Merge pull request #1416 from ONLYOFFICE/fix/66463

Fix bug #66463

DesktopEditor/common/Path.cpp

@@ -31,6 +31,7 @@
  */
 #include "Path.h"
 #include "File.h"
+#include <stack>
 
 #if defined(_WIN32) || defined (_WIN64)
 #include <tchar.h>
@@ -191,4 +192,61 @@ namespace NSSystemPath
 	{
 		return NormalizePathTemplate<wchar_t>(strFileName, canHead);
 	}
+
+	std::wstring ShortenPath(const std::wstring &strPath, const bool& bRemoveExternalPath)
+	{
+		std::stack<std::wstring> arStack;
+		std::wstring wsToken;
+
+		for (size_t i = 0; i < strPath.size(); ++i) 
+		{
+			if (L'/' == strPath[i] || L'\\' == strPath[i])
+			{
+				if (L".." == wsToken)
+				{
+					if (!arStack.empty() && L".." != arStack.top())
+						arStack.pop();
+					else
+						arStack.push(wsToken);
+				}
+				else if (L"." != wsToken && !wsToken.empty())
+					arStack.push(wsToken);
+
+				wsToken.clear();
+			}
+			else
+				wsToken += strPath[i];
+		}
+
+		if (L".." == wsToken)
+		{
+			if (!arStack.empty() && L".." == arStack.top())
+				arStack.pop();
+			else
+				arStack.push(wsToken);
+		}
+		else if (L"." != wsToken && !wsToken.empty())
+			arStack.push(wsToken);
+
+		wsToken.clear();
+
+		if (arStack.empty())
+			return std::wstring();
+
+		std::wstring wsNewPath;
+
+		while (!arStack.empty()) 
+		{
+			if (bRemoveExternalPath && L".." == arStack.top())
+				break;
+
+			wsNewPath = arStack.top() + L'/' + wsNewPath;
+			arStack.pop();
+		}
+
+		wsNewPath.pop_back();
+
+		return wsNewPath;
+	}
+
 }

DesktopEditor/common/Path.h

@@ -43,6 +43,7 @@ namespace NSSystemPath
 	KERNEL_DECL std::wstring Combine(const std::wstring& strLeft, const std::wstring& strRight);
 	KERNEL_DECL std::string NormalizePath(const std::string& strFileName, const bool& canHead = false);
 	KERNEL_DECL std::wstring NormalizePath(const std::wstring& strFileName, const bool& canHead = false);
+	KERNEL_DECL std::wstring ShortenPath(const std::wstring& strPath, const bool& bRemoveExternalPath = false);
 }
 
 #endif //_BUILD_PATH_CROSSPLATFORM_H_

DesktopEditor/raster/Metafile/svg/SvgObjects/CImage.cpp

@@ -3,56 +3,11 @@
 #include "../CSvgFile.h"
 #include "../../graphics/Image.h"
 #include "../../../BgraFrame.h"
-
-#include <stack>
+#include "../../common/Path.h"
+#include "../../Common/ProcessEnv.h"
 
 namespace SVG
 {
-	std::wstring ShortenPath(const std::wstring& wsPath)
-	{
-		std::stack<std::wstring> arStack;
-		std::wstring wsToken;
-		std::wstring wsNewPath;
-
-		std::function<void()> checkToken = [&]()
-		{
-			if (L".." == wsToken)
-			{
-				if (!arStack.empty() && L".." != arStack.top())
-					arStack.pop();
-				else
-					arStack.push(wsToken);
-			}
-			else if (L"." != wsToken && !wsToken.empty())
-				arStack.push(wsToken);
-
-			wsToken.clear();
-		};
-
-		for (size_t i = 0; i < wsPath.size(); ++i) 
-		{
-			if (L'/' == wsPath[i] || L'\\' == wsPath[i])
-				checkToken();
-			else
-				wsToken += wsPath[i];
-		}
-
-		checkToken();
-
-		if (arStack.empty())
-			return std::wstring();
-
-		while (!arStack.empty()) 
-		{
-			wsNewPath = arStack.top() + L'/' + wsNewPath;
-			arStack.pop();
-		}
-
-		wsNewPath.pop_back();
-
-		return wsNewPath;
-	}
-
 	CImage::CImage(XmlUtils::CXmlNode& oNode, CRenderedObject* pParent)
 		: CRenderedObject(oNode, pParent)
 	{
@@ -106,15 +61,19 @@ namespace SVG
 		}
 
