From 072ee52d8f3b661ecd487a89bd4117301b5f6b4b Mon Sep 17 00:00:00 2001
From: Matteo Tomasini
Date: Fri, 26 Mar 2010 08:59:27 +0000
Subject: [PATCH] Fixed attachment download problem.
---
 AssemblyVersion.cs | 4 ++--
 Core/FilesStorageProvider.cs | 18 +++++++++++++++---
 2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/AssemblyVersion.cs b/AssemblyVersion.cs
index b32227f..b3b3c41 100644
--- a/AssemblyVersion.cs
+++ b/AssemblyVersion.cs
@@ -16,5 +16,5 @@ using System.Reflection;
 //
 // You can specify all the values or you can default the Revision and Build Numbers
 // by using the '*' as shown below:
-[assembly: AssemblyVersion("3.0.2.516")]
-[assembly: AssemblyFileVersion("3.0.2.516")]
+[assembly: AssemblyVersion("3.0.2.517")]
+[assembly: AssemblyFileVersion("3.0.2.517")]
diff --git a/Core/FilesStorageProvider.cs b/Core/FilesStorageProvider.cs
index fc15a15..79a144c 100644
--- a/Core/FilesStorageProvider.cs
+++ b/Core/FilesStorageProvider.cs
@@ -94,6 +94,18 @@ namespace ScrewTurn.Wiki {
 get { return false; }
 }
 
+ ///
+ /// Checks the path.
+ ///
+ /// The path to be checked.
+ /// The expected beginning of the path.
+ /// If does not begin with or contains "\.." or "..\".
+ private string CheckPath(string path, string begin) {
+ if(!path.StartsWith(begin) || path.Contains(Path.DirectorySeparatorChar + "..") || path.Contains(".." + Path.DirectorySeparatorChar))
+ throw new InvalidOperationException();
+ return path;
+ }
+
 ///
 /// Builds a full path from a provider-specific partial path.
 ///
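Review bot: CheckPath decides containment by comparing raw strings, so the result depends on how the path is spelled rather than on where it resolves. `path.StartsWith(begin)` is culture-sensitive and has no separator boundary, so it also matches a sibling directory whose name merely starts with the same characters, and the `..` substring tests reject harmless names that begin or end with two dots. Resolving both arguments with `Path.GetFullPath` and comparing the canonical forms ordinally (ignoring case, assuming a case-insensitive file system) makes the check independent of spelling; `GetFullPath` throws on malformed input, which callers should treat as a rejection too. The empty `InvalidOperationException` would also be easier to diagnose with a message.

```csharp
private string CheckPath(string path, string begin) {
	// Compare canonical forms so the decision does not depend on how the path is written.
	string root = Path.GetFullPath(begin).TrimEnd(Path.DirectorySeparatorChar);
	string full = Path.GetFullPath(path).TrimEnd(Path.DirectorySeparatorChar);
	// Accept the base directory itself or anything strictly below it.
	bool inside = full.Equals(root, StringComparison.OrdinalIgnoreCase) ||
		full.StartsWith(root + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase);
	if(!inside) throw new InvalidOperationException("Path resolves outside the expected directory");
	return path;
}
```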
@@ -104,8 +116,8 @@ namespace ScrewTurn.Wiki {
 private string BuildFullPath(string partialPath) {
 if(partialPath == null) partialPath = "";
 partialPath = partialPath.Replace("/", Path.DirectorySeparatorChar.ToString()).TrimStart(Path.DirectorySeparatorChar);
- string up = Path.Combine(host.GetSettingValue(SettingName.PublicDirectory), UploadDirectory);
- return Path.Combine(up, partialPath); // partialPath CANNOT start with "\" -> Path.Combine does not work
+ string up = Path.Combine(host.GetSettingValue(SettingName.PublicDirectory), UploadDirectory);
+ return CheckPath(Path.Combine(up, partialPath), up); // partialPath CANNOT start with "\" -> Path.Combine does not work
 }
 
 ///
@@ -119,7 +131,7 @@ namespace ScrewTurn.Wiki {
 if(partialPath == null) partialPath = "";
 partialPath = partialPath.Replace("/", Path.DirectorySeparatorChar.ToString()).TrimStart(Path.DirectorySeparatorChar);
 string up = Path.Combine(host.GetSettingValue(SettingName.PublicDirectory), AttachmentsDirectory);
- return Path.Combine(up, partialPath); // partialPath CANNOT start with "\" -> Path.Combine does not work
+ return CheckPath(Path.Combine(up, partialPath), up); // partialPath CANNOT start with "\" -> Path.Combine does not work
 }
 
 ///
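Review bot: BuildFullPath and the attachments variant in the following hunk can now throw InvalidOperationException through CheckPath, but nothing visible documents this new failure mode; the trailing comment on both `return` lines still only mentions Path.Combine. I would add `/// <exception cref="InvalidOperationException">If the resulting path falls outside the provider directory.</exception>` to both doc comments, which begin outside these hunks. The callers are not visible here, so it is worth confirming that they turn the exception into a denied or not-found response instead of an unhandled error. Logging the rejected partial path at that point would give operators a signal for traversal probing.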