Restrict /dmarker file imports to {dynmap-directory}/import

2024-11-23 18:55:14 +01:00 · 2023-09-27 21:35:40 -05:00 · 2023-09-27 21:35:40 -05:00 · c807861859
commit c807861859
parent 65cca049ac
25 changed files with 99 additions and 7 deletions
--- a/DynmapCore/src/main/java/org/dynmap/DynmapCore.java
+++ b/DynmapCore/src/main/java/org/dynmap/DynmapCore.java
@ -164,6 +164,7 @@ public class DynmapCore implements DynmapCommonAPI {
    private File dataDirectory;
    private File tilesDirectory;
    private File exportDirectory;
+    private File importDirectory;
    private String plugin_ver;
    private MapStorage defaultStorage;
    
@ -224,6 +225,9 @@ public class DynmapCore implements DynmapCommonAPI {
    public final File getExportFolder() {
        return exportDirectory;
    }
+    public final File getImportFolder() {
+        return importDirectory;
+    }
    public void setMinecraftVersion(String mcver) {
        this.platformVersion = mcver;
    }
@ -428,6 +432,11 @@ public class DynmapCore implements DynmapCommonAPI {
        if (!exportDirectory.isDirectory() && !exportDirectory.mkdirs()) {
            Log.warning("Could not create directory for exports ('" + exportDirectory + "').");
        }
+        // Prime the imports directory
+        importDirectory = getFile(configuration.getString("importpath", "import"));
+        if (!importDirectory.isDirectory() && !importDirectory.mkdirs()) {
+            Log.warning("Could not create directory for imports ('" + importDirectory + "').");
+        }
        // Create default storage handler
        String storetype = configuration.getString("storage/type", "filetree");
        if (storetype.equals("filetree")) {
--- a/DynmapCore/src/main/java/org/dynmap/markers/impl/MarkerAPIImpl.java
+++ b/DynmapCore/src/main/java/org/dynmap/markers/impl/MarkerAPIImpl.java
@ -2176,6 +2176,10 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener<DynmapWorld> {
                sender.sendMessage("file:\"filename\" required");
                return true;
            }
+            if (!validateImportFile(file)) {
+                sender.sendMessage("Error: '" + ARG_FILE + "' cannot include directory separators - must be just filename in " + plugin.getImportFolder().getAbsolutePath() + " directory");
+                return true;
+            }
            if(label == null)
                label = id;
            MarkerIcon ico = MarkerAPIImpl.getMarkerIconImpl(id);
@ -2184,10 +2188,9 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener<DynmapWorld> {
                return true;
            }
            /* Open stream to filename */
-            File iconf = new File(file);
            FileInputStream fis = null;
            try {
-                fis = new FileInputStream(iconf);
+                fis = new FileInputStream(new File(plugin.getImportFolder(), file));
                /* Create new icon */
                MarkerIcon mi = api.createMarkerIcon(id, label, fis);
                if(mi == null) {
@ -3201,6 +3204,12 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener<DynmapWorld> {
        }
        return true;
    }
+    private static boolean validateImportFile(String fname) {
+        if ((fname.indexOf('/') >= 0) || (fname.indexOf('\\') >= 0)) {
+        	return false;
+        }
+        return true;
+    }
    /** Process importdesc for given item */
    private static boolean processImportDesc(DynmapCore plugin, DynmapCommandSender sender, String cmd, String commandLabel, String[] args) {
        if(args.length > 1) {
@ -3214,13 +3223,17 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener<DynmapWorld> {
            }
            String f = parms.get(ARG_FILE);
            if (f == null) {
-                sender.sendMessage("Error: no '" + ARG_FILE + "' parameter");
+                sender.sendMessage("file:\"filename\" required");
+                return true;
+            }
+            if (!validateImportFile(f)) {
+                sender.sendMessage("Error: '" + ARG_FILE + "' cannot include directory separators - must be just filename in " + plugin.getImportFolder().getAbsolutePath() + " directory");
                return true;
            }
            FileReader fr = null;
            String val = null;
            try {
-                fr = new FileReader(f);
+                fr = new FileReader(new File(plugin.getImportFolder(), f));
                StringBuilder sb = new StringBuilder();
                char[] buf = new char[512];
                int len;
@ -3261,13 +3274,17 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener<DynmapWorld> {
            }
            String f = parms.get(ARG_FILE);
            if (f == null) {
-                sender.sendMessage("Error: no '" + ARG_FILE + "' parameter");
+                sender.sendMessage("file:\"filename\" required");
+                return true;
+            }
+            if (!validateImportFile(f)) {
+                sender.sendMessage("Error: '" + ARG_FILE + "' cannot include directory separators - must be just filename in " + plugin.getImportFolder().getAbsolutePath() + " directory");
                return true;
            }
            FileReader fr = null;
            String val = null;
            try {
-                fr = new FileReader(f);
+                fr = new FileReader(new File(plugin.getImportFolder(), f));
                StringBuilder sb = new StringBuilder();
                char[] buf = new char[512];
                int len;
--- a/bukkit-helper/.settings/org.eclipse.jdt.core.prefs
+++ b/bukkit-helper/.settings/org.eclipse.jdt.core.prefs
@ -1,5 +1,5 @@
 #
-#Sat Sep 23 12:37:23 CDT 2023
+#Wed Sep 27 17:17:03 CDT 2023
 org.eclipse.jdt.core.compiler.problem.assertIdentifier=error
 org.eclipse.jdt.core.compiler.problem.nullReference=warning
 eclipse.preferences.version=1
--- a/fabric-1.14.4/src/main/resources/configuration.txt
+++ b/fabric-1.14.4/src/main/resources/configuration.txt
@ -327,6 +327,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export

