3.19.0.2

2023-05-20 15:50:32 +10:00 · 2023-05-20 15:50:32 +10:00 · 4333a9903f
commit 4333a9903f
parent edc59529ed
3 changed files with 34 additions and 8 deletions
--- a/resource/plugin.yml
+++ b/resource/plugin.yml
@ -1,4 +1,4 @@
-version: 3.19.0.1
+version: 3.19.0.2
 main: me.rockyhawk.commandpanels.CommandPanels
 name: CommandPanels
 author: RockyHawk
--- a/src/me/rockyhawk/commandpanels/editor/CommandPanelsEditor.java
+++ b/src/me/rockyhawk/commandpanels/editor/CommandPanelsEditor.java
@ -27,6 +27,10 @@ public class CommandPanelsEditor implements CommandExecutor {
    @EventHandler
    public boolean onCommand(CommandSender sender, Command cmd, String label, String[] args) {
        if (sender.hasPermission("commandpanel.edit")) {
+            if (!(sender instanceof Player)) {
+                sender.sendMessage(plugin.tex.colour(plugin.tag + ChatColor.RED + "Cannot execute command in Console!"));
+                return true;
+            }
            //editor website link
            if (args.length == 0) {
                sender.sendMessage(plugin.tex.colour(plugin.tag + ChatColor.GREEN + "Access the web editor at the link below"));
--- a/src/me/rockyhawk/commandpanels/editor/PanelDownloader.java
+++ b/src/me/rockyhawk/commandpanels/editor/PanelDownloader.java
@ -4,11 +4,10 @@ import me.rockyhawk.commandpanels.CommandPanels;
 import org.bukkit.ChatColor;
 import org.bukkit.command.CommandSender;

-import java.io.BufferedInputStream;
-import java.io.File;
-import java.io.FileOutputStream;
-import java.io.IOException;
+import java.io.*;
 import java.net.URL;
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
 import java.util.logging.Level;

 public class PanelDownloader {
@ -24,11 +23,35 @@ public class PanelDownloader {
            fileName = fileName + ".yml";
        }

+        //Check if fileName contains file://
+        try {
+            if(URLDecoder.decode(url, StandardCharsets.UTF_8.toString()).contains("file://")) {
+                sender.sendMessage(plugin.tag + ChatColor.RED + "Invalid URL. Using file:// is not supported.");
+                return;
+            }
+        } catch (UnsupportedEncodingException e) {
+            sender.sendMessage(plugin.tag + ChatColor.RED + "UTF-8 support not found.");
+            return;
+        }
+
+        // Create the file object and get its canonical path
+        File file = new File(plugin.panelsf, fileName);
+        try {
+            String canonicalPath = file.getCanonicalPath();
+            if (!canonicalPath.startsWith(plugin.panelsf.getCanonicalPath())) {
+                sender.sendMessage(plugin.tag + ChatColor.RED + "Invalid file name or URL.");
+                return;
+            }
+        } catch (IOException e) {
+            sender.sendMessage(plugin.tag + ChatColor.RED + "Invalid file name or URL.");
+            return;
+        }
+
        //download panel from page contents and add to plugin
        try {
            URL fileUrl = new URL(url);
            in = new BufferedInputStream(fileUrl.openStream());
-            fout = new FileOutputStream(new File(plugin.panelsf, fileName));
+            fout = new FileOutputStream(file);
            byte[] data = new byte[1024];

            int count;
@ -54,8 +77,7 @@ public class PanelDownloader {
            } catch (IOException var20) {
                this.plugin.getLogger().log(Level.SEVERE, null, var20);
            }
-
        }
-
    }
+
 }