diff options
| -rw-r--r-- | docs/release-notes.md | 3 | ||||
| -rw-r--r-- | src/SMAPI/Framework/ModHelpers/ContentHelper.cs | 4 | ||||
| -rw-r--r-- | src/SMAPI/Framework/SContentManager.cs | 8 |
3 files changed, 10 insertions, 5 deletions
diff --git a/docs/release-notes.md b/docs/release-notes.md index 5b102df3..fd59bd07 100644 --- a/docs/release-notes.md +++ b/docs/release-notes.md @@ -1,4 +1,4 @@ -# Release notes +# Release notes ## 2.0 (upcoming) <!--See [log](https://github.com/Pathoschild/SMAPI/compare/1.10...2.0).--> @@ -30,6 +30,7 @@ For mod developers: * Removed support for mods with a non-unique `UniqueID` value in their manifest. * Removed access to SMAPI internals through the reflection helper, to discourage fragile mods. * Fixed `TimeEvents.AfterDayStarted` being raised during the new-game intro. +* Fixed SMAPI allowing map tilesheets with absolute or directory-climbing paths. These are now rejected even if the path exists, to avoid problems when players install the mod. For power users: * Added command-line arguments to the SMAPI installer so it can be scripted. diff --git a/src/SMAPI/Framework/ModHelpers/ContentHelper.cs b/src/SMAPI/Framework/ModHelpers/ContentHelper.cs index 4440ae40..4f5bd2f0 100644 --- a/src/SMAPI/Framework/ModHelpers/ContentHelper.cs +++ b/src/SMAPI/Framework/ModHelpers/ContentHelper.cs @@ -239,6 +239,10 @@ namespace StardewModdingAPI.Framework.ModHelpers { string imageSource = tilesheet.ImageSource; + // validate + if (Path.IsPathRooted(imageSource) || imageSource.Split(SContentManager.PossiblePathSeparators).Contains("..")) + throw new ContentLoadException($"The '{imageSource}' tilesheet couldn't be loaded. Tilesheet paths must be a relative path without directory climbing (../)."); + // get seasonal name (if applicable) string seasonalImageSource = null; if (Game1.currentSeason != null) diff --git a/src/SMAPI/Framework/SContentManager.cs b/src/SMAPI/Framework/SContentManager.cs index f3a1dd9a..db202567 100644 --- a/src/SMAPI/Framework/SContentManager.cs +++ b/src/SMAPI/Framework/SContentManager.cs @@ -21,9 +21,6 @@ namespace StardewModdingAPI.Framework /********* ** Properties *********/ - /// <summary>The possible directory separator characters in an asset key.</summary> - private static readonly char[] PossiblePathSeparators = new[] { '/', '\\', Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar }.Distinct().ToArray(); - /// <summary>The preferred directory separator chaeacter in an asset key.</summary> private static readonly string PreferredPathSeparator = Path.DirectorySeparatorChar.ToString(); @@ -64,8 +61,11 @@ namespace StardewModdingAPI.Framework /// <summary>Interceptors which edit matching assets after they're loaded.</summary> internal IDictionary<IModMetadata, IList<IAssetEditor>> Editors { get; } = new Dictionary<IModMetadata, IList<IAssetEditor>>(); + /// <summary>The possible directory separator characters in an asset key.</summary> + internal static readonly char[] PossiblePathSeparators = new[] { '/', '\\', Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar }.Distinct().ToArray(); + /// <summary>The absolute path to the <see cref="ContentManager.RootDirectory"/>.</summary> - public string FullRootDirectory => Path.Combine(Constants.ExecutionPath, this.RootDirectory); + internal string FullRootDirectory => Path.Combine(Constants.ExecutionPath, this.RootDirectory); /********* |