GitHub-workflow-APP
diff --git a/‎.gitignore‎
Lines changed: 2 additions & 0 deletions b/‎.gitignore‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎BlogEngine/BlogEngine.Core/API/MetaWeblog/XMLRPCRequest.cs‎
Lines changed: 2 additions & 2 deletions b/‎BlogEngine/BlogEngine.Core/API/MetaWeblog/XMLRPCRequest.cs‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎BlogEngine/BlogEngine.Core/BlogSettings.cs‎
Lines changed: 5 additions & 5 deletions b/‎BlogEngine/BlogEngine.Core/BlogSettings.cs‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎BlogEngine/BlogEngine.Core/Data/FileManagerRepository.cs‎
Lines changed: 2 additions & 0 deletions b/‎BlogEngine/BlogEngine.Core/Data/FileManagerRepository.cs‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎BlogEngine/BlogEngine.Core/Data/Models/SelectOption.cs‎
Lines changed: 4 additions & 0 deletions b/‎BlogEngine/BlogEngine.Core/Data/Models/SelectOption.cs‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎BlogEngine/BlogEngine.Core/Extensions.cs‎
Lines changed: 22 additions & 0 deletions b/‎BlogEngine/BlogEngine.Core/Extensions.cs‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎BlogEngine/BlogEngine.Core/Properties/AssemblyInfo.cs‎
Lines changed: 3 additions & 3 deletions b/‎BlogEngine/BlogEngine.Core/Properties/AssemblyInfo.cs‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎BlogEngine/BlogEngine.Core/Services/Security/Security.cs‎
Lines changed: 14 additions & 4 deletions b/‎BlogEngine/BlogEngine.Core/Services/Security/Security.cs‎
Lines changed: 14 additions & 4 deletions
diff --git a/‎BlogEngine/BlogEngine.Core/Services/Syndication/SyndicationGenerator.cs‎
Lines changed: 4 additions & 4 deletions b/‎BlogEngine/BlogEngine.Core/Services/Syndication/SyndicationGenerator.cs‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎BlogEngine/BlogEngine.Core/Web/HttpHandlers/PingbackHandler.cs‎
Lines changed: 2 additions & 2 deletions b/‎BlogEngine/BlogEngine.Core/Web/HttpHandlers/PingbackHandler.cs‎
Lines changed: 2 additions & 2 deletions
@@ -186,3 +186,5 @@ BlogEngine/.vs/
 
 # Default extensions data
 BlogEngine/BlogEngine.NET/App_Data/datastore/extensions/*.xml
+/.vs/slnx.sqlite
+/.vs/BlogEngine.NET/config/applicationhost.config
@@ -327,7 +327,7 @@ private static MWAPost GetPost(XmlNode node)
         /// </param>
         private void LoadXmlRequest(string xml)
         {
-            var request = new XmlDocument();
+            var request = new XmlDocument() { XmlResolver = null };
             try
             {
                 if (!(xml.StartsWith("<?xml") || xml.StartsWith("<method")))
@@ -505,4 +505,4 @@ private static string ParseRequest(HttpContext context)
 
         #endregion
     }
-}
+}
@@ -420,27 +420,27 @@ public string Theme
                     var request = context.Request;
                     if (request.QueryString["theme"] != null)
                     {
-                        return request.QueryString["theme"];
+                        return request.QueryString["theme"].SanitizePath();
                     }
 
                     var cookie = request.Cookies[this.ThemeCookieName];
                     if (cookie != null)
                     {
-                        return cookie.Value;
+                        return cookie.Value.SanitizePath();
                     }
 
                     if (Utils.ShouldForceMainTheme(request))
                     {
-                        return this.configuredTheme;
+                        return this.configuredTheme.SanitizePath();
                     }
                 }
 
-                return this.configuredTheme;
+                return this.configuredTheme.SanitizePath();
             }
 
             set
             {
-                this.configuredTheme = String.IsNullOrEmpty(value) ? String.Empty : value;
+                this.configuredTheme = String.IsNullOrEmpty(value) ? String.Empty : value.SanitizePath();
             }
         }
 
 
@@ -18,6 +18,8 @@ public IEnumerable<FileInstance> Find(int take = 10, int skip = 0, string path =
             var rwr = Utils.RelativeWebRoot;
             var responsePath = "root";
 
+            path = path.SanitizePath();
+
             if(string.IsNullOrEmpty(path))
                 path = Blog.CurrentInstance.StorageLocation + Utils.FilesFolder;
 
 
@@ -14,6 +14,10 @@ public class SelectOption
         /// </summary>
         public string OptionValue { get; set; }
         /// <summary>
+        /// Option Summary
+        /// </summary>
+        public string OptionSummary { get; set; }
+        /// <summary>
         /// Is option selected
         /// </summary>
         public bool IsSelected { get; set; }
 
