update server

rakasatria · May 15, 2022 · 94a2ac2 · 94a2ac2
1 parent f9ba4ef
commit 94a2ac2
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 5 deletions.
diff --git a/AssemblyInfo.cs b/AssemblyInfo.cs
@@ -10,7 +10,7 @@
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("www.ispyconnect.com")]
 [assembly: AssemblyProduct("iSpy")]
-[assembly: AssemblyCopyright("DeveloperInABox 2020")]
+[assembly: AssemblyCopyright("DeveloperInABox 2022")]
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]		
 
@@ -25,7 +25,7 @@
 // You can specify all the values or you can default the Revision and Build Numbers 
 // by using the '*' as shown below:
 
-[assembly: AssemblyVersion("7.2.2.0")]
+[assembly: AssemblyVersion("7.2.4.0")]
 
 //
 // In order to sign your assembly you must specify a key to use. Refer to the 
@@ -55,4 +55,4 @@
 [assembly: AssemblyDelaySign(false)]
 [assembly: AssemblyKeyFile("")]
 [assembly: AssemblyKeyName("")]
-[assembly: AssemblyFileVersion("7.2.2.0")]
+[assembly: AssemblyFileVersion("7.2.4.0")]
diff --git a/Server/LocalServer.cs b/Server/LocalServer.cs
@@ -1230,8 +1230,8 @@ private void ParseRequest(string sMyWebServerRoot, string sBuffer, out string sR
             ParseMimeType(sRequestedFile, out sFileName, out sMimeType);
 
             sPhysicalFilePath = (sLocalDir + sRequestedFile).Replace("%20", " ").ToLower();
-
-            var bHasAuth = sPhysicalFilePath.EndsWith("crossdomain.xml") || CheckAuth(sPhysicalFilePath);
+            bool bHasAuth = sPhysicalFilePath == sLocalDir.ToLower() + "crossdomain.xml";
+            bHasAuth = bHasAuth || CheckAuth(sPhysicalFilePath);
 
 
             bServe = (sMimeType != "") && (bServe || (bHasAuth && bHasReferer));
@@ -1810,6 +1810,10 @@ private string DoCommand(string sRequest, int otid, string resp, string cmd, int
                     {
                         try
                         {
+                            if (fn.Contains("../"))
+                            {
+                                throw new Exception("Request blocked (directory traversal)");
+                            }
                             string subdir = Helper.GetDirectory(otid, oid);
                             string filename = Helper.GetMediaDirectory(otid, oid);
                             switch (otid)