetInvalidFileNameChars();
+if(fileName.IndexOfAny(invalidFileNameChars)>=0||fileName.Contains(Path.DirectorySeparatorChar)||fileName.Contains(Path.AltDirectorySeparatorChar))
+{
+returnNotFound();
+}
+
+varroot=_hostingEnvironment.MapPathContentRoot(Constants.SystemDirectories.TempFileUploads);
+varfilePath=Path.Combine(root,fileName);
 if(!System.IO.File.Exists(filePath))
 {
 returnNotFound();