@@ -92,5 +92,27 @@ public static bool TryParse<T>(this string theString, out T output)
 
             return success;
         }
+
+        /// <summary>
+        /// Sanitize path by removing invalid characters. Valid path should look similar to "path/to/sub/folder"
+        /// </summary>
+        /// <param name="str">String to sanitize</param>
+        /// <param name="root">Optionally validate datastore root</param>
+        /// <returns>String out</returns>
+        public static string SanitizePath(this string str, string root = "")
+        {
+            if (str.Contains(".."))
+                return "";
+
+            if (str.StartsWith("~/") && !string.IsNullOrEmpty(root) && !str.StartsWith(root))
+                return "";
+
+            str = str.Replace(".", "").Replace("\\", "").Replace("%2F", "");
+
+            if (str.Contains("//"))
+                return "";
+
+            return str;
+        }
     }
 }
@@ -13,11 +13,11 @@
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("")]
 [assembly: AssemblyProduct("BlogEngine.NET")]
-[assembly: AssemblyCopyright("Copyright @ 2007-2017")]
+[assembly: AssemblyCopyright("Copyright @ 2007-2019")]
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
 [assembly: CLSCompliant(false)]
 [assembly: ComVisible(false)]
 [assembly: AllowPartiallyTrustedCallers]
-[assembly: AssemblyVersion("3.3.6.0")]
-[assembly: SecurityRules(SecurityRuleSet.Level1)]
+[assembly: AssemblyVersion("3.3.8.0")]
+[assembly: SecurityRules(SecurityRuleSet.Level1)]
@@ -185,10 +185,7 @@ public static bool AuthenticateUser(string username, string password, bool remem
                     string returnUrl = context.Request.QueryString["returnUrl"];
 
                     // ignore Return URLs not beginning with a forward slash, such as remote sites.
-                    if (string.IsNullOrWhiteSpace(returnUrl) || !returnUrl.StartsWith("/"))
-                        returnUrl = null;
-
-                    if (!string.IsNullOrWhiteSpace(returnUrl))
+                    if (Security.IsLocalUrl(returnUrl))
                     {
                         context.Response.Redirect(returnUrl);
                     }
@@ -204,6 +201,19 @@ public static bool AuthenticateUser(string username, string password, bool remem
             return false;
         }
 
+        private static bool IsLocalUrl(string url)
+        {
+            if (string.IsNullOrWhiteSpace(url))
+            {
+                return false;
+            }
+            else
+            {
+                return ((url[0] == '/' && (url.Length == 1 || (url[1] != '/' && url[1] != '\\'))) || // "/" or "/foo" but not "//" or "/\" 
+						(url.Length > 1 && url[0] == '~' && url[1] == '/')); // "~/" or "~/foo"
+            }
+        }
+
         private const string AUTH_TKT_USERDATA_DELIMITER = "-|-";
 
         private static string SecurityValidationKey
 
@@ -35,7 +35,7 @@ public class SyndicationGenerator
         /// <summary>
         ///     Private member to hold the URI of the syndication generation utility.
         /// </summary>
-        private static readonly Uri GeneratorUri = new Uri("http://dotnetblogengine.net/");
+        private static readonly Uri GeneratorUri = new Uri("https://blogengine.io/");
 
         /// <summary>
         ///     Private member to hold the version of the syndication generation utility.
@@ -135,7 +135,7 @@ public static Dictionary<string, string> SupportedNamespaces
                                 { "wfw", "http://wellformedweb.org/CommentAPI/" },
                                 { "slash", "http://purl.org/rss/1.0/modules/slash/" },
                                 { "geo", "http://www.w3.org/2003/01/geo/wgs84_pos#" },
-                                { "betag", "http://dotnetblogengine.net/schemas/tags"}
+                                { "betag", "https://blogengine.io/schemas/tags"}
                             });
             }
         }
@@ -536,7 +536,7 @@ private static void WriteAtomEntry(XmlWriter writer, IPublishable publishable)
             {
                 foreach (var tag in publishable.Tags)
                 {
-                    writer.WriteElementString("betag", "tag", "http://dotnetblogengine.net/schemas/tags", tag);
+                    writer.WriteElementString("betag", "tag", "https://blogengine.io/schemas/tags", tag);
                 }
             }
 
@@ -725,7 +725,7 @@ private static void WriteRssItem(XmlWriter writer, IPublishable publishable)
             {
                 foreach (var tag in publishable.Tags)
                 {
-                    writer.WriteElementString("betag", "tag", "http://dotnetblogengine.net/schemas/tags", tag);
+                    writer.WriteElementString("betag", "tag", "https://blogengine.io/schemas/tags", tag);
                 }
             }
 
 
@@ -337,7 +337,7 @@ private static XmlDocument RetrieveXmlDocument(HttpContext context)
                 context.Response.End();
             }
 
-            var doc = new XmlDocument();
+            var doc = new XmlDocument() { XmlResolver = null };
             doc.LoadXml(xml);
             return doc;
         }
@@ -432,4 +432,4 @@ private void ExamineSourcePage(string sourceUrl, string targetUrl)
 
