From 4333a9903f94a8d37842eed2be510310f36b6021 Mon Sep 17 00:00:00 2001
From: rockyhawk64
Date: Sat, 20 May 2023 15:50:32 +1000
Subject: [PATCH] 3.19.0.2
---
 resource/plugin.yml | 2 +-
 .../editor/CommandPanelsEditor.java | 4 +++
 .../commandpanels/editor/PanelDownloader.java | 36 +++++++++++++++----
 3 files changed, 34 insertions(+), 8 deletions(-)
diff --git a/resource/plugin.yml b/resource/plugin.yml
index 19dd61b..7f71288 100644
--- a/resource/plugin.yml
+++ b/resource/plugin.yml
@@ -1,4 +1,4 @@
-version: 3.19.0.1
+version: 3.19.0.2
 main: me.rockyhawk.commandpanels.CommandPanels
 name: CommandPanels
 author: RockyHawk
diff --git a/src/me/rockyhawk/commandpanels/editor/CommandPanelsEditor.java b/src/me/rockyhawk/commandpanels/editor/CommandPanelsEditor.java
index cc95de5..8172bf4 100644
--- a/src/me/rockyhawk/commandpanels/editor/CommandPanelsEditor.java
+++ b/src/me/rockyhawk/commandpanels/editor/CommandPanelsEditor.java
@@ -27,6 +27,10 @@ public class CommandPanelsEditor implements CommandExecutor {
 @EventHandler
 public boolean onCommand(CommandSender sender, Command cmd, String label, String[] args) {
 if (sender.hasPermission("commandpanel.edit")) {
+ if (!(sender instanceof Player)) {
+ sender.sendMessage(plugin.tex.colour(plugin.tag + ChatColor.RED + "Cannot execute command in Console!"));
+ return true;
+ }
 //editor website link
 if (args.length == 0) {
 sender.sendMessage(plugin.tex.colour(plugin.tag + ChatColor.GREEN + "Access the web editor at the link below"));
diff --git a/src/me/rockyhawk/commandpanels/editor/PanelDownloader.java b/src/me/rockyhawk/commandpanels/editor/PanelDownloader.java
index a38a212..8ce83e1 100644
--- a/src/me/rockyhawk/commandpanels/editor/PanelDownloader.java
+++ b/src/me/rockyhawk/commandpanels/editor/PanelDownloader.java
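Review bot: The new `instanceof Player` guard in onCommand rejects console senders without recording why, and nothing in this hunk shows what later requires a player; a one-line comment stating the reason (presumably code further down treats `sender` as a `Player`) would keep a future maintainer from relaxing it. Because the guard sits inside `if (sender.hasPermission("commandpanel.edit"))`, a console sender is only told it cannot proceed on that branch; the `else` path for senders without the permission is outside the hunk. The body of onCommand continues past the end of this hunk.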
@@ -4,11 +4,10 @@
 import me.rockyhawk.commandpanels.CommandPanels;
 import org.bukkit.ChatColor;
 import org.bukkit.command.CommandSender;
-import java.io.BufferedInputStream;
-import java.io.File;
-import java.io.FileOutputStream;
-import java.io.IOException;
+import java.io.*;
 import java.net.URL;
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
 import java.util.logging.Level;
 public class PanelDownloader {
@@ -24,11 +23,35 @@ public class PanelDownloader {
 fileName = fileName + ".yml";
 }
+ //Check if fileName contains file://
+ try {
+ if(URLDecoder.decode(url, StandardCharsets.UTF_8.toString()).contains("file://")) {
+ sender.sendMessage(plugin.tag + ChatColor.RED + "Invalid URL. Using file:// is not supported.");
+ return;
+ }
+ } catch (UnsupportedEncodingException e) {
+ sender.sendMessage(plugin.tag + ChatColor.RED + "UTF-8 support not found.");
+ return;
+ }
+ // Create the file object and get its canonical path
+ File file = new File(plugin.panelsf, fileName);
+ try {
+ String canonicalPath = file.getCanonicalPath();
+ if (!canonicalPath.startsWith(plugin.panelsf.getCanonicalPath())) {
+ sender.sendMessage(plugin.tag + ChatColor.RED + "Invalid file name or URL.");
+ return;
+ }
+ } catch (IOException e) {
+ sender.sendMessage(plugin.tag + ChatColor.RED + "Invalid file name or URL.");
+ return;
+ }
 //download panel from page contents and add to plugin
 try {
 URL fileUrl = new URL(url);
 in = new BufferedInputStream(fileUrl.openStream());
- fout = new FileOutputStream(new File(plugin.panelsf, fileName));
+ fout = new FileOutputStream(file);
 byte[] data = new byte[1024];
 int count;
@@ -54,8 +77,7 @@ public class PanelDownloader {
 } catch (IOException var20) {
 this.plugin.getLogger().log(Level.SEVERE, null, var20);
 }
- }
- }
+ }
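Review bot: `import java.io.*;` replaces four explicit imports to pull in a single new name, `UnsupportedEncodingException`; every other import in this hunk is explicit, and the wildcard hides which java.io types the class actually depends on. Keeping the four existing lines and adding `import java.io.UnsupportedEncodingException;` preserves the file's style. If the plugin targets Java 10 or newer, `URLDecoder.decode(String, Charset)` does not throw the checked exception, which would make this import unnecessary altogether.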
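Review bot: The containment check `canonicalPath.startsWith(plugin.panelsf.getCanonicalPath())` is a plain string-prefix test, so a target that resolves into a sibling folder whose name merely begins with the panels folder's name (say `panels-backup` next to `panels`) passes it; compare against `plugin.panelsf.getCanonicalPath() + File.separator` (or use `Path.startsWith`) so only paths inside the folder itself are accepted. The `file://` guard is a substring denylist applied to a form-decoded copy of `url`, while `new URL(url)` later parses the raw string: single-slash or differently-cased `file:` forms and any other non-HTTP scheme are not caught, and the decode adds an `UnsupportedEncodingException` branch that cannot occur for UTF-8. Parsing the URL once and allow-listing `fileUrl.getProtocol()` to `http`/`https` checks what will actually be opened and removes the decode entirely (`java.net.MalformedURLException` then needs importing, and the inner `URL fileUrl = new URL(url);` in the download block is dropped). The enclosing method starts before this hunk and the download loop after `int count;` continues past it.

```java
// … unchanged: fileName / ".yml" handling …

// Parse first, then allow-list the scheme of the URL that will actually be opened
URL fileUrl;
try {
    fileUrl = new URL(url);
} catch (MalformedURLException e) {
    sender.sendMessage(plugin.tag + ChatColor.RED + "Invalid URL.");
    return;
}
String protocol = fileUrl.getProtocol();
if (!protocol.equalsIgnoreCase("http") && !protocol.equalsIgnoreCase("https")) {
    sender.sendMessage(plugin.tag + ChatColor.RED + "Invalid URL. Only http and https are supported.");
    return;
}

// Require the canonical target to sit inside the panels folder itself,
// not merely under a path that shares the folder name as a string prefix
File file = new File(plugin.panelsf, fileName);
try {
    String basePath = plugin.panelsf.getCanonicalPath() + File.separator;
    if (!file.getCanonicalPath().startsWith(basePath)) {
        sender.sendMessage(plugin.tag + ChatColor.RED + "Invalid file name or URL.");
        return;
    }
} catch (IOException e) {
    sender.sendMessage(plugin.tag + ChatColor.RED + "Invalid file name or URL.");
    return;
}

// … unchanged: download loop, using the fileUrl parsed above …
```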