Headline
CVE-2023-26564: GitHub - SyncfusionExamples/ej2-aspcore-file-provider: ej2-aspcore-file-provider
The Syncfusion EJ2 ASPCore File Provider 3ac357f is vulnerable to Models/PhysicalFileProvider.cs directory traversal. As a result, an unauthenticated attacker can list files within a directory, download any file, or upload any file to any directory accessible by the web server.
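The kind of containment check that stops a client-supplied path from leaving the provider's content root, as an added example; it is not code from this repository and not its fix. `SafePath`, `ResolveUnderRoot` and the sample root and paths are hypothetical, constructed for illustration.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;

public static class SafePath
{
    // Resolve a client-supplied path and require the canonical result to stay
    // inside contentRoot. Rejects the request instead of "cleaning" the input.
    public static string ResolveUnderRoot(string contentRoot, string clientPath)
    {
        if (clientPath is null || clientPath.IndexOf('\0') >= 0)
            throw new UnauthorizedAccessException("Invalid path.");

        // Canonical root ending in exactly one separator, so a sibling such as
        // "fm-root-backup" is not mistaken for a child of "fm-root".
        string root = Path.GetFullPath(contentRoot)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;

        // Strip leading separators: Path.Combine discards the first argument
        // when the second one is rooted.
        string relative = clientPath.TrimStart('/', '\\');

        // GetFullPath collapses "." and ".." segments. It does not resolve
        // symbolic links, so links inside the root need separate handling.
        string full = Path.GetFullPath(Path.Combine(root, relative));

        StringComparison cmp = RuntimeInformation.IsOSPlatform(OSPlatform.Windows)
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;
        if (!full.StartsWith(root, cmp))
            throw new UnauthorizedAccessException("Path escapes the content root.");
        return full;
    }

    public static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "fm-root"); // constructed root
        string[] samples = {                                       // constructed inputs
            "/Pictures/a.png", "/../../etc/passwd", "/Docs/../../fm-root-backup/x" };
        foreach (string p in samples)
        {
            try { Console.WriteLine($"{p} -> {ResolveUnderRoot(root, p)}"); }
            catch (UnauthorizedAccessException) { Console.WriteLine($"{p} -> rejected"); }
        }
    }
}
```

The same check has to run on every operation that takes a path or file name from the request (read, download, upload, copy, move, rename), and on the combined directory plus file name rather than on the directory alone.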
ASP.NET Core service for the file manager component
This repository contains the ASP.NET Core file system providers for the Essential JS 2 File Manager component.
Key Features
A file system provider is an API for access to the physical file system in the FileManager control. It also provides the methods for performing various file actions like creating a new folder, renaming files and deleting files.
ASP.NET Core file system provider serves the physical file system for the file manager component.
The following actions can be performed with ASP.NET Core file system Provider.
| Actions | Description |
| --- | --- |
| Read | Read the files from the local file storage. |
| Details | Gets a file's metadata, which consists of Type, Size, Location and Modified date. |
| Download | Download the selected file or folder. |
| Upload | Uploads the file. It accepts uploaded media with the following characteristics: Maximum file size: 30MB; Accepted Media MIME types: / |
| Create | Create a new folder. |
| Delete | Delete a folder or file. |
| Copy | Copies the contents of the file from the target location. |
| Move | Paste the copied files to the desired location. |
| Rename | Rename a folder or file. |
| Search | Search a file or folder. |

How to run this application?
To run this application, first clone the ej2-aspcore-file-provider repository and then navigate to the directory where it was cloned on your system.
To do so, open the command prompt and run the commands below, one after the other.
git clone https://github.com/SyncfusionExamples/ej2-aspcore-file-provider ej2-aspcore-file-provider
cd ej2-aspcore-file-provider
Running application
Once cloned, open the solution file in Visual Studio. Then restore the NuGet packages, build the project, and run it.
File Manager AjaxSettings
To access the basic actions such as Read, Delete, Copy, Move, Rename, Search, and Get Details of File Manager using Azure service, set the following code snippet in the ajaxSettings property of File Manager.
Here, the hostUrl will be your locally hosted port number.
var hostUrl = 'http://localhost:62870/';
ajaxSettings: {
    url: hostUrl + 'api/FileManager/FileOperations'
}
File download AjaxSettings
To perform the download operation, initialize the downloadUrl property in ajaxSettings of the File Manager component.
var hostUrl = 'http://localhost:62870/';
ajaxSettings: {
    url: hostUrl + 'api/FileManager/FileOperations',
    downloadUrl: hostUrl + 'api/FileManager/Download'
}
File upload AjaxSettings
To perform the upload operation, initialize the uploadUrl property in ajaxSettings of the File Manager component.
var hostUrl = 'http://localhost:62870/';
ajaxSettings: {
    url: hostUrl + 'api/FileManager/FileOperations',
    uploadUrl: hostUrl + 'api/FileManager/Upload'
}
File image preview AjaxSettings
To enable image preview support in the File Manager component, initialize the getImageUrl property in ajaxSettings of the File Manager component.
var hostUrl = 'http://localhost:62870/';
ajaxSettings: {
    url: hostUrl + 'api/FileManager/FileOperations',
    getImageUrl: hostUrl + 'api/FileManager/GetImage'
}
The FileManager will be rendered as the following.
Support
Product support is available through the following mediums.
- Creating an incident in the Syncfusion Direct-trac support system or Community forum.
- New GitHub issue.
- Ask your query in Stack Overflow with tag syncfusion and ej2.
License
Check the license detail here.
Changelog
Check the changelog here
© Copyright 2019 Syncfusion, Inc. All Rights Reserved. The Syncfusion Essential Studio license and copyright applies to this distribution.