I was recently made aware of a peculiar bug in BlogEngine.NET that would delete all posts, comments and pages. Now, this specific issue is not new, but it was new to me so I thought I would share it with you. Maybe it’s new to you too.
The scenario is extremely rare and that’s why I’ve never come across it before. Here’s the step to reproduce this issue:
- Sign in to your BlogEngine.NET installation using Internet Explorer.
- Open Microsoft Visio and use it’s reverse engineering to generate a sitemap of the blog.
- All your posts, comments and pages are now deleted.
The reason you need to use Internet Explorer is that Visio and Internet Explorer share the same cookie container behind the scenes. The cookie you got when you signed in using Internet Explorer is still present when you open Visio and therefore you are still signed in when you use Visio.
Ok, so now you are signed in using Visio and you start Visio’s crawling feature and point it to your blog address. All the delete-links under each post, comment or page gets crawled and thereby you delete them all.
It’s very easy to protect against this kind of bug. Just change the delete-links. This is an example of an unprotected link:
<a href="?delete=1234" onclick="return confirm('Are you sure?')">Delete</a>
And this is the protected version
<a href="#" onclick="if (confirm('Are you sure?')) location.href='?delete=1234'">Delete</a>
The point is that if you expose delete-links on your page; make sure they are protected from Visio and other applications that share cookie container with Internet Explorer.
FYI, this has been corrected in the upcoming 1.2.5 release of BlogEngine.NET due in about a week.