Merge pull request from GHSA-6324-52pr-h4p5

Zeegaan · bergmania · web-flow · commit 13cc320f1911 · 2023-12-11T13:59:03.000+01:00
* Bump version * Fix GHSA-6324-52pr-h4p5 * Fix GHSA-6324-52pr-h4p5 --------- Co-authored-by: Bjarke Berg <mail@bergmania.dk> Co-authored-by: Zeegaan <nge@umbraco.dk>
diff --git a/src/Umbraco.Infrastructure/Persistence/Repositories/Implement/CreatedPackageSchemaRepository.cs b/src/Umbraco.Infrastructure/Persistence/Repositories/Implement/CreatedPackageSchemaRepository.cs
@@ -266,7 +266,12 @@ public string ExportPackage(PackageDefinition definition)
                     definition.Name.Replace(' ', '_')));
             Directory.CreateDirectory(directoryName);
 
+            var expectedRoot = _hostingEnvironment.MapPathContentRoot(_createdPackagesFolderPath);
             var finalPackagePath = Path.Combine(directoryName, fileName);
+            if (finalPackagePath.StartsWith(expectedRoot) == false)
+            {
+                throw new IOException("Invalid path due to the package name");
+            }
 
             // Clean existing files
             foreach (var packagePath in new[] { definition.PackagePath, finalPackagePath })
