Merge pull request BlogEngine#207 from irbishop/syndication-xxe

rxtur · web-flow · commit 3a293d6bdae0 · 2019-04-22T23:08:44.000-05:00
Set XmlResolver syndication.axd
diff --git a/BlogEngine/BlogEngine.Core/Web/HttpHandlers/SyndicationHandler.cs b/BlogEngine/BlogEngine.Core/Web/HttpHandlers/SyndicationHandler.cs
@@ -185,7 +185,7 @@ private static List<IPublishable> GenerateItemList(HttpContext context)
                         client.Encoding = Encoding.Default;
                         using (var stream = client.OpenRead(context.Request.QueryString["apml"]))
                         {
-                            var doc = new XmlDocument();
+                            var doc = new XmlDocument() { XmlResolver = null };
                             if (stream != null)
                             {
                                 doc.Load(stream);
@@ -397,4 +397,4 @@ private static void StopServing(HttpContext context)
 
         #endregion
     }
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -185,7 +185,7 @@ private static List<IPublishable> GenerateItemList(HttpContext context)`
`185`	`185`	`client.Encoding = Encoding.Default;`
`186`	`186`	`using (var stream = client.OpenRead(context.Request.QueryString["apml"]))`
`187`	`187`	`{`
`188`		`- var doc = new XmlDocument();`
	`188`	`+ var doc = new XmlDocument() { XmlResolver = null };`
`189`	`189`	`if (stream != null)`
`190`	`190`	`{`
`191`	`191`	`doc.Load(stream);`
`@@ -397,4 +397,4 @@ private static void StopServing(HttpContext context)`
`397`	`397`
`398`	`398`	`#endregion`
`399`	`399`	`}`
`400`		`-}`
	`400`	`+}`