dnnsoftware / Dnn.Platform

DNN (formerly DotNetNuke) is the leading open source web content management platform (CMS) in the Microsoft ecosystem.
https://dnncommunity.org/
MIT License

Unhandled exception when iconFile has ampersand #3106

Open bdukes opened 5 years ago

bdukes commented 5 years ago

Description of bug

I tried to use a URL with a query string for the iconFile of an extension, and got an error.

Steps to reproduce

  1. Produce a package where the iconFile is a URL, e.g. ampersand-icon-demo.zip
  2. Go to Extensions in Persona Bar
  3. Upload the extension

Current result

An error screen without any details

Expected result

A clear error, or the ability to use a URL for an icon file

Screenshots

error image

error "details"

Error log

17:00:51.077-06:00 [etg63][D:4][T:11][FATAL] DotNetNuke.Web.Common.Internal.DotNetNukeHttpApplication - System.ArgumentException: Illegal characters in path.
   at System.Security.Permissions.FileIOPermission.CheckIllegalCharacters(String[] str, Boolean onlyCheckExtras)
   at System.Security.Permissions.FileIOPermission.AddPathList(FileIOPermissionAccess access, AccessControlActions control, String[] pathListOrig, Boolean checkForDuplicates, Boolean needFullPath, Boolean copyPathList)
   at System.Security.Permissions.FileIOPermission..ctor(FileIOPermissionAccess access, String path)
   at System.Web.InternalSecurityPermissions.PathDiscovery(String path)
   at System.Web.HttpRequest.MapPath(VirtualPath virtualPath, VirtualPath baseVirtualDir, Boolean allowCrossAppMapping)
   at System.Web.HttpServerUtility.MapPath(String path)
   at Dnn.PersonaBar.Extensions.Components.ExtensionsController.IconExists(String imagePath)
   at Dnn.PersonaBar.Extensions.Components.ExtensionsController.GetPackageIcon(PackageInfo package)
   at Dnn.PersonaBar.Extensions.Components.Dto.PackageInfoDto..ctor(Int32 portalId, PackageInfo package)
   at Dnn.PersonaBar.Extensions.Components.InstallController.ParsePackage(PortalSettings portalSettings, UserInfo user, String filePath, Stream stream)
   at Dnn.PersonaBar.Extensions.Services.ExtensionsController.<>c__DisplayClass40_1.b__1(Object )
   at System.Web.Util.SynchronizationHelper.SafeWrapCallback(Action action)

Additional context

When there is any sort of error while reading a package (including expected "errors", such as an unmet dependency), the details of the error are not provided or even added to the Event Log. This requires watching the network traffic or viewing the log4net log file to find the source of the issue.

Affected version

mvanlaar commented 5 years ago

I've seen IIS block access to files with & in the file names. So I don't know if it's a bug of DNN, the filesystem or IIS.

valadas commented 5 years ago

At the bare minimum, we need to improve the error messages. Moving this issue to AdminExperience.
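An added example, not part of the thread and not DNN's own code: one way to treat a manifest `iconFile` as untrusted input, so that a URL is never handed to path mapping and a value the mapper rejects produces a message instead of the unhandled `ArgumentException` in the log above. `IconResolver`, `TryResolve`, the `mapPath` delegate (standing in for `HttpServerUtility.MapPath`) and the sample values are all assumptions.

```csharp
using System;
using System.IO;

// Added illustration, not DNN source. IconResolver and TryResolve are hypothetical names.
public static class IconResolver
{
    // Returns true with a usable location, or false with a message for the UI or Event Log.
    // mapPath stands in for the virtual-to-physical mapping seen in the stack trace.
    public static bool TryResolve(string iconFile, Func<string, string> mapPath,
                                  out string location, out string error)
    {
        location = null;
        error = null;
        if (string.IsNullOrWhiteSpace(iconFile)) { error = "iconFile is empty."; return false; }

        // An absolute http(s) URL is not a file-system path, so it is never mapped.
        Uri uri;
        if (Uri.TryCreate(iconFile, UriKind.Absolute, out uri) &&
            (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps))
        {
            location = uri.AbsoluteUri;
            return true;
        }
        try
        {
            string physical = mapPath(iconFile);
            if (File.Exists(physical)) { location = physical; return true; }
            error = "iconFile '" + iconFile + "' was not found.";
        }
        catch (ArgumentException ex) // e.g. "Illegal characters in path."
        {
            error = "iconFile '" + iconFile + "' is not a valid path: " + ex.Message;
        }
        return false;
    }

    public static void Main()
    {
        // Constructed stand-in mapper: rejects a query string the way the logged call did.
        Func<string, string> mapper = p =>
        {
            if (p.IndexOf('?') >= 0) throw new ArgumentException("Illegal characters in path.");
            return Path.Combine(Path.GetTempPath(), p.TrimStart('~', '/'));
        };
        // Constructed sample iconFile values.
        foreach (string v in new[] { "https://example.com/i.png?w=32&h=32", "Images/i.png?w=32&h=32", "~/Images/i.png" })
        {
            string loc, err;
            bool ok = TryResolve(v, mapper, out loc, out err);
            Console.WriteLine("{0} -> {1}", v, ok ? loc : err);
        }
    }
}
```

The error string contains the manifest value, so it should be HTML-encoded wherever it is rendered.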