Better validate file names

2025-12-17 22:14:26 +01:00 · 2021-03-19 18:55:07 +09:00
parent fc78eacf8f
commit 73d70aa5e5
7 changed files with 39 additions and 2 deletions
--- a/BTCPayServer/Controllers/ServerController.Plugins.cs
+++ b/BTCPayServer/Controllers/ServerController.Plugins.cs
@@ -117,7 +117,7 @@ namespace BTCPayServer.Controllers
        public async Task<IActionResult> UploadPlugin([FromServices] PluginService pluginService,
            List<IFormFile> files)
        {
-            foreach (var formFile in files.Where(file => file.Length > 0))
+            foreach (var formFile in files.Where(file => file.Length > 0).Where(file => file.FileName.IsValidFileName()))
            {
                await pluginService.UploadPlugin(formFile);
                pluginService.InstallPlugin(formFile.FileName.TrimEnd(PluginManager.BTCPayPluginSuffix,