private void FillImageInfo(Stream fileStream, ref Services.FileSystem.FileInfo fileInfo) { var imageExtensions = new FileExtensionWhitelist(Common.Globals.glbImageFileTypes); if (imageExtensions.IsAllowedExtension(fileInfo.Extension)) { System.Drawing.Image img = null; try { img = System.Drawing.Image.FromStream(fileStream); fileInfo.Size = fileStream.Length > int.MaxValue ? int.MaxValue : int.Parse(fileStream.Length.ToString(CultureInfo.InvariantCulture)); fileInfo.Width = img.Width; fileInfo.Height = img.Height; } catch { // error loading image file fileInfo.ContentType = "application/octet-stream"; } finally { if (img != null) { img.Dispose(); } } } }
public CheckResult Execute() { var result = new CheckResult(SeverityEnum.Unverified, Id); var allowedExtensions = new FileExtensionWhitelist(HostController.Instance.GetString("FileExtensions")); try { if (allowedExtensions.IsAllowedExtension("asp") || allowedExtensions.IsAllowedExtension("aspx") || allowedExtensions.IsAllowedExtension("php")) { result.Severity = SeverityEnum.Failure; result.Notes.Add("Extensions: " + allowedExtensions.ToDisplayString()); } else { result.Severity = SeverityEnum.Pass; } } catch (Exception) { throw; } return(result); }
/// <summary> /// Builds a regular expression to validate the a given filename ends with a file extension in the provided (comma-delimited) list. /// </summary> /// <remarks> /// A description of the regular expression: <c>.*\.(?:[Pp][Dd][Ff]|[Dd][Oo][Cc][Xx]|[Ee][Tt][Cc])$</c> /// <c>.*\.</c> /// Any character, any number of repetitions /// Literal <c>.</c> /// Match expression but don't capture it. <c>[Pp][Dd][Ff]|[Dd][Oo][Cc][Xx]|[Ee][Tt][Cc]</c> /// Select from alternatives /// <c>[Pp][Dd][Ff]</c> /// Any character in this class: <c>[Pp]</c> /// Any character in this class: <c>[Dd]</c> /// Any character in this class: <c>[Ff]</c> /// <c>[Dd][Oo][Cc][Xx]</c> /// Any character in this class: <c>[Dd]</c> /// Any character in this class: <c>[Oo]</c> /// Any character in this class: <c>[Cc]</c> /// Any character in this class: <c>[Xx]</c> /// <c>[Ee][Tt][Cc]</c> /// Any character in this class: <c>[Ee]</c> /// Any character in this class: <c>[Tt]</c> /// Any character in this class: <c>[Cc]</c> /// End of line or string /// </remarks> /// <param name="fileExtensionsList">The comma-delimited list of acceptable file extensions.</param> /// <returns>A regular expression which only matches filenames with a file extension in the given list</returns> private static string BuildFileExtensionValidationExpression(FileExtensionWhitelist fileExtensionsList) { var caseInsensitiveExtensionRegularExpressions = fileExtensionsList.AllowedExtensions.Select( ext => ext.Select( ch => string.Format( CultureInfo.InvariantCulture, "[{0}{1}]", char.ToUpperInvariant(ch), char.ToLowerInvariant(ch)))); return(string.Format( CultureInfo.InvariantCulture, @".*\.(?:{0})$", string.Join("|", caseInsensitiveExtensionRegularExpressions))); }
public static bool IsFileValid(InstallFile file, string packageWhiteList) { //Check the White List FileExtensionWhitelist whiteList = Host.AllowedExtensionWhitelist; //Check the White Lists string strExtension = file.Extension.ToLowerInvariant(); if ((strExtension == "dnn" || whiteList.IsAllowedExtension(strExtension) || packageWhiteList.Contains(strExtension) || (packageWhiteList.Contains("*dataprovider") && strExtension.EndsWith("dataprovider")))) { //Install File is Valid return(true); } return(false); }
/// <summary> /// This function loops through every portal that has set its own AllowedExtensionWhitelist /// and checks that there are no extensions there that are restriced by the host /// /// The only time we should call this is if the host allowed extensions list has changed. /// </summary> /// <param name="newMasterList">Comma separated list of extensions that govern all users on this installation.</param> public void CheckAllPortalFileExtensionWhitelists(string newMasterList) { var masterList = new FileExtensionWhitelist(newMasterList); var portalSettings = Data.DataProvider.Instance().GetPortalSettingsBySetting("AllowedExtensionsWhitelist", null); foreach (var portalId in portalSettings.Keys) { if (!string.IsNullOrEmpty(portalSettings[portalId])) { var portalExts = new FileExtensionWhitelist(portalSettings[portalId]); var newValue = portalExts.RestrictBy(masterList).ToStorageString(); if (newValue != portalSettings[portalId]) { PortalController.UpdatePortalSetting(portalId, "AllowedExtensionsWhitelist", newValue, false); } } } }
public HttpResponseMessage UpdateOtherSettings(UpdateOtherSettingsRequest request) { try { HostController.Instance.Update("ShowCriticalErrors", request.ShowCriticalErrors ? "Y" : "N", false); HostController.Instance.Update("DebugMode", request.DebugMode ? "True" : "False", false); HostController.Instance.Update("RememberCheckbox", request.RememberCheckbox ? "Y" : "N", false); HostController.Instance.Update("AutoAccountUnlockDuration", request.AutoAccountUnlockDuration.ToString(), false); HostController.Instance.Update("AsyncTimeout", request.AsyncTimeout.ToString(), false); var oldExtensionList = Host.AllowedExtensionWhitelist.ToStorageString(); var fileExtensions = new FileExtensionWhitelist(request.AllowedExtensionWhitelist); var newExtensionList = fileExtensions.ToStorageString(); HostController.Instance.Update("FileExtensions", newExtensionList, false); if (oldExtensionList != newExtensionList) { PortalSecurity.Instance.CheckAllPortalFileExtensionWhitelists(newExtensionList); } var defaultEndUserExtensionWhitelist = new FileExtensionWhitelist(request.DefaultEndUserExtensionWhitelist); defaultEndUserExtensionWhitelist = defaultEndUserExtensionWhitelist.RestrictBy(fileExtensions); HostController.Instance.Update("DefaultEndUserExtensionWhitelist", defaultEndUserExtensionWhitelist.ToStorageString(), false); var maxCurrentRequest = Config.GetMaxUploadSize(); var maxUploadByMb = request.MaxUploadSize * 1024 * 1024; if (maxCurrentRequest != maxUploadByMb) { Config.SetMaxUploadSize(maxUploadByMb); } DataCache.ClearCache(); return(this.Request.CreateResponse(HttpStatusCode.OK, new { Success = true })); } catch (Exception exc) { Logger.Error(exc); return(this.Request.CreateErrorResponse(HttpStatusCode.InternalServerError, exc)); } }