Merge commit from fork

Fix a path traversal bug in LocalResourceUrlManager

Author: exyi

src/Framework/Framework/ResourceManagement/LocalResourceUrlManager.cs

@@ -93,8 +93,23 @@ protected virtual string GetVersionHash(ILocalResourceLocation location, IDotvvm
             return TryLoadAlternativeFile(name, hash, context);
         }
 
+        private static bool IsAllowedFileName(string name)
+        {
+            if (name.StartsWith("."))
+                return false;
+            if (name.Contains('/') || name.Contains('\\'))
+                return false;
+            if (name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
+                return false;
+
+            return name.EndsWith(".map", StringComparison.OrdinalIgnoreCase);
+        }
+
         private ILocalResourceLocation? TryLoadAlternativeFile(string name, string hash, IDotvvmRequestContext context)
         {
+            if (!IsAllowedFileName(name))
+                return null;
+
             if (alternateDirectories != null && alternateDirectories.TryGetValue(hash, out var filePath) && filePath != null)
             {
                 var directory = Path.GetDirectoryName(Path.Combine(context.Configuration.ApplicationPhysicalPath, filePath));