FileSystemStorageProvider shouldn't allow creating folders with "&" in their name #7572

Closed
HermesSbicego-Laser opened this issue Feb 14, 2017 · 6 comments

@HermesSbicego-Laser
Contributor

The "&" in the name of a MediaLibrary folder creates an error when the Media Url is requested.
Repro steps:

  • Create a folder POI&Events in Media Library
  • Upload an image
  • Request the image URL
    you will obtain an error

2 possible solutions:

  1. prevent folder creation when the "&" is present
  2. encode the "&" as %26 (as done for spaces " " > %20)
@MatteoPiovanelli-Laser
Contributor

I am working on this, and I found the "&" character in folder names, as is, has another (lesser) issue:

I am checking the files in the "POI&Events" folder at the URL:
https://localhost/Laser.Orchard/NoLaser/Admin/Orchard.MediaLibrary?folderPath=POI&Events
I hit refresh. I find myself at the URL:
https://localhost/Laser.Orchard/NoLaser/Admin/Orchard.MediaLibrary?folderPath=POI

In my case I have no folder there, but this may become an issue if I did.

@MatteoPiovanelli-Laser
Contributor

Even replacing the "&" with "%26" when generating the MediaUrl, there is an error attempting to access resources there. Something like (the text may not be accurate because my system is in Italian):

System.Web.HttpException: Potentially dangerous Request.Path value detected by client (&).

Stack Trace:
[HttpException (0x80004005): Valore potenzialmente pericoloso Request.Path rilevato dal client (&).]
   System.Web.HttpRequest.ValidateInputIfRequiredByConfig() +11999147
   System.Web.PipelineStepManager.ValidateHelper(HttpContext context) +55

That leads me to think that the correct solution would be preventing folder names from containing the character at all.

@sebastienros
Member

I assume this is the case with every char that is not allowed by this filter:
< > * % & : \ ?

@MatteoPiovanelli-Laser
Contributor

MatteoPiovanelli-Laser commented Feb 16, 2017

By testing, without digging through the code, I found that a few of those are actually handled already:

| Symbol | Behaviour | TODO |
| --- | --- | --- |
| `<` | Edit/Create: Exception when hitting save. | yes |
| `>` | Edit/Create: Validation error. | no |
| `*` | Edit/Create: Validation error. | no |
| `%` | Edit/Create: Pass. The character is encoded as '%25' in the URL of MediaLibrary actions, but not in the calls to get the media URLs. As is, those give "Bad Request - Invalid URL"; encoding the symbol gives the HttpException. | yes |
| `:` | Edit/Create: Validation error. | no |
| `\` `/` | Create: Creates folder and subfolder. Edit: DirectoryNotFoundException, or it moves the folder. | yes |
| `?` | Edit/Create: Validation error. | no |

Only three of those need handling, after all.
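
The two behaviours discussed above (rejecting the listed characters in a folder name, and the raw "&" cutting `folderPath` short on refresh), as an added example that is not part of the thread or of Orchard's code. `FolderNameCheck` and its members are hypothetical names, and the folder names in `Main` are constructed samples.

```csharp
using System;
using System.Linq;
using System.Web; // HttpUtility (System.Web.dll, or System.Web.HttpUtility on .NET Core and later)

// Added example; FolderNameCheck and its members are hypothetical names, not Orchard APIs.
public static class FolderNameCheck
{
    // The characters listed in the thread, plus '/' which the thread's table pairs with '\'.
    private static readonly char[] Rejected = { '<', '>', '*', '%', '&', ':', '\\', '?', '/' };

    // Returns the distinct rejected characters present in a proposed folder name.
    public static char[] FindRejected(string folderName)
    {
        if (string.IsNullOrWhiteSpace(folderName))
            throw new ArgumentException("Folder name is required.", nameof(folderName));
        return folderName.Where(c => Rejected.Contains(c)).Distinct().ToArray();
    }

    public static bool IsValid(string folderName)
    {
        return FindRejected(folderName).Length == 0;
    }

    // Returns the folderPath value a server-side query-string parser extracts.
    public static string FolderPathSeenByServer(string query)
    {
        return HttpUtility.ParseQueryString(query)["folderPath"];
    }

    public static void Main()
    {
        // Constructed sample names.
        foreach (var name in new[] { "POI&Events", "POI and Events", "a%b", @"x\y" })
        {
            var bad = FindRejected(name).Select(c => c.ToString());
            Console.WriteLine("{0}: {1}", name,
                IsValid(name) ? "accepted" : "rejected (" + string.Join(" ", bad) + ")");
        }

        // A raw "&" ends the folderPath parameter, so the value is cut short.
        Console.WriteLine(FolderPathSeenByServer("folderPath=POI&Events"));

        // Percent-encoding keeps the value whole in a query string. The thread reports
        // that %26 in the request *path* still fails request validation.
        var encoded = "folderPath=" + Uri.EscapeDataString("POI&Events");
        Console.WriteLine(FolderPathSeenByServer(encoded));
    }
}
```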

@MatteoPiovanelli-Laser
Contributor

See updates to #7577

@sebastienros sebastienros added this to the Orchard 1.10.x milestone Feb 16, 2017
@BenedekFarkas BenedekFarkas changed the title FileSystemStorageProvider permit to create folders with "&" FileSystemStorageProvider shouldn't allow creating folders with "&" in their name Apr 8, 2024
@BenedekFarkas
Member

Fixed in #6792.