         #endregion
     }
-}
+}
Original file line number	Diff line number	Diff line change
`@@ -327,7 +327,7 @@ private static MWAPost GetPost(XmlNode node)`
`327`	`327`	`/// </param>`
`328`	`328`	`private void LoadXmlRequest(string xml)`
`329`	`329`	`{`
`330`		`- var request = new XmlDocument();`
	`330`	`+ var request = new XmlDocument() { XmlResolver = null };`
`331`	`331`	`try`
`332`	`332`	`{`
`333`	`333`	`if (!(xml.StartsWith("<?xml") \|\| xml.StartsWith("<method")))`
`@@ -505,4 +505,4 @@ private static string ParseRequest(HttpContext context)`
`505`	`505`
`506`	`506`	`#endregion`
`507`	`507`	`}`
`508`		`-}`
	`508`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -420,27 +420,27 @@ public string Theme`
`420`	`420`	`var request = context.Request;`
`421`	`421`	`if (request.QueryString["theme"] != null)`
`422`	`422`	`{`
`423`		`- return request.QueryString["theme"];`
	`423`	`+ return request.QueryString["theme"].SanitizePath();`
`424`	`424`	`}`
`425`	`425`
`426`	`426`	`var cookie = request.Cookies[this.ThemeCookieName];`
`427`	`427`	`if (cookie != null)`
`428`	`428`	`{`
`429`		`- return cookie.Value;`
	`429`	`+ return cookie.Value.SanitizePath();`
`430`	`430`	`}`
`431`	`431`
`432`	`432`	`if (Utils.ShouldForceMainTheme(request))`
`433`	`433`	`{`
`434`		`- return this.configuredTheme;`
	`434`	`+ return this.configuredTheme.SanitizePath();`
`435`	`435`	`}`
`436`	`436`	`}`
`437`	`437`
`438`		`- return this.configuredTheme;`
	`438`	`+ return this.configuredTheme.SanitizePath();`
`439`	`439`	`}`
`440`	`440`
`441`	`441`	`set`
`442`	`442`	`{`
`443`		`- this.configuredTheme = String.IsNullOrEmpty(value) ? String.Empty : value;`
	`443`	`+ this.configuredTheme = String.IsNullOrEmpty(value) ? String.Empty : value.SanitizePath();`
`444`	`444`	`}`
`445`	`445`	`}`
`446`	`446`
Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ public class SyndicationGenerator`
`35`	`35`	`/// <summary>`
`36`	`36`	`/// Private member to hold the URI of the syndication generation utility.`
`37`	`37`	`/// </summary>`
`38`		`- private static readonly Uri GeneratorUri = new Uri("http://dotnetblogengine.net/");`
	`38`	`+ private static readonly Uri GeneratorUri = new Uri("https://blogengine.io/");`
`39`	`39`
`40`	`40`	`/// <summary>`
`41`	`41`	`/// Private member to hold the version of the syndication generation utility.`
`@@ -135,7 +135,7 @@ public static Dictionary<string, string> SupportedNamespaces`
`135`	`135`	`{ "wfw", "http://wellformedweb.org/CommentAPI/" },`
`136`	`136`	`{ "slash", "http://purl.org/rss/1.0/modules/slash/" },`
`137`	`137`	`{ "geo", "http://www.w3.org/2003/01/geo/wgs84_pos#" },`
`138`		`- { "betag", "http://dotnetblogengine.net/schemas/tags"}`
	`138`	`+ { "betag", "https://blogengine.io/schemas/tags"}`
`139`	`139`	`});`
`140`	`140`	`}`
`141`	`141`	`}`
`@@ -536,7 +536,7 @@ private static void WriteAtomEntry(XmlWriter writer, IPublishable publishable)`
`536`	`536`	`{`
`537`	`537`	`foreach (var tag in publishable.Tags)`
`538`	`538`	`{`
`539`		`- writer.WriteElementString("betag", "tag", "http://dotnetblogengine.net/schemas/tags", tag);`
	`539`	`+ writer.WriteElementString("betag", "tag", "https://blogengine.io/schemas/tags", tag);`
`540`	`540`	`}`
`541`	`541`	`}`
`542`	`542`
`@@ -725,7 +725,7 @@ private static void WriteRssItem(XmlWriter writer, IPublishable publishable)`
`725`	`725`	`{`
`726`	`726`	`foreach (var tag in publishable.Tags)`
`727`	`727`	`{`
`728`		`- writer.WriteElementString("betag", "tag", "http://dotnetblogengine.net/schemas/tags", tag);`
	`728`	`+ writer.WriteElementString("betag", "tag", "https://blogengine.io/schemas/tags", tag);`
`729`	`729`	`}`
`730`	`730`	`}`
`731`	`731`
Original file line number	Diff line number	Diff line change
`@@ -337,7 +337,7 @@ private static XmlDocument RetrieveXmlDocument(HttpContext context)`
`337`	`337`	`context.Response.End();`
`338`	`338`	`}`
`339`	`339`
`340`		`- var doc = new XmlDocument();`
	`340`	`+ var doc = new XmlDocument() { XmlResolver = null };`
`341`	`341`	`doc.LoadXml(xml);`
`342`	`342`	`return doc;`
`343`	`343`	`}`
`@@ -432,4 +432,4 @@ private void ExamineSourcePage(string sourceUrl, string targetUrl)`
`432`	`432`
`433`	`433`	`#endregion`
`434`	`434`	`}`
`435`		`-}`
	`435`	`+}`