Merge pull request #247 from 0xLanks/fix-security-issues

Fixed security issues

Author: rxtur

BlogEngine/BlogEngine.Core/Services/Syndication/BlogML/BlogReader.cs

@@ -53,13 +53,15 @@ public string XmlData
         /// <summary>
         ///     Gets an XmlReader that converts BlogML data saved as string into XML stream
         /// </summary>
-        private XmlTextReader XmlReader
+        private XmlReader XmlReader
         {
             get
             {
                 var byteArray = Encoding.UTF8.GetBytes(this.xmlData);
                 var stream = new MemoryStream(byteArray);
-                return new XmlTextReader(stream);
+                XmlReaderSettings settings = new XmlReaderSettings();
+                settings.XmlResolver = null;
+                return XmlReader.Create(stream, settings);
             }
         }
 

BlogEngine/BlogEngine.NET/AppCode/Api/FileManagerController.cs

@@ -1,4 +1,5 @@
-using BlogEngine.Core.Data.Contracts;
+using BlogEngine.Core;
+using BlogEngine.Core.Data.Contracts;
 using BlogEngine.Core.FileSystem;
 using BlogEngine.Core.Providers;
 using System;
@@ -24,6 +25,11 @@ public IEnumerable<FileInstance> Get(int take = 10, int skip = 0, string path =
     [HttpPut]
     public HttpResponseMessage ProcessChecked([FromBody]List<FileInstance> items)
     {
+        if (!Security.IsAdministrator)
+        {
+            throw new UnauthorizedAccessException();
+        }
+
         if (items == null || items.Count == 0)
             throw new HttpResponseException(HttpStatusCode.ExpectationFailed);
 
@@ -36,10 +42,10 @@ public HttpResponseMessage ProcessChecked([FromBody]List<FileInstance> items)
                 if (item.IsChecked)
                 {
                     if(item.FileType == FileType.File || item.FileType == FileType.Image)
-                        BlogService.DeleteFile(item.FullPath);
+                        BlogService.DeleteFile(Extensions.SanitizePath(item.FullPath));
 
                     if (item.FileType == FileType.Directory)
-                        BlogService.DeleteDirectory(item.FullPath);
+                        BlogService.DeleteDirectory(Extensions.SanitizePath(item.FullPath));
                 }
             }
         }
@@ -49,7 +55,11 @@ public HttpResponseMessage ProcessChecked([FromBody]List<FileInstance> items)
     [HttpPut]
     public HttpResponseMessage AddFolder(FileInstance folder)
     {
-        BlogService.CreateDirectory(folder.FullPath + "/" + folder.Name);
+        if (!Security.IsAdministrator)
+        {
+            throw new UnauthorizedAccessException();
+        }
+        BlogService.CreateDirectory(Extensions.SanitizePath(folder.FullPath) + "/" + Extensions.SanitizePath(folder.Name));
         return Request.CreateResponse(HttpStatusCode.OK);
     }
 

BlogEngine/BlogEngine.NET/Global.asax

@@ -12,4 +12,17 @@
     {
         BlogEngineConfig.SetCulture(sender, e);
     }
+
+    protected void Application_PreSendRequestHeaders ()
+    {
+        var httpContext = HttpContext.Current;
+        if (httpContext != null) {
+            var cookieValueSuffix = "; SameSite=Strict";
+            var cookies = httpContext.Response.Cookies;
+            for (var i = 0; i < cookies.Count; i++)
+            {
+                var cookie = cookies[i]; cookie.Value += cookieValueSuffix;
+            }
+        }
+    }
 </script>