Prevent use of .. or : in file path

[rockfordlhotka]

Closes #3551

[rockfordlhotka]

@BaHXeLiSiHg fyi, I'm requesting your review here because the code being affected exists due to a PR we worked on quite some time ago, to enable loading/unloading assemblies in memory. The result is a potential security issue that's been uncovered, and this is an attempt to resolve that by preventing loading assemblies from outside the app's bin directory tree.

[BaHXeLiSiHg]

Yep, I'm okay with that.

[SamIntruder]

Hi folks,
Do you know if this issue was ever assigned a CVE identifier, and if not, could one be assigned (probably most easily using Githubs system for it, as the project has the module enabled already?)

[rockfordlhotka]

I've never explored that concept @sampizzey, would this be in GH or NuGet?

[ajohnstone-ks]

@rockfordlhotka I just got an email b/c one of my repo's is apparently using a version of Csla which is vunerable.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-28698

Was this fix ever backported? It seems like it should be given the effort required to move to Csla 6+.

[rockfordlhotka]

@rockfordlhotka I just got an email b/c one of my repo's is apparently using a version of Csla which is vunerable.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-28698

Was this fix ever backported? It seems like it should be given the effort required to move to Csla 6+.

#4133

[github-actions]

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.