juhovh / AaltoTLS


missing input data validation for command line parameters #4

Open douglasheld opened 8 years ago

douglasheld commented 8 years ago

In Main.cs, lines 224/225 two input strings are trimmed but they are not forced to comply with safe or expected input arguments. The effect of this is that a user could abuse the software to open or overwrite a file on the filesystem that they otherwise may not have had access to; or, the possibility lies open to crash/hang the program by sending named pipe designations or special filenames such as COM1, PRN etc.

The general approach should be to first convert the string to a canonical form using the .NET Framework standard file utilities; and then to check attributes of the file (such as its size, location or name extension) before handing off the value to the StreamReader class.

douglasheld commented 8 years ago

The same goes for TLSClient.cs, line 76. Same goes for TLSServer.cs, line 72.

I would recommend making a common "getValidCommandlineInputFile()" or "isValidCommandlineInputFile()" function to use in all of these circumstances.
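
One way to write the shared helper proposed in this issue, as an added example that is not part of the original comments or of AaltoTLS's code. The class name, the `baseDir` parameter, the allowed extensions and the size limit are assumptions for illustration, and Windows path semantics are assumed.

```csharp
using System;
using System.IO;
using System.Linq;

static class InputFileValidator
{
    const long MaxBytes = 1024 * 1024;                               // assumed size limit
    static readonly string[] AllowedExtensions = { ".pem", ".xml" }; // assumed policy
    static readonly string[] ReservedNames = new[] { "CON", "PRN", "AUX", "NUL" }
        .Concat(Enumerable.Range(1, 9).SelectMany(i => new[] { "COM" + i, "LPT" + i }))
        .ToArray();

    // Hypothetical helper: returns the canonical path or throws ArgumentException.
    public static string GetValidCommandLineInputFile(string arg, string baseDir)
    {
        if (string.IsNullOrWhiteSpace(arg))
            throw new ArgumentException("empty file argument");
        string trimmed = arg.Trim();
        // The Win32 device namespace covers named pipes (\\.\pipe\...) and raw devices.
        if (trimmed.StartsWith(@"\\.\", StringComparison.Ordinal) ||
            trimmed.StartsWith(@"\\?\", StringComparison.Ordinal))
            throw new ArgumentException("device and pipe paths are not accepted");

        // Canonicalize first, then compare against the canonical allowed root.
        char sep = Path.DirectorySeparatorChar;
        string root = Path.GetFullPath(baseDir).TrimEnd(sep) + sep;
        string full = Path.GetFullPath(Path.Combine(root, trimmed));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("path escapes the allowed directory");

        // COM1, PRN, NUL etc. name devices even with an extension (COM1.txt).
        foreach (string part in full.Substring(root.Length).Split(sep))
        {
            string stem = Path.GetFileNameWithoutExtension(part).TrimEnd(' ', '.');
            if (ReservedNames.Contains(stem, StringComparer.OrdinalIgnoreCase))
                throw new ArgumentException("reserved device name: " + part);
        }
        if (!AllowedExtensions.Contains(Path.GetExtension(full), StringComparer.OrdinalIgnoreCase))
            throw new ArgumentException("unexpected file extension");

        var info = new FileInfo(full);
        if (!info.Exists)
            throw new ArgumentException("not an existing regular file");
        var bad = FileAttributes.Directory | FileAttributes.Device | FileAttributes.ReparsePoint;
        if ((info.Attributes & bad) != 0 || info.Length > MaxBytes)
            throw new ArgumentException("file type or size not allowed");
        return full;
    }
}
```

The caller should open the returned canonical path, not the original argument, so that the string that was checked is the string that reaches StreamReader.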