 		#ifndef METAFILE_DISABLE_FILESYSTEM
-		std::wstring wsFilePath = ShortenPath(m_wsHref);
+		std::wstring wsFilePath = NSSystemPath::ShortenPath(m_wsHref);
 
-		if (!wsFilePath.empty() && L'.' != wsFilePath[0])
-		{
-			wsFilePath = pFile->GetWorkingDirectory() + L'/' + wsFilePath;
+		bool bIsAllowExternalLocalFiles = true;
+		if (NSProcessEnv::IsPresent(NSProcessEnv::Converter::gc_allowPrivateIP))
+			bIsAllowExternalLocalFiles = NSProcessEnv::GetBoolValue(NSProcessEnv::Converter::gc_allowPrivateIP);
 
-			if (!NSFile::CFileBinary::Exists(wsFilePath) || !NSFile::CFileBinary::ReadAllBytes(wsFilePath, &pBuffer, ulSize))
-				return false;
-		}
+		if (!bIsAllowExternalLocalFiles && wsFilePath.length() >= 3 && L"../" == wsFilePath.substr(0, 3))
+			return true;
+
+		wsFilePath = pFile->GetWorkingDirectory() + L'/' + wsFilePath;
+
+		if (!NSFile::CFileBinary::Exists(wsFilePath) || !NSFile::CFileBinary::ReadAllBytes(wsFilePath, &pBuffer, ulSize))
+			return false;
 		#endif
 
 		if (NULL == pBuffer)

HtmlFile2/htmlfile2.cpp

@@ -102,6 +102,25 @@ std::wstring EncodeXmlString(const std::wstring& s)
 	return sRes;
 }
 
+bool GetStatusUsingExternalLocalFiles()
+{
+	if (NSProcessEnv::IsPresent(NSProcessEnv::Converter::gc_allowPrivateIP))
+		return NSProcessEnv::GetBoolValue(NSProcessEnv::Converter::gc_allowPrivateIP);
+
+	return true;
+}
+
+bool CanUseThisPath(const std::wstring& wsPath, bool bIsAllowExternalLocalFiles)
+{
+	if (bIsAllowExternalLocalFiles)
+		return true;
+
+	if (wsPath.length() >= 3 && L"../" == wsPath.substr(0, 3))
+		return false;
+
+	return true;
+}
+
 class CHtmlFile2_Private
 {
 public:
@@ -1849,9 +1868,12 @@ class CHtmlFile2_Private
 			return;
 		}
 
-		bool bIsAllowExternalLocalFiles = true;
-		if (NSProcessEnv::IsPresent(NSProcessEnv::Converter::gc_allowPrivateIP))
-			bIsAllowExternalLocalFiles = NSProcessEnv::GetBoolValue(NSProcessEnv::Converter::gc_allowPrivateIP);
+		const bool bIsAllowExternalLocalFiles = GetStatusUsingExternalLocalFiles();
+
+		sSrcM = NSSystemPath::ShortenPath(sSrcM);
+
+		if (!CanUseThisPath(sSrcM, bIsAllowExternalLocalFiles))
+			return;
 
 		int nImageId = -1;
 		std::wstring sImageSrc, sExtention;
@@ -2144,7 +2166,12 @@ class CHtmlFile2_Private
 			size_t nHRefLen = sSVG.find(L"\"", nHRef);
 			if(nHRefLen == std::wstring::npos)
 				break;
-			std::wstring sImageName = sSVG.substr(nHRef, nHRefLen - nHRef);
+
+			const std::wstring sImageName = NSSystemPath::ShortenPath(sSVG.substr(nHRef, nHRefLen - nHRef));
+
+			if (!CanUseThisPath(sImageName, GetStatusUsingExternalLocalFiles()))
+				break;
+
 			std::wstring sTIN(sImageName);
 			sTIN.erase(std::remove_if(sTIN.begin(), sTIN.end(), [] (wchar_t ch) { return std::iswspace(ch) || (ch == L'^'); }), sTIN.end());
 			sTIN = NSFile::GetFileName(sTIN);