
FileSystemStorageProvider shouldn't allow creating folders with "&" in their name

Open HermesSbicego-Laser opened this issue 7 years ago • 5 comments

The "&" in the name of a MediaLibrary folder creates an error when the Media Url is requested.

Repro steps:

  • Create a folder POI&Events in Media Library
  • Upload an image
  • Request the image URL; you will obtain an error

2 possible solutions:

  1. prevent folder creation when the "&" is present
  2. encode the "&" as %26 (as done for spaces " " > %20)

HermesSbicego-Laser avatar Feb 14 '17 13:02 HermesSbicego-Laser

I am working on this, and I found the "&" character in folder names, as is, has another (lesser) issue:

I am checking the files in the "POI&Events" folder at the URL:
https://localhost/Laser.Orchard/NoLaser/Admin/Orchard.MediaLibrary?folderPath=POI&Events

I hit refresh. I find myself at the URL:
https://localhost/Laser.Orchard/NoLaser/Admin/Orchard.MediaLibrary?folderPath=POI

In my case I have no folder there, but this may become an issue if I did.

MatteoPiovanelli-Laser avatar Feb 15 '17 10:02 MatteoPiovanelli-Laser

Even replacing the "&" with "%26" when generating the MediaUrl, there is an error attempting to access resources there. Something like (the text may not be accurate because my system is in Italian):

System.Web.HttpException: Potentially dangerous Request.Path value detected by client (&).

Stack Trace:
[HttpException (0x80004005): Valore potenzialmente pericoloso Request.Path rilevato dal client (&).]
   System.Web.HttpRequest.ValidateInputIfRequiredByConfig() +11999147
   System.Web.PipelineStepManager.ValidateHelper(HttpContext context) +55

That leads me to think that the correct solution would be preventing folder names from containing the character at all.

MatteoPiovanelli-Laser avatar Feb 15 '17 11:02 MatteoPiovanelli-Laser

I assume this is the case with every char that is not allowed by this filter: < > * % & : \ ?

sebastienros avatar Feb 15 '17 16:02 sebastienros

By testing, without digging through the code, I found that a few of those are actually handled already:

| Symbol | Behaviour | TODO |
|--------|-----------|------|
| < | Edit/Create: Exception when hitting save. | yes |
| > | Edit/Create: Validation error. | no |
| * | Edit/Create: Validation error. | no |
| % | Edit/Create: Pass. The character is encoded as '%25' in the URL of MediaLibrary actions, but not in the calls to get the media URLs. As is, those give "Bad Request - Invalid URL"; encoding the symbol gives the HttpException. | yes |
| : | Edit/Create: Validation error. | no |
| \ / | Create: Creates folder and subfolder. Edit: DirectoryNotFoundException, or it moves the folder. | yes |
| ? | Edit/Create: Validation error. | no |

Only three of those need handling, after all.

MatteoPiovanelli-Laser avatar Feb 16 '17 07:02 MatteoPiovanelli-Laser

See updates to #7577

MatteoPiovanelli-Laser avatar Feb 16 '17 13:02 MatteoPiovanelli-Laser

Fixed in #6792.

BenedekFarkas avatar May 14 '24 17:05 BenedekFarkas
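
Added example, not part of the thread and not Orchard's own code: a stand-alone C# check for the first proposed solution (refusing the characters listed in the thread when a folder is created), which also reproduces why the unencoded "&" left `folderPath=POI` after a refresh. The class and method names are hypothetical, the sample names are constructed, and `System.Web.HttpUtility` is assumed to be available.

```csharp
using System;
using System.Web; // HttpUtility.ParseQueryString

// Hypothetical helper for illustration; not the FileSystemStorageProvider implementation.
public static class FolderNameCheck
{
    // Characters named in the thread: the filter list (< > * % & : \ ?)
    // plus '/' from the test table, which creates a subfolder.
    private static readonly char[] Rejected =
        { '<', '>', '*', '%', '&', ':', '\\', '?', '/' };

    // Returns false and a reason when the name contains a rejected character.
    public static bool IsValid(string name, out string reason)
    {
        if (string.IsNullOrWhiteSpace(name))
        {
            reason = "empty name";
            return false;
        }
        int i = name.IndexOfAny(Rejected);
        if (i >= 0)
        {
            reason = $"character '{name[i]}' at position {i}";
            return false;
        }
        reason = null;
        return true;
    }

    // The folderPath value a server parses out of a raw query string.
    public static string FolderPathSeenByServer(string rawQuery)
        => HttpUtility.ParseQueryString(rawQuery)["folderPath"];

    public static void Main()
    {
        // Constructed sample folder names.
        foreach (var name in new[] { "POI&Events", "POI Events", "a/b", "50%" })
        {
            Console.WriteLine(IsValid(name, out var reason)
                ? $"{name}: accepted"
                : $"{name}: rejected ({reason})");
        }

        // Unencoded "&" splits the query, so folderPath is cut at "POI".
        Console.WriteLine(FolderPathSeenByServer("folderPath=POI&Events"));
        // Percent-encoding keeps the query-string value intact.
        Console.WriteLine(FolderPathSeenByServer(
            "folderPath=" + Uri.EscapeDataString("POI&Events")));
    }
}
```

Percent-encoding only protects the query-string case; as reported in the thread, a "%26" in the media URL path still raised the `HttpException`, which is why the check rejects the character at creation time.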