Description
The code is using the C# Helper method Path.Combine()
in multiple places. For example: https://github.com/FubarDevelopment/WebDavServer/blob/master/src/FubarDev.WebDavServer.FileSystem.DotNet/DotNetDirectory.cs#L101
Do you know that using this method might result in some unwanted behaviours and could cause serious security issues?
Like explained in the remarks of the API documentation (https://msdn.microsoft.com/de-de/library/fyy7a5kt%28v=vs.110%29.aspx?f=255&MSPPError=-2147217396) the method call
Path.Combine(@"C:\MyWebDavDir", @"C:\Passwords\VerySecretFile.txt")
will result in "C:\Passwords\VerySecretFile.txt".
Like in some of the methods in the DotNetFileSystem
classes, the second argument of Path.Combine is often user-defined and therefore it might be possible to leave the WebDav root directory and read/write to any file on the system. At least on Windows.
I din't check the full code to make sure this is actually possible, but I'd recommend to replace every call to Path.Combine with one to an own more secure implementation.
And by the way: Many thanks for this awesome library!
Kind regards, Marcus Wichelmann