FileSystemHandler: Return 403 Forbidden if path contains an escaped slash or backslash character

Timwi · Timwi · commit ed39a8438010 · 2026-04-12T18:04:26.000+02:00
diff --git a/Src/FileSystemHandler.cs b/Src/FileSystemHandler.cs
@@ -152,7 +152,7 @@ void processConfig()
             string piece = null;
             try { piece = urlPieces[i].UrlUnescape(); }
             catch (ArgumentException) { throw new HttpException(HttpStatusCode._400_BadRequest, userMessage: "The URL escaping format is not valid."); }
-            if (piece == "..")
+            if (piece == ".." || piece.Contains('/') || piece.Contains('\\'))
                 throw new HttpException(HttpStatusCode._403_Forbidden);
 
             foreach (var suitablePiece in getCandidates(piece))
diff --git a/Src/RT.Servers.csproj b/Src/RT.Servers.csproj
@@ -24,13 +24,13 @@
   </ItemGroup>
 
   <ItemGroup Condition="'$(Configuration)' != 'Debug-locallibs'">
-    <PackageReference Include="RT.Json" version="2.0.1826" />
-    <PackageReference Include="RT.PostBuild" version="2.0.1826" />
-    <PackageReference Include="RT.Serialization" version="2.0.1826" />
-    <PackageReference Include="RT.Serialization.Json" version="2.0.1826" />
-    <PackageReference Include="RT.Serialization.Xml" version="2.0.1826" />
+    <PackageReference Include="RT.Json" version="2.0.1827" />
+    <PackageReference Include="RT.PostBuild" version="2.0.1827" />
+    <PackageReference Include="RT.Serialization" version="2.0.1827" />
+    <PackageReference Include="RT.Serialization.Json" version="2.0.1827" />
+    <PackageReference Include="RT.Serialization.Xml" version="2.0.1827" />
     <PackageReference Include="RT.TagSoup" version="1.1.52" />
-    <PackageReference Include="RT.Util.Core" version="2.0.1826" />
+    <PackageReference Include="RT.Util.Core" version="2.0.1827" />
   </ItemGroup>
 
   <ItemGroup>
