private void FillImageInfo(Stream fileStream, ref Services.FileSystem.FileInfo fileInfo)
{
var imageExtensions = new FileExtensionWhitelist(Common.Globals.glbImageFileTypes);
if (imageExtensions.IsAllowedExtension(fileInfo.Extension))
{
System.Drawing.Image img = null;
try
{
img = System.Drawing.Image.FromStream(fileStream);
fileInfo.Size = fileStream.Length > int.MaxValue ? int.MaxValue : int.Parse(fileStream.Length.ToString(CultureInfo.InvariantCulture));
fileInfo.Width = img.Width;
fileInfo.Height = img.Height;
}
catch
{
// error loading image file
fileInfo.ContentType = "application/octet-stream";
}
finally
{
if (img != null)
{
img.Dispose();
}
}
}
}
public CheckResult Execute()
{
var result = new CheckResult(SeverityEnum.Unverified, Id);
var allowedExtensions = new FileExtensionWhitelist(HostController.Instance.GetString("FileExtensions"));
try
{
if (allowedExtensions.IsAllowedExtension("asp") ||
allowedExtensions.IsAllowedExtension("aspx") ||
allowedExtensions.IsAllowedExtension("php"))
{
result.Severity = SeverityEnum.Failure;
result.Notes.Add("Extensions: " + allowedExtensions.ToDisplayString());
}
else
{
result.Severity = SeverityEnum.Pass;
}
}
catch (Exception)
{
throw;
}
return(result);
}
/// <summary>
/// Builds a regular expression to validate the a given filename ends with a file extension in the provided (comma-delimited) list.
/// </summary>
/// <remarks>
/// A description of the regular expression: <c>.*\.(?:[Pp][Dd][Ff]|[Dd][Oo][Cc][Xx]|[Ee][Tt][Cc])$</c>
/// <c>.*\.</c>
/// Any character, any number of repetitions
/// Literal <c>.</c>
/// Match expression but don't capture it. <c>[Pp][Dd][Ff]|[Dd][Oo][Cc][Xx]|[Ee][Tt][Cc]</c>
/// Select from alternatives
/// <c>[Pp][Dd][Ff]</c>
/// Any character in this class: <c>[Pp]</c>
/// Any character in this class: <c>[Dd]</c>
/// Any character in this class: <c>[Ff]</c>
/// <c>[Dd][Oo][Cc][Xx]</c>
/// Any character in this class: <c>[Dd]</c>
/// Any character in this class: <c>[Oo]</c>
/// Any character in this class: <c>[Cc]</c>
/// Any character in this class: <c>[Xx]</c>
/// <c>[Ee][Tt][Cc]</c>
/// Any character in this class: <c>[Ee]</c>
/// Any character in this class: <c>[Tt]</c>
/// Any character in this class: <c>[Cc]</c>
/// End of line or string
/// </remarks>
/// <param name="fileExtensionsList">The comma-delimited list of acceptable file extensions.</param>
/// <returns>A regular expression which only matches filenames with a file extension in the given list</returns>
private static string BuildFileExtensionValidationExpression(FileExtensionWhitelist fileExtensionsList)
{
var caseInsensitiveExtensionRegularExpressions = fileExtensionsList.AllowedExtensions.Select(
ext => ext.Select(
ch => string.Format(
CultureInfo.InvariantCulture,
"[{0}{1}]",
char.ToUpperInvariant(ch),
char.ToLowerInvariant(ch))));
return(string.Format(
CultureInfo.InvariantCulture,
@".*\.(?:{0})$",
string.Join("|", caseInsensitiveExtensionRegularExpressions)));
}
public static bool IsFileValid(InstallFile file, string packageWhiteList)
{
//Check the White List
FileExtensionWhitelist whiteList = Host.AllowedExtensionWhitelist;
//Check the White Lists
string strExtension = file.Extension.ToLowerInvariant();
if ((strExtension == "dnn" || whiteList.IsAllowedExtension(strExtension) || packageWhiteList.Contains(strExtension) ||
(packageWhiteList.Contains("*dataprovider") && strExtension.EndsWith("dataprovider"))))
{
//Install File is Valid
return(true);
}
return(false);
}
/// <summary>
/// This function loops through every portal that has set its own AllowedExtensionWhitelist
/// and checks that there are no extensions there that are restriced by the host
///
/// The only time we should call this is if the host allowed extensions list has changed.
/// </summary>
/// <param name="newMasterList">Comma separated list of extensions that govern all users on this installation.</param>
public void CheckAllPortalFileExtensionWhitelists(string newMasterList)
{
var masterList = new FileExtensionWhitelist(newMasterList);
var portalSettings = Data.DataProvider.Instance().GetPortalSettingsBySetting("AllowedExtensionsWhitelist", null);
foreach (var portalId in portalSettings.Keys)
{
if (!string.IsNullOrEmpty(portalSettings[portalId]))
{
var portalExts = new FileExtensionWhitelist(portalSettings[portalId]);
var newValue = portalExts.RestrictBy(masterList).ToStorageString();
if (newValue != portalSettings[portalId])
{
PortalController.UpdatePortalSetting(portalId, "AllowedExtensionsWhitelist", newValue, false);
}
}
}
}
public HttpResponseMessage UpdateOtherSettings(UpdateOtherSettingsRequest request)
{
try
{
HostController.Instance.Update("ShowCriticalErrors", request.ShowCriticalErrors ? "Y" : "N", false);
HostController.Instance.Update("DebugMode", request.DebugMode ? "True" : "False", false);
HostController.Instance.Update("RememberCheckbox", request.RememberCheckbox ? "Y" : "N", false);
HostController.Instance.Update("AutoAccountUnlockDuration", request.AutoAccountUnlockDuration.ToString(), false);
HostController.Instance.Update("AsyncTimeout", request.AsyncTimeout.ToString(), false);
var oldExtensionList = Host.AllowedExtensionWhitelist.ToStorageString();
var fileExtensions = new FileExtensionWhitelist(request.AllowedExtensionWhitelist);
var newExtensionList = fileExtensions.ToStorageString();
HostController.Instance.Update("FileExtensions", newExtensionList, false);
if (oldExtensionList != newExtensionList)
{
PortalSecurity.Instance.CheckAllPortalFileExtensionWhitelists(newExtensionList);
}
var defaultEndUserExtensionWhitelist = new FileExtensionWhitelist(request.DefaultEndUserExtensionWhitelist);
defaultEndUserExtensionWhitelist = defaultEndUserExtensionWhitelist.RestrictBy(fileExtensions);
HostController.Instance.Update("DefaultEndUserExtensionWhitelist", defaultEndUserExtensionWhitelist.ToStorageString(), false);
var maxCurrentRequest = Config.GetMaxUploadSize();
var maxUploadByMb = request.MaxUploadSize * 1024 * 1024;
if (maxCurrentRequest != maxUploadByMb)
{
Config.SetMaxUploadSize(maxUploadByMb);
}
DataCache.ClearCache();
return(this.Request.CreateResponse(HttpStatusCode.OK, new { Success = true }));
}
catch (Exception exc)
{
Logger.Error(exc);
return(this.Request.CreateErrorResponse(HttpStatusCode.InternalServerError, exc));
}
}
