BE 3.0 Security Issue Update

Topics: Business Logic Layer
Dec 16, 2014 at 5:44 PM
Reading this link - http://dotnetblogengine.net/post/Update-3110-With-Security-Patch.aspx

The instructions say to deposit the listed .cs file in the AppCode\Extensions folder (I can't auto update to 3.1 due to too many custom changes).

But, just to verify - there is no AppCode\Extensions folder, so I am assuming the post actually means to deposit the code in the Custom\Extensions folder, correct?

This alone should resolve this traversal vulnerability in 3.0?
Coordinator
Dec 16, 2014 at 6:51 PM
The post says "for older versions", where appcode/extensions exists.
If you use the new version with customizations, you probably need to make changes to the code in the image and file handlers and recompile. Or compile the extension into a DLL - it is no longer a website and any .cs files in custom/extensions will be ignored.
Dec 17, 2014 at 2:20 PM
Thanks.

I probably should have been more clear - I haven't deployed 3.0 yet, it's only on my dev box, so I wasn't planning on dropping the .cs file onto my file server. I was just asking if the build process will automatically pick up the BlogTraversal.cs file in the Custom\Extensions folder, and compile it into the DLL that I will eventually deploy. (I'm not familiar with extensions since I don't use them.)
Coordinator
Dec 18, 2014 at 4:58 AM
As long as you have a compiled application, this should work no matter where you put the extension file. It is just a class with an attribute to mark it as an "extension".