aljaz/btcpayserver
1
0
Fork 0
mirror of https://github.com/aljazceru/btcpayserver.git synced 2025-12-17 14:04:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

Harden file type inputs (#4635)

Browse Source
This commit is contained in:
Nicolas Dorier
2023-02-14 17:03:12 +09:00
committed by GitHub
parent 7ad91a76cd
commit fea27b900c
7 changed files with 252 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

68
BTCPayServer/Controllers/UIStoresController.cs
View File

@@ -27,6 +27,7 @@ using BTCPayServer.Services.Stores;
using BTCPayServer.Services.Wallets;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Rendering;
@@ -658,28 +659,41 @@ namespace BTCPayServer.Controllers
if (model.LogoFile != null)
{
if (model.LogoFile.ContentType.StartsWith("image/", StringComparison.InvariantCulture))
if (model.LogoFile.Length > 1_000_000)
{
// delete existing image
if (!string.IsNullOrEmpty(blob.LogoFileId))
{
await _fileService.RemoveFile(blob.LogoFileId, userId);
}
// add new image
try
{
var storedFile = await _fileService.AddFile(model.LogoFile, userId);
blob.LogoFileId = storedFile.Id;
}
catch (Exception e)
{
TempData[WellKnownTempData.ErrorMessage] = $"Could not save logo: {e.Message}";
}
TempData[WellKnownTempData.ErrorMessage] = "The uploaded logo file should be less than 1MB";
}
else if (!model.LogoFile.ContentType.StartsWith("image/", StringComparison.InvariantCulture))
{
TempData[WellKnownTempData.ErrorMessage] = "The uploaded logo file needs to be an image";
}
else
{
TempData[WellKnownTempData.ErrorMessage] = "The uploaded logo file needs to be an image";
var formFile = await model.LogoFile.Bufferize();
if (!FileTypeDetector.IsPicture(formFile.Buffer, formFile.FileName))
{
TempData[WellKnownTempData.ErrorMessage] = "The uploaded logo file needs to be an image";
}
else
{
model.LogoFile = formFile;
// delete existing image
if (!string.IsNullOrEmpty(blob.LogoFileId))
{
await _fileService.RemoveFile(blob.LogoFileId, userId);
}
// add new image
try
{
var storedFile = await _fileService.AddFile(model.LogoFile, userId);
blob.LogoFileId = storedFile.Id;
}
catch (Exception e)
{
TempData[WellKnownTempData.ErrorMessage] = $"Could not save logo: {e.Message}";
}
}
}
}
else if (RemoveLogoFile && !string.IsNullOrEmpty(blob.LogoFileId))
@@ -691,7 +705,19 @@ namespace BTCPayServer.Controllers
if (model.CssFile != null)
{
if (model.CssFile.ContentType.Equals("text/css", StringComparison.InvariantCulture))
if (model.CssFile.Length > 1_000_000)
{
TempData[WellKnownTempData.ErrorMessage] = "The uploaded file should be less than 1MB";
}
else if (!model.CssFile.ContentType.Equals("text/css", StringComparison.InvariantCulture))
{
TempData[WellKnownTempData.ErrorMessage] = "The uploaded file needs to be a CSS file";
}
else if (!model.CssFile.FileName.EndsWith(".css", StringComparison.OrdinalIgnoreCase))
{
TempData[WellKnownTempData.ErrorMessage] = "The uploaded file needs to be a CSS file";
}
else
{
// delete existing CSS file
if (!string.IsNullOrEmpty(blob.CssFileId))
@@ -710,10 +736,6 @@ namespace BTCPayServer.Controllers
TempData[WellKnownTempData.ErrorMessage] = $"Could not save CSS file: {e.Message}";
}
}
else
{
TempData[WellKnownTempData.ErrorMessage] = "The uploaded file needs to be a CSS file";
}
}
else if (RemoveCssFile && !string.IsNullOrEmpty(blob.CssFileId))
{