From 1e19a170be1d540e815f89c1ae60c2b53f6123bf Mon Sep 17 00:00:00 2001
From: Jesse Plamondon-Willard <github@jplamondonw.com>
Date: Thu, 12 Oct 2017 22:20:19 -0400
Subject: refuse to load custom map tilesheets with absolute or
 directory-climbing paths (#368)

---
 src/SMAPI/Framework/ModHelpers/ContentHelper.cs | 4 ++++
 1 file changed, 4 insertions(+)


diff --git a/src/SMAPI/Framework/ModHelpers/ContentHelper.cs b/src/SMAPI/Framework/ModHelpers/ContentHelper.cs
index 4440ae40..4f5bd2f0 100644
--- a/src/SMAPI/Framework/ModHelpers/ContentHelper.cs
+++ b/src/SMAPI/Framework/ModHelpers/ContentHelper.cs
@@ -239,6 +239,10 @@ namespace StardewModdingAPI.Framework.ModHelpers
             {
                 string imageSource = tilesheet.ImageSource;
 
+                // validate
+                if (Path.IsPathRooted(imageSource) || imageSource.Split(SContentManager.PossiblePathSeparators).Contains(".."))
+                    throw new ContentLoadException($"The '{imageSource}' tilesheet couldn't be loaded. Tilesheet paths must be a relative path without directory climbing (../).");
+
                 // get seasonal name (if applicable)
                 string seasonalImageSource = null;
                 if (Game1.currentSeason != null)
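Review bot: The new check on `imageSource` is lexical only: it rejects rooted paths and literal `..` segments, but nothing in this hunk confirms that the file eventually opened resolves inside the mod's folder. Consider adding a containment check at the point where the tilesheet path is combined with the mod directory (that code is outside this hunk), for example `if (!Path.GetFullPath(fullPath).StartsWith(modFolder + Path.DirectorySeparatorChar, StringComparison.Ordinal)) throw new ContentLoadException(...);`, where `fullPath` and `modFolder` are placeholder names for whatever the surrounding method uses. Separately, on .NET Framework `Path.IsPathRooted` throws ArgumentException for strings containing invalid path characters, and a null `ImageSource` would fail in `Split`, so a malformed map value may surface as a different exception type than `ContentLoadException`. The `// validate` comment could also say why the check exists, e.g. `// tilesheet paths come from the map file; reject anything that could resolve outside the mod folder`. The enclosing loop and method begin and end outside the hunk.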
-- 
cgit