diff --git a/src/Serenity.Net.Core/ComponentModel/Upload/IUploadFileConstraints.cs b/src/Serenity.Net.Core/ComponentModel/Upload/IUploadFileConstraints.cs index 9c32dcf2ad..ddf147fbb5 100644 --- a/src/Serenity.Net.Core/ComponentModel/Upload/IUploadFileConstraints.cs +++ b/src/Serenity.Net.Core/ComponentModel/Upload/IUploadFileConstraints.cs @@ -1,4 +1,4 @@ -namespace Serenity.ComponentModel; +namespace Serenity.ComponentModel; /// /// Constraints of the uploaded file size. @@ -21,7 +21,7 @@ public interface IUploadFileConstraints : IUploadOptions /// /// Contains extensions that are considered dangerous / disallowed. - /// Default is ".asax;.compiled;.ascx;.asmx;.aspx;.bat;.cmd;.com;.config;.dll;.jar;.jsp;.htaccess;.htpasswd;.lnk;.php;.ps1;.vbe;.vbs" + /// Default is ".;.asax;.compiled;.ascx;.asmx;.aspx;.bat;.cmd;.com;.config;.cshtml;.dll;.jar;.jsp;.htaccess;.htpasswd;.html;.htm;.lnk;.php;.ps1;.vbe;.vbs" /// public string? ExtensionBlacklist { get; } diff --git a/src/Serenity.Net.Core/ComponentModel/Upload/UploadOptions.cs b/src/Serenity.Net.Core/ComponentModel/Upload/UploadOptions.cs index 75835244cd..63fd666395 100644 --- a/src/Serenity.Net.Core/ComponentModel/Upload/UploadOptions.cs +++ b/src/Serenity.Net.Core/ComponentModel/Upload/UploadOptions.cs @@ -1,4 +1,4 @@ -using Serenity.Web; +using Serenity.Web; namespace Serenity.ComponentModel; @@ -99,8 +99,8 @@ public class UploadOptions : IUploadFileConstraints, IUploadFileOptions, IUpload /// /// Default list of blacklisted extensions; /// - public const string DefaultExtensionBlacklist = ".asax;.compiled;.ascx;.asmx;.aspx;.bat;.cmd;.com;.config;" + - ".dll;.jar;.jsp;.htaccess;.htpasswd;.lnk;.php;.ps1;.vbe;.vbs"; + public const string DefaultExtensionBlacklist = ".;.asax;.compiled;.ascx;.asmx;.aspx;.bat;.cmd;.com;.config;.cshtml;" + + ".dll;.jar;.jsp;.htm;.html;.htaccess;.htpasswd;.lnk;.php;.ps1;.vbe;.vbs"; /// public string? ExtensionBlacklist { get; set; } 
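Review bot: The new leading `.` entry in the documented default of `ExtensionBlacklist` (hunk `@@ -21,7 +21,7 @@` of IUploadFileConstraints.cs) is not explained, so someone writing their own list cannot tell that this entry is what rejects files with no extension. I would add a line to the summary such as `/// A lone "." entry rejects files that have no extension.` The documented order (`.htaccess;.htpasswd;.html;.htm`) also differs from the constant in UploadOptions.cs (`.htm;.html;.htaccess;.htpasswd`); this is harmless, but copying the constant verbatim keeps the two from drifting.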
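Review bot: `DefaultExtensionBlacklist` (hunk `@@ -99,8 +99,8 @@` of UploadOptions.cs) is a `public const string`, so the compiler copies its value into every assembly that references it; a precompiled dependent that reads the constant keeps the old list, without `.`, `.cshtml`, `.htm` and `.html`, until it is rebuilt against this version. Changing it to `static readonly` would break any attribute arguments that use it, so the practical step is to state in the release notes that dependents must be recompiled. An application that sets its own `ExtensionBlacklist` replaces this default rather than extending it (the validator uses `constraints.ExtensionBlacklist ?? UploadOptions.DefaultExtensionBlacklist`), so it will not pick up the new entries either. As a denylist the default remains incomplete, since other browser-rendered types such as `.svg`, `.xhtml` and `.shtml` are still accepted; an allow-list of expected extensions, if the constraints offer one (not visible in this hunk), is the stronger control for upload fields.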
diff --git a/src/Serenity.Net.Services/Upload/DefaultUploadValidator.cs b/src/Serenity.Net.Services/Upload/DefaultUploadValidator.cs index 04beb06c5d..463fef7092 100644 --- a/src/Serenity.Net.Services/Upload/DefaultUploadValidator.cs +++ b/src/Serenity.Net.Services/Upload/DefaultUploadValidator.cs @@ -1,4 +1,4 @@ -using System.IO; +using System.IO; namespace Serenity.Web; @@ -39,11 +39,12 @@ public void ValidateFile(IUploadFileConstraints constraints, throw new ArgumentNullException(nameof(filename)); isImageExtension = false; - var fileExtension = Path.GetExtension(filename); - + var fileExtension = Path.GetExtension(filename); + if ((constraints.ExtensionBlacklist ?? UploadOptions.DefaultExtensionBlacklist) .Split(new char[] { ',', ';' }, StringSplitOptions.RemoveEmptyEntries) - .Any(x => string.Equals(x.Trim(), fileExtension, StringComparison.OrdinalIgnoreCase))) + .Any(x => string.Equals(x.Trim(), fileExtension, StringComparison.OrdinalIgnoreCase) || + (x.Trim() == "." && string.IsNullOrEmpty(fileExtension)))) throw new ValidationError(string.Format(CultureInfo.CurrentCulture, UploadTexts.Controls.ImageUpload.ExtensionBlacklisted.ToString(localizer), fileExtension));
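Review bot: The blacklist comparison in the `.Any(...)` predicate still runs against the raw result of `Path.GetExtension(filename)`, so an extension carrying trailing spaces (or a name ending in `. `) matches no entry even though some filesystems drop those characters when the file is written; whether the stored name is derived from `filename` is not visible here, so treat this as something to confirm. Normalizing once, e.g. `var fileExtension = Path.GetExtension(filename)?.TrimEnd(' ', '.');`, lets both the entry match and the new empty-extension branch see the canonical value. When the `.` entry is what rejects the file, `ExtensionBlacklisted` is formatted with an empty `fileExtension`, so the user sees a message with no extension in it; a dedicated text or a placeholder would read better. `x.Trim()` is also evaluated twice per entry and could be projected once with `.Select(x => x.Trim())` before `.Any`. `ValidateFile` starts and ends outside this hunk.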