extract GetFileName to separate method and handle invalid characters

2025-10-25 15:19:22 +00:00 · 2024-05-23 17:05:32 +02:00
parent 132a466c9a
commit ad46bc07dd
1 changed files with 24 additions and 2 deletions
--- a/src/Velopack/UpdateManager.cs
+++ b/src/Velopack/UpdateManager.cs
@@ -1,6 +1,7 @@
 using System;
 using System.IO;
 using System.Linq;
+using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Extensions.Logging;
@@ -231,7 +232,7 @@ namespace Velopack
            var appTempDir = Locator.AppTempDir!;
            var appPackageDir = Locator.PackagesDir!;

-            var completeFile = Path.Combine(appPackageDir, Path.GetFileName(targetRelease.FileName));
+            var completeFile = Path.Combine(appPackageDir, GetSafeFilename(targetRelease.FileName));
            var incompleteFile = completeFile + ".partial";

            try {
@@ -260,7 +261,7 @@ namespace Velopack
                                    $"Only full update will be available.");
                            } else {
                                using var _1 = Utility.GetTempDirectory(out var deltaStagingDir, appTempDir);
-                                string basePackagePath = Path.Combine(appPackageDir, Path.GetFileName(updates.BaseRelease.FileName));
+                                string basePackagePath = Path.Combine(appPackageDir, GetSafeFilename(updates.BaseRelease.FileName));
                                if (!File.Exists(basePackagePath))
                                    throw new Exception($"Unable to find base package {basePackagePath} for delta update.");
                                EasyZip.ExtractZipToDirectory(Log, basePackagePath, deltaStagingDir);
@@ -318,6 +319,27 @@ namespace Velopack

                CleanPackagesExcept(completeFile);
            }
+
+
+            // Ensures that the file name is safe for writing to disk without escaping the packages folder
+            static string GetSafeFilename(string fileName)
+            {
+                string safeFileName = Path.GetFileName(fileName);
+                char[] invalidFileNameChars = Path.GetInvalidFileNameChars();
+
+                if (safeFileName.IndexOfAny(invalidFileNameChars) != -1 ) {
+                    StringBuilder safeName = new();
+                    foreach(char ch in safeFileName) { 
+                        if (Array.IndexOf(invalidFileNameChars, ch) == -1)
+                            safeName.Append(ch);
+                        else
+                            safeName.Append('_');
+                    }
+                    safeFileName = safeName.ToString();
+                }
+
+                return safeFileName;
+            }
        }

        /// <summary>