Filter requests accessing TMPMEDIA_DIR folder. (#905)

* Filter requests accessing TMPMEDIA_DIR folder.

* Filter access to private dir.

Author: claudiamurialdo

dotnet/src/dotnetcore/GxClasses.Web/Middleware/GXRouting.cs

@@ -44,7 +44,7 @@ internal class GXRouting : IGXRouting
 
 		static Regex SDSVC_PATTERN = new Regex("([^/]+/)*(sdsvc_[^/]+/[^/]+)(\\?.*)*");
 
-		const string PRIVATE_DIR = "private";
+		internal const string PRIVATE_DIR = "private";
 		public Dictionary<string, string> servicesPathUrl = new Dictionary<string, string>();
 		public Dictionary<String, Dictionary<string, SingleMap>> servicesMap = new Dictionary<String, Dictionary<string, SingleMap>>();
 		public Dictionary<String, Dictionary<Tuple<string, string>, String>> servicesMapData = new Dictionary<String, Dictionary<Tuple<string, string>, string>>();

dotnet/src/dotnetcore/GxNetCoreStartup/Startup.cs

@@ -370,14 +370,22 @@ public void Configure(IApplicationBuilder app, Microsoft.AspNetCore.Hosting.IHos
 			if (File.Exists(rewriteFile))
 				AddRewrite(app, rewriteFile, baseVirtualPath);
 
+			string tempMediaDir = string.Empty;
+			if (Config.GetValueOf("TMPMEDIA_DIR", out string mediaPath) && !PathUtil.IsAbsoluteUrlOrAnyScheme(mediaPath))
+			{
+				tempMediaDir = mediaPath;
+			}
 			app.UseStaticFiles(new StaticFileOptions()
 			{
 				FileProvider = new PhysicalFileProvider(LocalPath),
 				RequestPath = new PathString($"{baseVirtualPath}"),
 				OnPrepareResponse = s =>
 				{
-					var path = s.Context.Request.Path;
-					if (path.HasValue &&  path.Value.IndexOf($"/{APP_SETTINGS}", StringComparison.OrdinalIgnoreCase)>=0)
+					PathString path = s.Context.Request.Path;
+					bool appSettingsPath = path.HasValue && path.Value.IndexOf($"/{APP_SETTINGS}", StringComparison.OrdinalIgnoreCase) >= 0;
+					bool tempMediaPath = path.StartsWithSegments($"{baseVirtualPath}/{tempMediaDir}", StringComparison.OrdinalIgnoreCase);
+					bool privatePath = path.StartsWithSegments($"{baseVirtualPath}/{GXRouting.PRIVATE_DIR}", StringComparison.OrdinalIgnoreCase);
+					if (appSettingsPath || tempMediaPath || privatePath)
 					{
 						s.Context.Response.StatusCode = 401;
 						s.Context.Response.Body = Stream.Null;