/// <summary>
/// Decides whether <paramref name="path"/> points inside the application root.
/// Accepts either a virtual path (delegated straight to the runtime check) or an
/// absolute URL, which is only accepted when it points back at this server.
/// </summary>
/// <param name="context">The current request; its host name is compared with the host of an absolute URL.</param>
/// <param name="path">A virtual path or an absolute URL.</param>
/// <returns>
/// <c>true</c> when the path (or, for an absolute URL, its path component) lies within the
/// application root; <c>false</c> for an absolute URL whose host is neither loopback nor the
/// request's own host, or whose path falls outside the application root.
/// </returns>
private static bool IsPathWithinAppRoot(HttpContext context, string path)
{
    Uri absolute;
    bool isAbsoluteUrl = Uri.TryCreate(path, UriKind.Absolute, out absolute);

    // Not an absolute URL: treat the value as a virtual path and let the runtime decide.
    if (!isAbsoluteUrl)
    {
        return HttpRuntime.IsPathWithinAppRoot(path);
    }

    // NOTE: a loopback host is accepted without being compared against the request host;
    // only its path component is then validated. Any other host must match the request
    // host (case-insensitively) for the URL to be considered at all.
    bool pointsAtThisServer = absolute.IsLoopback
        || string.Equals(context.Request.Url.Host, absolute.Host, StringComparison.OrdinalIgnoreCase);

    // Even a same-server URL still has to resolve under the application root.
    return pointsAtThisServer && HttpRuntime.IsPathWithinAppRoot(absolute.AbsolutePath);
}
/// <summary>
/// Reads this provider's configuration: the mandatory <c>template</c> attribute (an
/// application-relative URL that is resolved against the application's virtual root and
/// must stay inside it) and the optional <c>detailedTemplateErrors</c> flag, then passes
/// the remaining attributes on to the base provider.
/// </summary>
/// <param name="name">The provider's configured name; used in error messages.</param>
/// <param name="config">Attributes of the provider element; consumed attributes are removed from it.</param>
/// <exception cref="ConfigurationErrorsException">
/// The <c>template</c> attribute is missing, blank, not a relative URL, or resolves to a
/// virtual path outside the application root.
/// </exception>
public override void Initialize(string name, NameValueCollection config)
{
    Debug.Trace("TemplatedMailWebEventProvider", "Initializing: name=" + name);

    const string templateAttribute = "template";

    ProviderUtil.GetAndRemoveStringAttribute(config, templateAttribute, name, ref _templateUrl);
    if (_templateUrl == null)
    {
        throw new ConfigurationErrorsException(
            SR.GetString(SR.Provider_missing_attribute, templateAttribute, name));
    }

    _templateUrl = _templateUrl.Trim();
    if (_templateUrl.Length == 0)
    {
        throw new ConfigurationErrorsException(
            SR.GetString(SR.Invalid_provider_attribute, templateAttribute, name, _templateUrl));
    }

    // Only application-relative templates are accepted; absolute URLs and rooted
    // paths are rejected before any resolution takes place.
    if (!UrlPath.IsRelativeUrl(_templateUrl))
    {
        throw new ConfigurationErrorsException(
            SR.GetString(SR.Invalid_mail_template_provider_attribute, templateAttribute, name, _templateUrl));
    }

    _templateUrl = UrlPath.Combine(HttpRuntime.AppDomainAppVirtualPathString, _templateUrl);

    // VSWhidbey 440081: Guard against templates outside the AppDomain path.
    // The resolved virtual path is checked again rather than relying on the
    // relative-URL test alone.
    if (!HttpRuntime.IsPathWithinAppRoot(_templateUrl))
    {
        throw new ConfigurationErrorsException(
            SR.GetString(SR.Invalid_mail_template_provider_attribute, templateAttribute, name, _templateUrl));
    }

    ProviderUtil.GetAndRemoveBooleanAttribute(config, "detailedTemplateErrors", name, ref _detailedTemplateErrors);

    base.Initialize(name, config);
}
/// <summary>
/// Reads this provider's configuration: the mandatory <c>template</c> attribute (an
/// application-relative URL that is resolved against the application's virtual root and
/// must stay inside it) and the optional <c>detailedTemplateErrors</c> flag, then passes
/// the remaining attributes on to the base provider.
/// </summary>
/// <param name="name">The provider's configured name; used in error messages.</param>
/// <param name="config">Attributes of the provider element; consumed attributes are removed from it.</param>
/// <exception cref="ConfigurationErrorsException">
/// The <c>template</c> attribute is missing, blank, not a relative URL, or resolves to a
/// virtual path outside the application root.
/// </exception>
public override void Initialize(string name, NameValueCollection config)
{
    ProviderUtil.GetAndRemoveStringAttribute(config, "template", name, ref _templateUrl);
    if (_templateUrl == null)
    {
        throw new ConfigurationErrorsException(
            System.Web.SR.GetString("Provider_missing_attribute", new object[] { "template", name }));
    }

    _templateUrl = _templateUrl.Trim();
    if (_templateUrl.Length == 0)
    {
        throw new ConfigurationErrorsException(
            System.Web.SR.GetString("Invalid_provider_attribute", new object[] { "template", name, _templateUrl }));
    }

    // Only application-relative templates are accepted; absolute URLs and rooted
    // paths are rejected before any resolution takes place.
    if (!System.Web.Util.UrlPath.IsRelativeUrl(_templateUrl))
    {
        throw InvalidTemplateError(name, _templateUrl);
    }

    _templateUrl = System.Web.Util.UrlPath.Combine(HttpRuntime.AppDomainAppVirtualPathString, _templateUrl);

    // Guard against templates outside the application root: the resolved virtual
    // path is checked again rather than relying on the relative-URL test alone.
    if (!HttpRuntime.IsPathWithinAppRoot(_templateUrl))
    {
        throw InvalidTemplateError(name, _templateUrl);
    }

    ProviderUtil.GetAndRemoveBooleanAttribute(config, "detailedTemplateErrors", name, ref _detailedTemplateErrors);

    base.Initialize(name, config);
}

/// <summary>
/// Builds the configuration error raised when the <c>template</c> attribute is not an
/// acceptable application-relative template location.
/// </summary>
/// <param name="name">The provider's configured name.</param>
/// <param name="templateUrl">The offending template value as it stood when the check failed.</param>
/// <returns>The exception for the caller to throw.</returns>
private static ConfigurationErrorsException InvalidTemplateError(string name, string templateUrl)
{
    return new ConfigurationErrorsException(
        System.Web.SR.GetString("Invalid_mail_template_provider_attribute", new object[] { "template", name, templateUrl }));
}