From 1e19a170be1d540e815f89c1ae60c2b53f6123bf Mon Sep 17 00:00:00 2001
From: Jesse Plamondon-Willard <github@jplamondonw.com>
Date: Thu, 12 Oct 2017 22:20:19 -0400
Subject: refuse to load custom map tilesheets with absolute or
 directory-climbing paths (#368)

---
 src/SMAPI/Framework/ModHelpers/ContentHelper.cs | 4 ++++
 src/SMAPI/Framework/SContentManager.cs          | 8 ++++----
 2 files changed, 8 insertions(+), 4 deletions(-)

(limited to 'src/SMAPI')

diff --git a/src/SMAPI/Framework/ModHelpers/ContentHelper.cs b/src/SMAPI/Framework/ModHelpers/ContentHelper.cs
index 4440ae40..4f5bd2f0 100644
--- a/src/SMAPI/Framework/ModHelpers/ContentHelper.cs
+++ b/src/SMAPI/Framework/ModHelpers/ContentHelper.cs
@@ -239,6 +239,10 @@ namespace StardewModdingAPI.Framework.ModHelpers
             {
                 string imageSource = tilesheet.ImageSource;
 
+                // validate
+                if (Path.IsPathRooted(imageSource) || imageSource.Split(SContentManager.PossiblePathSeparators).Contains(".."))
+                    throw new ContentLoadException($"The '{imageSource}' tilesheet couldn't be loaded. Tilesheet paths must be a relative path without directory climbing (../).");
+
                 // get seasonal name (if applicable)
                 string seasonalImageSource = null;
                 if (Game1.currentSeason != null)
diff --git a/src/SMAPI/Framework/SContentManager.cs b/src/SMAPI/Framework/SContentManager.cs
index f3a1dd9a..db202567 100644
--- a/src/SMAPI/Framework/SContentManager.cs
+++ b/src/SMAPI/Framework/SContentManager.cs
@@ -21,9 +21,6 @@ namespace StardewModdingAPI.Framework
         /*********
         ** Properties
         *********/
-        /// <summary>The possible directory separator characters in an asset key.</summary>
-        private static readonly char[] PossiblePathSeparators = new[] { '/', '\\', Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar }.Distinct().ToArray();
-
         /// <summary>The preferred directory separator chaeacter in an asset key.</summary>
         private static readonly string PreferredPathSeparator = Path.DirectorySeparatorChar.ToString();
 
@@ -64,8 +61,11 @@ namespace StardewModdingAPI.Framework
         /// <summary>Interceptors which edit matching assets after they're loaded.</summary>
         internal IDictionary<IModMetadata, IList<IAssetEditor>> Editors { get; } = new Dictionary<IModMetadata, IList<IAssetEditor>>();
 
+        /// <summary>The possible directory separator characters in an asset key.</summary>
+        internal static readonly char[] PossiblePathSeparators = new[] { '/', '\\', Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar }.Distinct().ToArray();
+
         /// <summary>The absolute path to the <see cref="ContentManager.RootDirectory"/>.</summary>
-        public string FullRootDirectory => Path.Combine(Constants.ExecutionPath, this.RootDirectory);
+        internal string FullRootDirectory => Path.Combine(Constants.ExecutionPath, this.RootDirectory);
 
 
         /*********
-- 
cgit