refuse to load custom map tilesheets with absolute or directory-climbing paths (#368)

3 files changed, 10 insertions, 5 deletions

diff --git a/docs/release-notes.md b/docs/release-notes.md
index 5b102df3..fd59bd07 100644
--- a/docs/release-notes.md
+++ b/docs/release-notes.md
@@ -1,4 +1,4 @@
-# Release notes
+# Release notes
 ## 2.0 (upcoming)
 <!--See [log](https://github.com/Pathoschild/SMAPI/compare/1.10...2.0).-->
 
@@ -30,6 +30,7 @@ For mod developers:
 * Removed support for mods with a non-unique `UniqueID` value in their manifest.
 * Removed access to SMAPI internals through the reflection helper, to discourage fragile mods.
 * Fixed `TimeEvents.AfterDayStarted` being raised during the new-game intro.
+* Fixed SMAPI allowing map tilesheets with absolute or directory-climbing paths. These are now rejected even if the path exists, to avoid problems when players install the mod.
 
 For power users:
 * Added command-line arguments to the SMAPI installer so it can be scripted.
diff --git a/src/SMAPI/Framework/ModHelpers/ContentHelper.cs b/src/SMAPI/Framework/ModHelpers/ContentHelper.cs
index 4440ae40..4f5bd2f0 100644
--- a/src/SMAPI/Framework/ModHelpers/ContentHelper.cs
+++ b/src/SMAPI/Framework/ModHelpers/ContentHelper.cs
@@ -239,6 +239,10 @@ namespace StardewModdingAPI.Framework.ModHelpers
             {
                 string imageSource = tilesheet.ImageSource;
 
+                // validate
+                if (Path.IsPathRooted(imageSource) || imageSource.Split(SContentManager.PossiblePathSeparators).Contains(".."))
+                    throw new ContentLoadException($"The '{imageSource}' tilesheet couldn't be loaded. Tilesheet paths must be a relative path without directory climbing (../).");
+
                 // get seasonal name (if applicable)
                 string seasonalImageSource = null;
                 if (Game1.currentSeason != null)
diff --git a/src/SMAPI/Framework/SContentManager.cs b/src/SMAPI/Framework/SContentManager.cs
index f3a1dd9a..db202567 100644
--- a/src/SMAPI/Framework/SContentManager.cs
+++ b/src/SMAPI/Framework/SContentManager.cs
@@ -21,9 +21,6 @@ namespace StardewModdingAPI.Framework
         /*********
         ** Properties
         *********/
-        /// <summary>The possible directory separator characters in an asset key.</summary>
-        private static readonly char[] PossiblePathSeparators = new[] { '/', '\\', Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar }.Distinct().ToArray();
-
         /// <summary>The preferred directory separator chaeacter in an asset key.</summary>
         private static readonly string PreferredPathSeparator = Path.DirectorySeparatorChar.ToString();
 
@@ -64,8 +61,11 @@ namespace StardewModdingAPI.Framework
         /// <summary>Interceptors which edit matching assets after they're loaded.</summary>
         internal IDictionary<IModMetadata, IList<IAssetEditor>> Editors { get; } = new Dictionary<IModMetadata, IList<IAssetEditor>>();
 
+        /// <summary>The possible directory separator characters in an asset key.</summary>
+        internal static readonly char[] PossiblePathSeparators = new[] { '/', '\\', Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar }.Distinct().ToArray();
+
         /// <summary>The absolute path to the <see cref="ContentManager.RootDirectory"/>.</summary>
-        public string FullRootDirectory => Path.Combine(Constants.ExecutionPath, this.RootDirectory);
+        internal string FullRootDirectory => Path.Combine(Constants.ExecutionPath, this.RootDirectory);
 
 
         /*********