+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0
--- a/fabric-1.15.2/src/main/resources/configuration.txt
+++ b/fabric-1.15.2/src/main/resources/configuration.txt
@ -327,6 +327,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export

+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0
--- a/fabric-1.16.4/src/main/resources/configuration.txt
+++ b/fabric-1.16.4/src/main/resources/configuration.txt
@ -335,6 +335,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export

+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0
--- a/fabric-1.17.1/src/main/resources/configuration.txt
+++ b/fabric-1.17.1/src/main/resources/configuration.txt
@ -335,6 +335,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export

+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0
--- a/fabric-1.18.2/src/main/resources/configuration.txt
+++ b/fabric-1.18.2/src/main/resources/configuration.txt
@ -333,6 +333,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export

+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0
--- a/fabric-1.19.1/src/main/resources/configuration.txt
+++ b/fabric-1.19.1/src/main/resources/configuration.txt
@ -333,6 +333,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export

+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0
--- a/fabric-1.19.3/src/main/resources/configuration.txt
+++ b/fabric-1.19.3/src/main/resources/configuration.txt
@ -333,6 +333,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export

+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0
--- a/fabric-1.19.4/src/main/resources/configuration.txt
+++ b/fabric-1.19.4/src/main/resources/configuration.txt
@ -333,6 +333,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export

+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0
--- a/fabric-1.19/src/main/resources/configuration.txt
+++ b/fabric-1.19/src/main/resources/configuration.txt
@ -333,6 +333,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export

+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0
--- a/fabric-1.20.2/src/main/resources/configuration.txt
+++ b/fabric-1.20.2/src/main/resources/configuration.txt
@ -333,6 +333,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export

+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0
--- a/fabric-1.20/src/main/resources/configuration.txt
+++ b/fabric-1.20/src/main/resources/configuration.txt
@ -333,6 +333,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export

+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0
--- a/forge-1.14.4/src/main/resources/configuration.txt
+++ b/forge-1.14.4/src/main/resources/configuration.txt
@ -335,6 +335,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export

+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0
--- a/forge-1.15.2/src/main/resources/configuration.txt
+++ b/forge-1.15.2/src/main/resources/configuration.txt
@ -335,6 +335,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export

+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0
--- a/forge-1.16.5/src/main/resources/configuration.txt
+++ b/forge-1.16.5/src/main/resources/configuration.txt
@ -335,6 +335,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export

+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0
--- a/forge-1.17.1/src/main/resources/configuration.txt
+++ b/forge-1.17.1/src/main/resources/configuration.txt
@ -335,6 +335,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export

+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0
--- a/forge-1.18.2/src/main/resources/configuration.txt
+++ b/forge-1.18.2/src/main/resources/configuration.txt
@ -335,6 +335,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export

+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0
--- a/forge-1.19.2/src/main/resources/configuration.txt
+++ b/forge-1.19.2/src/main/resources/configuration.txt
@ -335,6 +335,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export

+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0
--- a/forge-1.19.3/src/main/resources/configuration.txt
+++ b/forge-1.19.3/src/main/resources/configuration.txt
@ -335,6 +335,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export

+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0
--- a/forge-1.19/src/main/resources/configuration.txt
+++ b/forge-1.19/src/main/resources/configuration.txt
@ -335,6 +335,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export

+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0
--- a/forge-1.20.2/src/main/resources/configuration.txt
+++ b/forge-1.20.2/src/main/resources/configuration.txt
@ -335,6 +335,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export

+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0
--- a/forge-1.20/src/main/resources/configuration.txt
+++ b/forge-1.20/src/main/resources/configuration.txt
@ -335,6 +335,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export

+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0
--- a/spigot/src/main/resources/configuration.txt
+++ b/spigot/src/main/resources/configuration.txt
@ -342,6 +342,9 @@ update-webpath-files: true
 # The path were the /dynmapexp command exports OBJ ZIP files
 exportpath: export

+# The path where files can be imported for /dmarker commands
+importpath: import
+
 # The network-interface the webserver will bind to (0.0.0.0 for all interfaces, 127.0.0.1 for only local access).
 # If not set, uses same setting as server in server.properties (or 0.0.0.0 if not specified)
 #webserver-bindaddress: 0.0.0.0