From 4033c72fef8b3d92e6329675ab40ce55beb32c9a Mon Sep 17 00:00:00 2001
From: 0xLanks
Date: Wed, 4 May 2022 21:41:03 -0700
Subject: [PATCH 1/3] Added 'SameSite=Strict' cookie attribute, reducing overall CSRF attack surface
---
 BlogEngine/BlogEngine.NET/Global.asax | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/BlogEngine/BlogEngine.NET/Global.asax b/BlogEngine/BlogEngine.NET/Global.asax
index 0056bc608..2fd043a71 100644
--- a/BlogEngine/BlogEngine.NET/Global.asax
+++ b/BlogEngine/BlogEngine.NET/Global.asax
@@ -12,4 +12,17 @@
 {
 BlogEngineConfig.SetCulture(sender, e);
 }
+
+ protected void Application_PreSendRequestHeaders ()
+ {
+ var httpContext = HttpContext.Current;
+ if (httpContext != null) {
+ var cookieValueSuffix = "; SameSite=Strict";
+ var cookies = httpContext.Response.Cookies;
+ for (var i = 0; i < cookies.Count; i++)
+ {
+ var cookie = cookies[i]; cookie.Value += cookieValueSuffix;
+ }
+ }
+ }
\ No newline at end of file
From 16343de33f2f064ff9b9a27fceb168871ec6a3fd Mon Sep 17 00:00:00 2001
From: 0xLanks
Date: Wed, 4 May 2022 21:44:22 -0700
Subject: [PATCH 2/3] Fixed XXE vulnerability when importing a new blog
---
 .../Services/Syndication/BlogML/BlogReader.cs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/BlogEngine/BlogEngine.Core/Services/Syndication/BlogML/BlogReader.cs b/BlogEngine/BlogEngine.Core/Services/Syndication/BlogML/BlogReader.cs
index 8d81ad0ce..0ed4b4b58 100644
--- a/BlogEngine/BlogEngine.Core/Services/Syndication/BlogML/BlogReader.cs
+++ b/BlogEngine/BlogEngine.Core/Services/Syndication/BlogML/BlogReader.cs
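Review bot: The suffix is appended unconditionally on the `cookie.Value += cookieValueSuffix;` line, so a cookie that already carries a SameSite attribute gets a second one, and any code that reads `cookie.Value` back before the headers are flushed sees the attribute as part of its value; a guard such as `if (cookie.Value == null || cookie.Value.IndexOf("SameSite=", StringComparison.OrdinalIgnoreCase) < 0) cookie.Value += cookieValueSuffix;` keeps it to one attribute per cookie. The trick also relies on HttpCookie writing Value verbatim into Set-Cookie, which I believe it does, but it deserves a comment such as `// HttpCookie exposes no SameSite property on this framework version; the attribute is carried in the raw value` so nobody later "fixes" the odd-looking value. Separately, `Strict` withholds the forms-auth cookie on every cross-site top-level navigation (an admin following a link from a notification e-mail lands logged out), whereas `Lax` still withholds it on cross-site POST/PUT and so covers the CSRF case this commit targets; consider Lax unless the stricter behaviour is intended. If the project targets .NET Framework 4.7.2 or later, `cookie.SameSite = SameSiteMode.Strict` (or `<httpCookies sameSite=...>` in web.config) is the supported mechanism; the target framework is not visible in this patch.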
@@ -53,13 +53,15 @@ public string XmlData
 ///
 /// Gets an XmlReader that converts BlogML data saved as string into XML stream
 ///
- private XmlTextReader XmlReader
+ private XmlReader XmlReader
 {
 get
 {
 var byteArray = Encoding.UTF8.GetBytes(this.xmlData);
 var stream = new MemoryStream(byteArray);
- return new XmlTextReader(stream);
+ XmlReaderSettings settings = new XmlReaderSettings();
+ settings.XmlResolver = null;
+ return XmlReader.Create(stream, settings);
 }
 }
From 035bc377694aeb95df010cd98538a7e7f8424498 Mon Sep 17 00:00:00 2001
From: 0xLanks
Date: Wed, 4 May 2022 21:49:36 -0700
Subject: [PATCH 3/3] Fixed authorization controls on controller actions and added path sanitization preventing path traversal
---
 .../AppCode/Api/FileManagerController.cs | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/BlogEngine/BlogEngine.NET/AppCode/Api/FileManagerController.cs b/BlogEngine/BlogEngine.NET/AppCode/Api/FileManagerController.cs
index cebca856a..e3fa41b96 100644
--- a/BlogEngine/BlogEngine.NET/AppCode/Api/FileManagerController.cs
+++ b/BlogEngine/BlogEngine.NET/AppCode/Api/FileManagerController.cs
@@ -1,4 +1,5 @@
-using BlogEngine.Core.Data.Contracts;
+using BlogEngine.Core;
+using BlogEngine.Core.Data.Contracts;
 using BlogEngine.Core.FileSystem;
 using BlogEngine.Core.Providers;
 using System;
@@ -24,6 +25,11 @@ public IEnumerable Get(int take = 10, int skip = 0, string path =
 [HttpPut]
 public HttpResponseMessage ProcessChecked([FromBody]List items)
 {
+ if (!Security.IsAdministrator)
+ {
+ throw new UnauthorizedAccessException();
+ }
+
 if (items == null || items.Count == 0)
 throw new HttpResponseException(HttpStatusCode.ExpectationFailed);
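Review bot: `settings.XmlResolver = null;` is the right fix for external entities, but the hunk leaves the DTD policy implicit: `XmlReaderSettings` defaults `DtdProcessing` to `Prohibit`, so a BlogML file carrying a DOCTYPE now fails with an XmlException where the old `XmlTextReader` accepted it by default, and a later maintainer who flips DtdProcessing to Parse to "fix" that silently reopens internal entity expansion (billion-laughs DoS) even with the resolver nulled. Spell the policy out next to the resolver line, e.g. `settings.DtdProcessing = DtdProcessing.Prohibit; // BlogML has no DOCTYPE; also blocks entity-expansion DoS, keep with XmlResolver = null`, so the intent survives. If the same imported data is loaded anywhere else through XmlDocument or XDocument, those paths need the same treatment; only this getter is visible here.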
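Review bot: The new `throw new UnauthorizedAccessException();` in ProcessChecked escapes the action with no catch in sight, and Web API turns an unhandled exception into a 500 rather than a 401/403 unless an exception filter maps it, so a non-admin caller gets a server error and the denial is logged as a fault. The guard two lines below already uses `throw new HttpResponseException(HttpStatusCode.ExpectationFailed);`; the admin check should follow the same pattern, `throw new HttpResponseException(HttpStatusCode.Unauthorized);` (or Forbidden for an authenticated non-admin). If a project-wide filter does translate UnauthorizedAccessException, a one-line comment on the throw saying so would save the next reader the same question; ProcessChecked's body continues past this hunk.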
@@ -36,10 +42,10 @@ public HttpResponseMessage ProcessChecked([FromBody]List items)
 if (item.IsChecked)
 {
 if(item.FileType == FileType.File || item.FileType == FileType.Image)
- BlogService.DeleteFile(item.FullPath);
+ BlogService.DeleteFile(Extensions.SanitizePath(item.FullPath));
 if (item.FileType == FileType.Directory)
- BlogService.DeleteDirectory(item.FullPath);
+ BlogService.DeleteDirectory(Extensions.SanitizePath(item.FullPath));
 }
 }
 }
@@ -49,7 +55,11 @@ public HttpResponseMessage ProcessChecked([FromBody]List items)
 [HttpPut]
 public HttpResponseMessage AddFolder(FileInstance folder)
 {
- BlogService.CreateDirectory(folder.FullPath + "/" + folder.Name);
+ if (!Security.IsAdministrator)
+ {
+ throw new UnauthorizedAccessException();
+ }
+ BlogService.CreateDirectory(Extensions.SanitizePath(folder.FullPath) + "/" + Extensions.SanitizePath(folder.Name));
 return Request.CreateResponse(HttpStatusCode.OK);
 }
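Review bot: In AddFolder, `folder` is the model-bound request body and can arrive null (empty or unparseable body), so right after the new admin check `folder.FullPath` throws a NullReferenceException and the client gets a 500; ProcessChecked in the same file guards `items == null`, and this action should do the same, `if (folder == null) throw new HttpResponseException(HttpStatusCode.BadRequest);`. What `Extensions.SanitizePath` actually strips is not visible in this patch; if it removes `..` segments but not separators, a Name containing `/` or `\` could still create a nested directory under the sanitized FullPath, so a short comment at the call site stating what the helper guarantees (and, if needed, a separate check that Name is a single path segment) would let a reviewer judge this line without opening Extensions. The hunk's function context names ProcessChecked, but every visible line belongs to AddFolder, which is complete within the hunk.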