From b09bf518c67cb546e4da96ccf9776f9d854c7a0e Mon Sep 17 00:00:00 2001
From: Ben Palmer
Date: Sun, 26 Aug 2018 17:12:07 +0100
Subject: [PATCH] U4-9237 Validate application parameter when getting application trees (#2315)
---
 src/Umbraco.Web/Trees/ApplicationTreeController.cs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/Umbraco.Web/Trees/ApplicationTreeController.cs b/src/Umbraco.Web/Trees/ApplicationTreeController.cs
index 37d880f262..be77cc67f9 100644
--- a/src/Umbraco.Web/Trees/ApplicationTreeController.cs
+++ b/src/Umbraco.Web/Trees/ApplicationTreeController.cs
@@ -3,7 +3,9 @@ using System.Globalization;
 using System.Linq;
 using System.Net;
 using System.Net.Http.Formatting;
+using System.Text.RegularExpressions;
 using System.Threading.Tasks;
+using System.Web;
 using System.Web.Http;
 using Umbraco.Core;
 using Umbraco.Core.Models;
@@ -32,6 +34,8 @@ namespace Umbraco.Web.Trees
 [HttpQueryStringFilter("queryStrings")]
 public async Task GetApplicationTrees(string application, string tree, FormDataCollection queryStrings, bool onlyInitialized = true)
 {
+ application = application.CleanForXss();
+
 if (string.IsNullOrEmpty(application)) throw new HttpResponseException(HttpStatusCode.NotFound);
 
 var rootId = Constants.System.Root.ToString(CultureInfo.InvariantCulture);
@@ -39,7 +43,7 @@ namespace Umbraco.Web.Trees
 //find all tree definitions that have the current application alias
 var appTrees = Services.ApplicationTreeService.GetApplicationTrees(application, onlyInitialized).ToArray();
 
- if (string.IsNullOrEmpty(tree) == false || appTrees.Length == 1)
+ if (string.IsNullOrEmpty(tree) == false || appTrees.Length == 1 || appTrees.Any() == false)
 {
 var apptree = string.IsNullOrEmpty(tree) == false
 ? appTrees.SingleOrDefault(x => x.Alias == tree)
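Review bot: In GetApplicationTrees the new `application = application.CleanForXss();` runs before the existing `string.IsNullOrEmpty(application)` guard, so a request that omits the parameter reaches the extension method with null. Whether that throws depends on CleanForXss, which is not visible here, but it could turn the intended 404 into an unhandled error. Putting the guard first keeps the 404 path: `if (string.IsNullOrEmpty(application)) throw new HttpResponseException(HttpStatusCode.NotFound);` followed by `application = application.CleanForXss();`. The call also rewrites the alias silently rather than rejecting a bad one, and `tree` from the same request is left as received, so a short comment saying why only `application` needs cleaning would help the next reader. The method body continues outside the hunk.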
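Review bot: The added `|| appTrees.Any() == false` routes the no-trees case into the branch written for a single tree, so rejecting an unknown application alias depends on `apptree` coming back null from `SingleOrDefault` and on handling below the hunk, which is not visible here. If a 404 is the intended outcome, an explicit guard right after the lookup states that directly: `if (appTrees.Length == 0) throw new HttpResponseException(HttpStatusCode.NotFound);`. `appTrees` is already an array, so `Length == 0` also reads more consistently next to `appTrees.Length == 1` than `Any() == false`. The `if` block continues past the end of the hunk.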