Closed Kukks closed 5 years ago
This looks great. Thanks!
No problem, will you do a release soon since this is a bit of vulnerability?
Just pushed as 2.11.1. Should be indexed by Nuget shortly
Awesome, thanks!
IMHO, this fix is fragile code. The proper way to fix it is to use Path.Combine
and then verify on the full path that the path start with dir
AFTER the concat with the blobName.
There is no need of regex, the regex part is complicated to read, maybe not right (are you sure this is the only way on all plateforms to prevent this type of attack?) and time consuming.
Also limit the blob name to ASCII alphabet...
Sorry, talked with Kukks and the check is correctly done. Though the regex is useless and wrong. (matching the first char which is ASCII)
@NicolasDorier Feel free to submit a cleanup or better solution. Thanks
@NicolasDorier and @Kukks a new version 2.11.2 is on its way to Nuget that removes the Regex check, because you are right, it is not needed.
Email me at evilkukka@gmail.com for more info