Merge branch 'master' of github.com:BlogEngine/BlogEngine.NET

Wanrick · Jan 12, 2023 · 15164ea · 15164ea
2 parents 9742bb7 + 9a37bd1
commit 15164ea
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 2 deletions.
diff --git a/BlogEngine/BlogEngine.Core/Data/UsersRepository.cs b/BlogEngine/BlogEngine.Core/Data/UsersRepository.cs
@@ -98,6 +98,9 @@ public BlogUser Add(BlogUser user)
             if (!Security.IsAuthorizedTo(Rights.CreateNewUsers))
                 throw new UnauthorizedAccessException();
 
+            if (user.UserName.Contains("/") || user.UserName.Contains(@"\"))
+                throw new ApplicationException("Error adding new user; Invalid character detected in UserName");
+
             // create user
             var usr = Membership.CreateUser(user.UserName, user.Password, user.Email);
             if (usr == null)

diff --git a/BlogEngine/BlogEngine.Core/Providers/FileSystemProviders/XmlFileSystemProvider.cs b/BlogEngine/BlogEngine.Core/Providers/FileSystemProviders/XmlFileSystemProvider.cs
@@ -28,7 +28,7 @@ private static string BlogAbsolutePath(string VirtualPath)
         private static string RelativeFilePath(string VirtualPath)
         {
             VirtualPath = VirtualPath.Replace("//","/").Trim();
-            if (VirtualPath.ToLower().Contains(FileContainerRoot.ToLower()))
+            if (VirtualPath.ToLower().Contains(FileContainerRoot.ToLower()+"/") || VirtualPath.ToLower() == FileContainerRoot.ToLower())
                 return VirtualPath;
 
             // ex: Oct 18 2012, added this to handle the case on the File Manager where if

diff --git a/BlogEngine/BlogEngine.NET/AppCode/Api/UploadController.cs b/BlogEngine/BlogEngine.NET/AppCode/Api/UploadController.cs
@@ -64,6 +64,8 @@ public HttpResponseMessage Post(string action, string dirPath = "")
                     dir = BlogService.GetDirectory("/avatars");
                     var dot = fileName.LastIndexOf(".");
                     var ext = dot > 0 ? fileName.Substring(dot) : "";
+                    if (User.Identity.Name.Contains("/") || User.Identity.Name.Contains(@"\"))
+                        throw new ApplicationException("Invalid character detected in UserName");
                     var profileFileName = User.Identity.Name + ext;
 
                     var imgPath = HttpContext.Current.Server.MapPath(dir.FullPath + "/" + profileFileName);
@@ -157,4 +159,4 @@ private void UploadVideo(string virtualFolder, HttpPostedFile file, string fileN
     }
 
     #endregion
-}
+}