From 9b17351592fbde376506ba6705dbcc7a74a2a195 Mon Sep 17 00:00:00 2001
From: Mitchel Sellers
Date: Sun, 21 Aug 2022 00:51:39 -0500
Subject: [PATCH] Restrict log viewing to files only
---
 .../Services/ServerSettingsLogsController.cs | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/Dnn.AdminExperience/Dnn.PersonaBar.Extensions/Services/ServerSettingsLogsController.cs b/Dnn.AdminExperience/Dnn.PersonaBar.Extensions/Services/ServerSettingsLogsController.cs
index 54ff8fd7158..5d8e3b1ff05 100644
--- a/Dnn.AdminExperience/Dnn.PersonaBar.Extensions/Services/ServerSettingsLogsController.cs
+++ b/Dnn.AdminExperience/Dnn.PersonaBar.Extensions/Services/ServerSettingsLogsController.cs
@@ -1,4 +1,4 @@
-// Licensed to the .NET Foundation under one or more agreements.
+// Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 // See the LICENSE file in the project root for more information
 
@@ -52,7 +52,8 @@ public HttpResponseMessage GetLogFile(string fileName)
 {
 try
 {
- var logFilePath = Path.Combine(Globals.ApplicationMapPath, @"portals\_default\logs", fileName);
+ var cleanedFileName = Path.GetFileName(fileName);
+ var logFilePath = Path.Combine(Globals.ApplicationMapPath, @"portals\_default\logs", cleanedFileName);
 return this.CreateLogFileResponse(logFilePath);
 }
 catch (ArgumentException exc)
@@ -72,7 +73,8 @@ public HttpResponseMessage GetUpgradeLogFile(string logName)
 try
 {
 var providerPath = DataProvider.Instance().GetProviderPath();
- var logFilePath = Path.Combine(providerPath, logName);
+ var cleanedLogName = Path.GetFileName(logName);
+ var logFilePath = Path.Combine(providerPath, cleanedLogName);
 return this.CreateLogFileResponse(logFilePath);
 }
 catch (ArgumentException exc)
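Review bot: In GetLogFile the request value is silently normalised rather than rejected, so a `fileName` that carries directory segments is served as whatever file of that leaf name sits in the logs folder and leaves no trace for detection. `Path.GetFileName` also returns an empty string when the input is empty or ends in a separator, in which case `Path.Combine` yields the logs directory itself and is passed to `CreateLogFileResponse`. I would add a guard directly after the new line, `if (string.IsNullOrEmpty(cleanedFileName) || !string.Equals(cleanedFileName, fileName, StringComparison.Ordinal))`, that logs the attempt and returns an error response instead of continuing. The same applies to `cleanedLogName` in the GetUpgradeLogFile hunk. The catch body and `CreateLogFileResponse` are outside the hunk, so how they treat a directory path is not visible here.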
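Review bot: In GetUpgradeLogFile the cleaned name is still combined with the value of `GetProviderPath()`, so any file in that directory can be requested by name, not only upgrade logs. That directory presumably also holds provider scripts and other non-log files; this should be confirmed against the deployment layout. An extension allow-list on `Path.GetExtension(cleanedLogName)` before the `Path.Combine` call would limit the endpoint to the log files it is meant to serve, unless `CreateLogFileResponse` (not visible in this hunk) already enforces that. The method body starts and ends outside the hunk.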