#4133 Backfit of : Prevent use of .. or : in file path #3552 (#4138)

MaceySoftware · web-flow · commit 445bc609bc11 · 2024-08-06T10:19:59.000-07:00
diff --git a/Source/Csla.Shared/Reflection/MethodCaller.cs b/Source/Csla.Shared/Reflection/MethodCaller.cs
@@ -234,7 +234,11 @@ public static Type GetType(string typeName, bool throwOnError, bool ignoreCase)
         string[] splitName = typeName.Split(',');
         if (splitName.Length > 2)
         {
-          var asm = AssemblyLoadContext.Default.LoadFromAssemblyPath(AppContext.BaseDirectory + splitName[1].Trim() + ".dll");
+          var path = AppContext.BaseDirectory + splitName[1].Trim() + ".dll";
+          if (path.Contains("..") || path.Contains(':'))
+            throw new TypeLoadException(path);
+
+          var asm = AssemblyLoadContext.Default.LoadFromAssemblyPath(path);
           return asm.GetType(splitName[0].Trim());
         }
         else

Original file line number	Diff line number	Diff line change
`@@ -234,7 +234,11 @@ public static Type GetType(string typeName, bool throwOnError, bool ignoreCase)`
`234`	`234`	`string[] splitName = typeName.Split(',');`
`235`	`235`	`if (splitName.Length > 2)`
`236`	`236`	`{`
`237`		`- var asm = AssemblyLoadContext.Default.LoadFromAssemblyPath(AppContext.BaseDirectory + splitName[1].Trim() + ".dll");`
	`237`	`+ var path = AppContext.BaseDirectory + splitName[1].Trim() + ".dll";`
	`238`	`+ if (path.Contains("..") \|\| path.Contains(':'))`
	`239`	`+ throw new TypeLoadException(path);`
	`240`	`+`
	`241`	`+ var asm = AssemblyLoadContext.Default.LoadFromAssemblyPath(path);`
`238`	`242`	`return asm.GetType(splitName[0].Trim());`
`239`	`243`	`}`
`240`	`244`	`else`