Security related fixes to harder URL paths

rxtur · rxtur · commit 4be8bc4beadf · 2015-11-14T22:08:58.000-06:00
diff --git a/BlogEngine/BlogEngine.Core/Properties/AssemblyInfo.cs b/BlogEngine/BlogEngine.Core/Properties/AssemblyInfo.cs
@@ -19,5 +19,5 @@
 [assembly: CLSCompliant(false)]
 [assembly: ComVisible(false)]
 [assembly: AllowPartiallyTrustedCallers]
-[assembly: AssemblyVersion("3.1.3.8")]
+[assembly: AssemblyVersion("3.1.3.9")]
 [assembly: SecurityRules(SecurityRuleSet.Level1)]
diff --git a/BlogEngine/BlogEngine.Core/Web/HttpHandlers/Apml.cs b/BlogEngine/BlogEngine.Core/Web/HttpHandlers/Apml.cs
@@ -42,6 +42,9 @@ public bool IsReusable
         /// </param>
         public void ProcessRequest(HttpContext context)
         {
+            if (context.Request.FilePath.ToLower() != Utils.RelativeWebRoot + "apml.axd")
+                throw new HttpException(404, "File not found");
+
             context.Response.ContentType = "text/xml";
             WriteApmlDocument(context.Response.OutputStream);
         }
diff --git a/BlogEngine/BlogEngine.Core/Web/UrlRules.cs b/BlogEngine/BlogEngine.Core/Web/UrlRules.cs
@@ -195,6 +195,21 @@ public static void RewriteTag(HttpContext context, string url)
         /// <param name="url">The URL string.</param>
         public static void RewriteCalendar(HttpContext context, string url)
         {
+            // prevent fake URLs
+            // valid:   "/calendar/"
+            // valid:   "/calendar/default.aspx"
+            // invalid: "/fake-value/calendar/default.aspx"
+            // invalid: "/calendar/fake-value/default.aspx"
+
+            url = url.ToLower();
+            var validUrl = Utils.RelativeWebRoot.ToLower() + "calendar";
+            
+            if (!url.StartsWith(validUrl))
+                throw new HttpException(404, "File not found");
+            
+            if(url.Contains("default.aspx") && !url.Contains("calendar/default.aspx"))
+                throw new HttpException(404, "File not found");
+
             context.RewritePath(string.Format("{0}default.aspx?calendar=show", Utils.ApplicationRelativeWebRoot), false);
         }
 

Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,9 @@ public bool IsReusable`
`42`	`42`	`/// </param>`
`43`	`43`	`public void ProcessRequest(HttpContext context)`
`44`	`44`	`{`
	`45`	`+ if (context.Request.FilePath.ToLower() != Utils.RelativeWebRoot + "apml.axd")`
	`46`	`+ throw new HttpException(404, "File not found");`
	`47`	`+`
`45`	`48`	`context.Response.ContentType = "text/xml";`
`46`	`49`	`WriteApmlDocument(context.Response.OutputStream);`
`47`	`50`	`}`