fix CVE-2022-41418

Author: tree-chtsec

BlogEngine/BlogEngine.Core/Data/UsersRepository.cs

@@ -98,6 +98,9 @@ public BlogUser Add(BlogUser user)
             if (!Security.IsAuthorizedTo(Rights.CreateNewUsers))
                 throw new UnauthorizedAccessException();
 
+            if (user.UserName.Contains("/") || user.UserName.Contains(@"\"))
+                throw new ApplicationException("Error adding new user; Invalid character detected in UserName");
+
             // create user
             var usr = Membership.CreateUser(user.UserName, user.Password, user.Email);
             if (usr == null)

BlogEngine/BlogEngine.NET/AppCode/Api/UploadController.cs

@@ -64,6 +64,8 @@ public HttpResponseMessage Post(string action, string dirPath = "")
                     dir = BlogService.GetDirectory("/avatars");
                     var dot = fileName.LastIndexOf(".");
                     var ext = dot > 0 ? fileName.Substring(dot) : "";
+                    if (User.Identity.Name.Contains("/") || User.Identity.Name.Contains(@"\"))
+                        throw new ApplicationException("Invalid character detected in UserName");
                     var profileFileName = User.Identity.Name + ext;
 
                     var imgPath = HttpContext.Current.Server.MapPath(dir.FullPath + "/" + profileFileName);
@@ -157,4 +159,4 @@ private void UploadVideo(string virtualFolder, HttpPostedFile file, string fileN
     }
 
     #endregion
-}
+}