Trying to upload a filename `my filename..jpg` results in error: "Invalid file or folder name"
But this is a valid filename.
Firstly - does CKFinder have a bug tracker or is this forum the only way of reporting bugs?
Secondly, to fix -
I'm assuming that checking for two dots is a security thing to prevent accessing the parent directory (but I'm no security expert!) So instead of checking for the presence of two dots anywhere in the filename, I'm only concerned if two dots appear next to a directory separator (in this case backslash on a windows server)
So, I modified Connector.cs [line 235]
It would be great if someone from the CK team could verify that this change is safe from a security point of view, and merge into the next release.
Thanks,
Barry.
But this is a valid filename.
Firstly - does CKFinder have a bug tracker or is this forum the only way of reporting bugs?
Secondly, to fix -
I'm assuming that checking for two dots is a security thing to prevent accessing the parent directory (but I'm no security expert!) So instead of checking for the presence of two dots anywhere in the filename, I'm only concerned if two dots appear next to a directory separator (in this case backslash on a windows server)
So, I modified Connector.cs [line 235]
- if ( fileName == null || fileName.Length == 0 || fileName.StartsWith( "." ) || fileName.EndsWith( "." ) || fileName.Contains( ".." ) + if ( fileName == null || fileName.Length == 0 || fileName.StartsWith( "." ) || fileName.EndsWith( "." ) || fileName.Contains( "\\.." ) || fileName.Contains( "..\\" ) )
It would be great if someone from the CK team could verify that this change is safe from a security point of view, and merge into the next release.
Thanks,
Barry.