Orchard – Piedone Avatar Double Extension Threat


So, I was still developing a site that uses Orchard CMS, and I finally got into security testing. Well, that's a lot of effort. 😀

But what I got is that there is a double extension threat in my application. At first, I managed to fix it through the Media module in Orchard, and I thought it was already safe and clear. I patiently waited for the result, and what I got was the opposite: the threat still showed up. That brought me to one conclusion: the problem is in Piedone Avatar (the module I currently use for avatars on my site).

As usual, I debugged the application first, putting breakpoints here and there, searching for the right location and following the steps. I found the way and made some modifications. The modifications are in the IAvatarsService interface, the AvatarsServiceExtension class, and AvatarsService (since I changed the interface).

Here is the added code:

IAvatarsService

...

/// <summary>
/// Saves an avatar file
/// </summary>
/// <param name="id">Id of the content item (user) to attach the file to</param>
/// <param name="stream">The content of the file</param>
/// <param name="extension">The extension of the file</param>
/// <param name="filename">The name of the file (for double extension checking)</param>
/// <returns>True or false indicating success or failure</returns>
bool SaveAvatarFile(int id, Stream stream, string extension, string filename);

...

AvatarsServiceExtension

...

/// <summary>
/// Saves an avatar file
/// </summary>
/// <param name="id">Id of the content item (user) to attach the file to</param>
/// <param name="postedFile">A posted image file</param>
/// <returns>True or false indicating success or failure</returns>
public static bool SaveAvatarFile(this IAvatarsService service, int id, HttpPostedFileBase postedFile)
{
    // The original file name is passed through as well so the service can check for a double extension first.
    return service.SaveAvatarFile(id, postedFile.InputStream, Path.GetExtension(postedFile.FileName), postedFile.FileName);
}

...

AvatarsService

...

// Requires: using System; using System.Collections.Generic; using System.Linq;

public bool SaveAvatarFile(int id, Stream stream, string extension, string filename)
{
    ...

    if (containsHarmfulDoubleExtension(filename) || !IsFileAllowed(filePath))
    {
        ValidationDictionary.AddError(AvatarsServiceValidationKey.NotAllowedFileType, T("This file type is not allowed as an avatar."));

        return false;
    }

    ...
}

/// <summary>
/// Checks whether the file name has a double extension that is harmful.
/// A double extension that is not harmful (e.g. "photo.small.jpg") is left as it is.
/// </summary>
/// <param name="filename">Name of the file</param>
/// <returns>true if one of the extra extensions is in the harmful list</returns>
public bool containsHarmfulDoubleExtension(string filename)
{
    // Deny-list of extensions that must not appear anywhere after the base name.
    HashSet<string> harmfulExtensions = new HashSet<string>(
        "exe php cs ascx cshtml html obj class java bat deb vb vbe reg php3 php4 php5".Split(' '),
        StringComparer.OrdinalIgnoreCase);

    bool hasil = false; // "hasil" = result
    List<string> splittedFileName = filename.Split('.').ToList();
    if (splittedFileName.Count <= 2)
        return false; // no dot, or exactly one extension: nothing more to check here
    else
    {
        // more dots are found.
        splittedFileName.RemoveAt(0); // remove the first element (considered as the name)
        foreach (string singleBlast in splittedFileName)
        {
            // Exact, case-insensitive match against the list. The earlier substring
            // Contains() check on the joined string also matched partial names such as
            // "c" against "cs" or "php" against "php3", giving wrong results.
            hasil = harmfulExtensions.Contains(singleBlast.Trim());
            if (hasil)
                break;
        }
    }

    return hasil;
}

...

If there is any suggestion you may add or repair on my code, well, please be kind 🙂
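As an added example (my own code, not from the original post or the Piedone Avatar module), here is the same check turned around into an allow-list: instead of denying known-bad extensions, every dot-separated segment after the base name must be one of a few image extensions, compared exactly rather than by substring. The class, method and the allowed-extension set are my own assumptions.

```csharp
using System;
using System.IO;
using System.Linq;

public static class AvatarFilenameCheck
{
    // Allow-list: the only extensions an avatar may carry. Anything else is rejected, so a
    // newly introduced server-side handler extension never has to be added to a deny-list.
    private static readonly string[] AllowedExtensions = { "jpg", "jpeg", "png", "gif" };

    /// <summary>
    /// Returns true only if every segment after the base name is an allowed image extension,
    /// so "avatar.php.jpg", "avatar.jpg." and "avatar.jpg%00.php" are all rejected.
    /// </summary>
    public static bool IsAllowedAvatarFilename(string filename)
    {
        if (string.IsNullOrWhiteSpace(filename))
            return false;

        // Strip any client-supplied directory part; only the leaf name matters.
        string name = Path.GetFileName(filename.Replace('\\', '/'));

        // Control characters (including NUL) and trailing dots or spaces can make different
        // components see different extensions; reject such names outright.
        if (name.Any(char.IsControl) || name != name.TrimEnd('.', ' '))
            return false;

        string[] parts = name.Split('.');
        if (parts.Length < 2 || parts[0].Length == 0)
            return false; // no extension at all, or a name that starts with a dot

        // Every segment after the base name must be an allowed extension, compared exactly
        // and case-insensitively (no substring matching, so "jp" or "jpgx" do not pass).
        return parts.Skip(1).All(ext =>
            AllowedExtensions.Contains(ext, StringComparer.OrdinalIgnoreCase));
    }
}
```

This name check complements, rather than replaces, the Media module's allowed-file-type setting; the file content still has to be validated as an image by whatever stores it.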


.NET – Linq, foreach, and eyesore


Hello all!

I was building an ASP.NET site, and I got to a feature where I could use either LINQ or foreach. What about the eyesore? You'll get it later.

Well, the feature I wanted to make was filtering a list based on criteria. Let's just say I had a big list of products. The filter options would be "include item", "exclude item", and "I don't care whether it exists". The filter was based on the product's category.

First, I created a function that would receive all of the products. From that list, I created a smaller list that only contained the included items. I used LINQ to include them all! Simple, and it cost me a small amount of LOC. Then, from all the included products, I removed those that were not supposed to be included.

Well, once or twice it worked fine; all sorted well. Then I hit a problem when I tested my small function: I tried to exclude everything. What I got when using LINQ was an error. Errors, errors everywhere! Exceptions, exceptions everywhere! Of course I didn't catch them. Why should I? I was testing; I wanted to know the location of possible exceptions first.

Well, that error confused me. Why? Even though I wrote the LINQ in multiple lines, it was treated as one error. Plus, I had to read a long LINQ statement, and yes, it was so damn long: about three lines at full screen width. It gave me sore eyes! Hell! I read through the error message, then the LINQ, and repeated, and poof! I surrendered.

Then I decided to turn the LINQ that excluded the products into a foreach. Phew! I felt so glad when I could track the bug easily. What I found was that the list got emptied while it was still being searched, or some indexes were skipped just like that because I removed the element. Whoa! I realized that I was making a huge mistake there.

So, in the end, I created a temporary list that contained the same elements as the included-items list. But I did not just assign it and call it done. First I instantiated an empty temporary list, then I added all the included items into it. Later on, I used foreach to search the included items, but I deleted the item from the temporary list.

It sounds so complex; why do I have to use foreach and a temporary list for such a simple job? Why not includedList.RemoveAll(criteria)?

Because I need a good way to track things down. I also consider it a good way to extend it in the future, so the method may be used by other classes. Simple and easy to manage and debug, but costing more LOC: that's foreach. Well, you may say it uses even more memory and more time. But with LINQ, it is hard to track things down.

I still recommend you to use LINQ anyway; it is a great way to get things done, but when you get stuck, use my suggestion and way 🙂

I'll post the code at about 12.00 (GMT+7) so you can see the difference. Happy coding!

LINQ:

productList.RemoveAll(o => o.Fields["Category"].Value.Contains(criteria));
// it's just a short code, yes, but that criteria went so long and contains private data, I can't post it here.

using foreach:

productList = RemoveFromList(filter, productList);

private List<Item> RemoveFromList(string filter, List<Item> list)
{
    List<Item> temp = new List<Item>();
    temp.AddRange(list); // the temporary list that gets modified
    foreach (Item single in list) // I loop on the main list, which stays untouched
    {
        foreach (Item child in single.Children)
        {
            if (!child.Name.StartsWith("xxx") && !child.Name.StartsWith("yyy")) // filter criteria
            {
                temp.Remove(single);
                break; // already removed; no need to look at the remaining children
            }
        }
    }
    return temp;
}
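As an added example (my own code, not from the original post), here are the two failure modes described above and the temporary-list fix side by side: removing from a List<T> inside foreach throws, removing inside an index loop silently skips elements, and enumerating the original while removing from a copy gives the same result as RemoveAll. The sample products are constructed and hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public static class FilterDemo
{
    // Constructed sample data (hypothetical, not the post's product list): name and category.
    private static readonly List<(string Name, string Category)> Products =
        new List<(string Name, string Category)>
        {
            ("Bolt", "hardware"), ("Nut", "hardware"), ("Cable", "electrical")
        };

    // 1. Removing from the list being enumerated: List<T>'s enumerator notices the
    //    version change and throws InvalidOperationException on the next MoveNext().
    public static bool RemoveDuringForeachThrows(string excluded)
    {
        var list = new List<(string Name, string Category)>(Products);
        try
        {
            foreach (var p in list)
                if (p.Category == excluded) list.Remove(p);
            return false;
        }
        catch (InvalidOperationException) { return true; }
    }

    // 2. An index loop does not throw, but removing at i shifts the next element into
    //    slot i, which the loop then skips: excluding "hardware" still leaves "Nut" behind.
    public static int RemoveWithForLoopLeaves(string excluded)
    {
        var list = new List<(string Name, string Category)>(Products);
        for (int i = 0; i < list.Count; i++)
            if (list[i].Category == excluded) list.RemoveAt(i);
        return list.Count(p => p.Category == excluded);
    }

    // 3. The post's fix: enumerate the original, remove from a copy. Same outcome as
    //    list.RemoveAll(p => p.Category == excluded), but each removal can be stepped through.
    public static List<(string Name, string Category)> RemoveViaCopy(string excluded)
    {
        var list = new List<(string Name, string Category)>(Products);
        var temp = new List<(string Name, string Category)>(list);
        foreach (var p in list)
            if (p.Category == excluded) temp.Remove(p);
        return temp;
    }
}
```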

Random Strangers


Tonight, I feel so great. How so? I achieved something big. A thing we all could do, but we all "could not" do. It is helping strangers.

Tonight I did it. It feels so great. I don't know. But I feel that I am so useful. Someone found me and felt glad and thankful that they met me. I feel great because of it.

First, I decided to buy dinner. I usually buy Madurese satay with rice and noodles. The owner of the stall is usually a lady, with her son grilling the satays. But tonight, I didn't see her. I saw her husband and other son instead. So, I asked him where she was, just to cure my curiosity. What did I find? She was sick with a long-uncured hyperuricemia. Wow?! She must be in bad shape! I just happened to know a traditional medicine for that. What did I do? I told the man about the medicine, but he didn't understand. I felt, "Uh oh, this is bad!" What I did next was look for the medicine I had told him about, and I told him how to use it. He felt so grateful, so happy, his eyes shining, like when a kid gets a beautiful and attractive lollipop or ice cream! And I'm so happy to see that.

Second, I was practising my violin. Suddenly my flat neighbour came to me and asked about my blood type. I answered quickly and they felt relieved. They asked me to come with them after that. They told me that their friend had suffered an accident: a bus hit their friend and there was bleeding in her head. And they needed five bags of B+ blood to help her. I think that must be so horrible! Well, I then went quickly to give my blood. Because, well, I just wanted to and like to give, and I was in the mood to give. They all felt relieved.

Maybe, just maybe, the regular satay stall owner would have died soon, but I may have helped and healed her. Maybe those people whose friend was bleeding could have gone to the central Red Cross and got a blood donor, but it might have been too late. Maybe it just wasn't the right time. Just maybe, I have helped two lives. No, I have helped more than that. Because they feel great, they feel that I am willing to give and happy to give. They will pass it on. And I am planting a tree that consists of me continuously giving and being gracious, with others passing it on as the branches, and our good feelings as its leaves and fruits. Happiness is simple; learn to give.

Great Violin Tutorial


Hi all!

About a month ago, I bought a violin. I bought it because my ears love classical music, and also because I can sing but cannot play any instrument at all. So I decided to buy a violin and learn it from scratch alone (without any mentor).

I dug into the Internet. Here's the journal.

Day 1: null.

Day 2: I found a site: violinonline.com. I have to say that it was a good site. It contains all the basics, techniques, and stuff! I learned simple things from it.

Day 5: Dug into torrents and got the Suzuki violin books. I want to buy these books, but until now, I can't find any place around here to buy them.

Day 28 (yesterday): I stumbled onto ruland belajar biola. It is a good site for those who understand Bahasa. Its guidance is well structured and based on the author's own experience. If you don't understand the language, you can still look at the pictures.

In the end: I tell you what, people, learning violin is hard. But everything is easy if you have motivation. Well, my motivation is to master the violin. So, I won't stop learning. 🙂