Restrict /dmarker file imports to {dynmap-directory}/import

DynmapCore/src/main/java/org/dynmap/DynmapCore.java

@@ -164,6 +164,7 @@ public class DynmapCore implements DynmapCommonAPI {
     private File dataDirectory;
     private File tilesDirectory;
     private File exportDirectory;
+    private File importDirectory;
     private String plugin_ver;
     private MapStorage defaultStorage;
     
@@ -224,6 +225,9 @@ public class DynmapCore implements DynmapCommonAPI {
     public final File getExportFolder() {
         return exportDirectory;
     }
+    public final File getImportFolder() {
+        return importDirectory;
+    }
     public void setMinecraftVersion(String mcver) {
         this.platformVersion = mcver;
     }
@@ -428,6 +432,11 @@ public class DynmapCore implements DynmapCommonAPI {
         if (!exportDirectory.isDirectory() && !exportDirectory.mkdirs()) {
             Log.warning("Could not create directory for exports ('" + exportDirectory + "').");
         }
+        // Prime the imports directory
+        importDirectory = getFile(configuration.getString("importpath", "import"));
+        if (!importDirectory.isDirectory() && !importDirectory.mkdirs()) {
+            Log.warning("Could not create directory for imports ('" + importDirectory + "').");
+        }
         // Create default storage handler
         String storetype = configuration.getString("storage/type", "filetree");
         if (storetype.equals("filetree")) {

DynmapCore/src/main/java/org/dynmap/markers/impl/MarkerAPIImpl.java

@@ -2176,6 +2176,10 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener<DynmapWorld> {
                 sender.sendMessage("file:\"filename\" required");
                 return true;
             }
+            if (!validateImportFile(file)) {
+                sender.sendMessage("Error: '" + ARG_FILE + "' cannot include directory separators - must be just filename in " + plugin.getImportFolder().getAbsolutePath() + " directory");
+                return true;
+            }
             if(label == null)
                 label = id;
             MarkerIcon ico = MarkerAPIImpl.getMarkerIconImpl(id);
@@ -2184,10 +2188,9 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener<DynmapWorld> {
                 return true;
             }
             /* Open stream to filename */
-            File iconf = new File(file);
             FileInputStream fis = null;
             try {
-                fis = new FileInputStream(iconf);
+                fis = new FileInputStream(new File(plugin.getImportFolder(), file));
                 /* Create new icon */
                 MarkerIcon mi = api.createMarkerIcon(id, label, fis);
                 if(mi == null) {
@@ -3201,6 +3204,12 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener<DynmapWorld> {
         }
         return true;
     }
+    private static boolean validateImportFile(String fname) {
+        if ((fname.indexOf('/') >= 0) || (fname.indexOf('\\') >= 0)) {
+        	return false;
+        }
+        return true;
+    }
     /** Process importdesc for given item */
     private static boolean processImportDesc(DynmapCore plugin, DynmapCommandSender sender, String cmd, String commandLabel, String[] args) {
         if(args.length > 1) {
@@ -3214,13 +3223,17 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener<DynmapWorld> {
             }
             String f = parms.get(ARG_FILE);
             if (f == null) {
-                sender.sendMessage("Error: no '" + ARG_FILE + "' parameter");
+                sender.sendMessage("file:\"filename\" required");
+                return true;
+            }
+            if (!validateImportFile(f)) {
+                sender.sendMessage("Error: '" + ARG_FILE + "' cannot include directory separators - must be just filename in " + plugin.getImportFolder().getAbsolutePath() + " directory");
                 return true;
             }
             FileReader fr = null;
             String val = null;
             try {
-                fr = new FileReader(f);
+                fr = new FileReader(new File(plugin.getImportFolder(), f));
                 StringBuilder sb = new StringBuilder();
                 char[] buf = new char[512];
                 int len;
@@ -3261,13 +3274,17 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener<DynmapWorld> {
             }
             String f = parms.get(ARG_FILE);
             if (f == null) {
-                sender.sendMessage("Error: no '" + ARG_FILE + "' parameter");
+                sender.sendMessage("file:\"filename\" required");
+                return true;
+            }
+            if (!validateImportFile(f)) {
+                sender.sendMessage("Error: '" + ARG_FILE + "' cannot include directory separators - must be just filename in " + plugin.getImportFolder().getAbsolutePath() + " directory");
                 return true;
             }
             FileReader fr = null;
             String val = null;
             try {
-                fr = new FileReader(f);
+                fr = new FileReader(new File(plugin.getImportFolder(), f));
                 StringBuilder sb = new StringBuilder();
                 char[] buf = new char[512];
                 int len;

bukkit-helper/.settings/org.eclipse.jdt.core.prefs

@@ -1,5 +1,5 @@
 #
-#Sat Sep 23 12:37:23 CDT 2023
+#Wed Sep 27 17:17:03 CDT 2023
 org.eclipse.jdt.core.compiler.problem.assertIdentifier=error
 org.eclipse.jdt.core.compiler.problem.nullReference=warning
 eclipse.preferences.version=1

fabric-1.14.4/src/main/resources/configuration.txt

@@ -327,6 +327,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export
 
+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0

fabric-1.15.2/src/main/resources/configuration.txt

@@ -327,6 +327,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export
 
+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0

fabric-1.16.4/src/main/resources/configuration.txt

@@ -335,6 +335,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export
 
+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0

fabric-1.17.1/src/main/resources/configuration.txt

@@ -335,6 +335,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export
 
+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0

fabric-1.18.2/src/main/resources/configuration.txt

@@ -333,6 +333,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export
 
+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0

fabric-1.19.1/src/main/resources/configuration.txt

@@ -333,6 +333,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export
 
+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0

fabric-1.19.3/src/main/resources/configuration.txt

@@ -333,6 +333,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export
 
+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0

fabric-1.19.4/src/main/resources/configuration.txt

@@ -333,6 +333,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export
 
+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0

fabric-1.19/src/main/resources/configuration.txt

@@ -333,6 +333,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export
 
+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0

fabric-1.20.2/src/main/resources/configuration.txt

@@ -333,6 +333,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export
 
+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0

fabric-1.20/src/main/resources/configuration.txt

@@ -333,6 +333,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export
 
+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0

forge-1.14.4/src/main/resources/configuration.txt

@@ -335,6 +335,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export
 
+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0

forge-1.15.2/src/main/resources/configuration.txt

@@ -335,6 +335,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export
 
+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0

forge-1.16.5/src/main/resources/configuration.txt

@@ -335,6 +335,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export
 
+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0

forge-1.17.1/src/main/resources/configuration.txt

@@ -335,6 +335,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export
 
+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0

forge-1.18.2/src/main/resources/configuration.txt

@@ -335,6 +335,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export
 
+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0

forge-1.19.2/src/main/resources/configuration.txt

@@ -335,6 +335,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export
 
+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0

forge-1.19.3/src/main/resources/configuration.txt

@@ -335,6 +335,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export
 
+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0

forge-1.19/src/main/resources/configuration.txt

@@ -335,6 +335,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export
 
+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0

forge-1.20.2/src/main/resources/configuration.txt

@@ -335,6 +335,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export
 
+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0

forge-1.20/src/main/resources/configuration.txt

@@ -335,6 +335,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export
 
+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0

spigot/src/main/resources/configuration.txt

@@ -342,6 +342,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export
 
+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0