Merge branch 'master' of github.com:BlogEngine/BlogEngine.NET

farzindev · farzindev · commit 15164eae6eac · 2023-01-12T22:40:55.000+03:30
diff --git a/BlogEngine/BlogEngine.Core/Data/UsersRepository.cs b/BlogEngine/BlogEngine.Core/Data/UsersRepository.cs
@@ -98,6 +98,9 @@ public BlogUser Add(BlogUser user)
             if (!Security.IsAuthorizedTo(Rights.CreateNewUsers))
                 throw new UnauthorizedAccessException();
 
+            if (user.UserName.Contains("/") || user.UserName.Contains(@"\"))
+                throw new ApplicationException("Error adding new user; Invalid character detected in UserName");
+
             // create user
             var usr = Membership.CreateUser(user.UserName, user.Password, user.Email);
             if (usr == null)
diff --git a/BlogEngine/BlogEngine.Core/Providers/FileSystemProviders/XmlFileSystemProvider.cs b/BlogEngine/BlogEngine.Core/Providers/FileSystemProviders/XmlFileSystemProvider.cs
@@ -28,7 +28,7 @@ private static string BlogAbsolutePath(string VirtualPath)
         private static string RelativeFilePath(string VirtualPath)
         {
             VirtualPath = VirtualPath.Replace("//","/").Trim();
-            if (VirtualPath.ToLower().Contains(FileContainerRoot.ToLower()))
+            if (VirtualPath.ToLower().Contains(FileContainerRoot.ToLower()+"/") || VirtualPath.ToLower() == FileContainerRoot.ToLower())
                 return VirtualPath;
 
             // ex: Oct 18 2012, added this to handle the case on the File Manager where if
diff --git a/BlogEngine/BlogEngine.NET/AppCode/Api/UploadController.cs b/BlogEngine/BlogEngine.NET/AppCode/Api/UploadController.cs
@@ -64,6 +64,8 @@ public HttpResponseMessage Post(string action, string dirPath = "")
                     dir = BlogService.GetDirectory("/avatars");
                     var dot = fileName.LastIndexOf(".");
                     var ext = dot > 0 ? fileName.Substring(dot) : "";
+                    if (User.Identity.Name.Contains("/") || User.Identity.Name.Contains(@"\"))
+                        throw new ApplicationException("Invalid character detected in UserName");
                     var profileFileName = User.Identity.Name + ext;
 
                     var imgPath = HttpContext.Current.Server.MapPath(dir.FullPath + "/" + profileFileName);
@@ -157,4 +159,4 @@ private void UploadVideo(string virtualFolder, HttpPostedFile file, string fileN
     }
 
     #endregion
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ private static string BlogAbsolutePath(string VirtualPath)`
`28`	`28`	`private static string RelativeFilePath(string VirtualPath)`
`29`	`29`	`{`
`30`	`30`	`VirtualPath = VirtualPath.Replace("//","/").Trim();`
`31`		`- if (VirtualPath.ToLower().Contains(FileContainerRoot.ToLower()))`
	`31`	`+ if (VirtualPath.ToLower().Contains(FileContainerRoot.ToLower()+"/") \|\| VirtualPath.ToLower() == FileContainerRoot.ToLower())`
`32`	`32`	`return VirtualPath;`
`33`	`33`
`34`	`34`	`// ex: Oct 18 2012, added this to handle the case on the File Manager where if`