Orchard
FileSystemStorageProvider shouldn't allow creating folders with "&" in their name
The "&" in the name of a MediaLibrary folder creates an error when the Media Url is requested.
Repro steps:
- Create a folder POI&Events in Media Library
- Upload an image
- Request the image URL; you will obtain an error
2 possible solutions:
- prevent folder creation when the "&" is present
- encode the "&" as %26 (as done for spaces " " > %20)
I am working on this, and I found the "&" character in folder names, as is, has another (lesser) issue:
I am checking the files in the "POI&Events" folder at the URL: https://localhost/Laser.Orchard/NoLaser/Admin/Orchard.MediaLibrary?folderPath=POI&Events I hit refresh. I find myself at the URL: https://localhost/Laser.Orchard/NoLaser/Admin/Orchard.MediaLibrary?folderPath=POI
In my case I have no folder there, but this may become an issue if I did.
Even replacing the "&" with "%26" when generating the MediaUrl, there is an error attempting to access resources there. Something like (the text may not be accurate because my system is in Italian):
System.Web.HttpException: Potentially dangerous Request.Path value detected by client (&).
Stack Trace:
[HttpException (0x80004005): Valore potenzialmente pericoloso Request.Path rilevato dal client (&).]
System.Web.HttpRequest.ValidateInputIfRequiredByConfig() +11999147
System.Web.PipelineStepManager.ValidateHelper(HttpContext context) +55
That leads me to think that the correct solution would be preventing folder names from containing the character at all.
I assume this is the case with every char that is not allowed by this filter: < > * % & : \ ?
By testing, without digging through the code, I found that a few of those are actually handled already:
Symbol | Behaviour | TODO |
---|---|---|
< | Edit/Create: Exception when hitting save. | yes |
> | Edit/Create: Validation error. | no |
* | Edit/Create: Validation error. | no |
% | Edit/Create: Pass. The character is encoded as '%25' in the URL of MediaLibrary actions, but not in the calls to get the media URLs. As is, those give "Bad Request - Invalid URL"; encoding the symbol gives the HttpException. | yes |
: | Edit/Create: Validation error. | no |
\ / | Create: Creates folder and subfolder. Edit: DirectoryNotFoundException, or it moves the folder. | yes |
? | Edit/Create: Validation error. | no |
Only three of those need handling, after all.
See updates to #7577
Fixed in #6792.
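An added example, not part of the thread and not the code from the referenced fix: a sketch of the "prevent folder creation" option, together with the query-string truncation described for `folderPath=POI&Events`. The class and method names (`MediaFolderNameCheck`, `IsValidFolderName`, `FolderPathSeenByServer`) are hypothetical and are not Orchard APIs; the character set is the one listed in the thread, plus `/` from the table.

```csharp
using System;
using System.Web; // HttpUtility.ParseQueryString

public static class MediaFolderNameCheck
{
    // Characters the thread lists as refused by the request-path filter,
    // plus '/' because the table shows it is treated as a path separator.
    private static readonly char[] Rejected = { '<', '>', '*', '%', '&', ':', '\\', '?', '/' };

    // Hypothetical helper: true when the name can be used as a single folder segment.
    public static bool IsValidFolderName(string name, out char offending)
    {
        offending = '\0';
        if (string.IsNullOrWhiteSpace(name)) return false;
        int i = name.IndexOfAny(Rejected);
        if (i < 0) return true;
        offending = name[i];
        return false;
    }

    // The folderPath value the server parses out of a raw query string.
    public static string FolderPathSeenByServer(string query)
    {
        return HttpUtility.ParseQueryString(query)["folderPath"];
    }

    public static void Main()
    {
        // Constructed sample names covering the rows of the table in the thread.
        foreach (var name in new[] { "POI&Events", "POI Events", "a<b", "50%", @"x\y", "x/y" })
        {
            char c;
            bool ok = IsValidFolderName(name, out c);
            Console.WriteLine("{0,-12} {1}", name, ok ? "accepted" : "rejected ('" + c + "')");
        }

        // An unencoded '&' is a parameter separator, so folderPath ends at it.
        Console.WriteLine(FolderPathSeenByServer("folderPath=POI&Events"));
        // Escaping the value keeps the full name inside the query string.
        Console.WriteLine(FolderPathSeenByServer("folderPath=" + Uri.EscapeDataString("POI&Events")));
        // The thread reports that the encoded name is still refused when it appears
        // in the URL path, which is the argument for rejecting it at creation time.
    }
}
```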