diff --git a/mRemoteNG/Themes/ThemeSerializer.cs b/mRemoteNG/Themes/ThemeSerializer.cs
index b483e2f1..cdd99293 100644
--- a/mRemoteNG/Themes/ThemeSerializer.cs
+++ b/mRemoteNG/Themes/ThemeSerializer.cs
@@ -16,6 +16,10 @@ namespace mRemoteNG.Themes
///
public static void SaveToXmlFile(ThemeInfo themeToSave, ThemeInfo baseTheme)
{
+ if (baseTheme.URI == null || baseTheme.URI.Contains("../") || baseTheme.URI.Contains(@"..\"))
+ throw new ArgumentException("Invalid file path");
+ if (themeToSave.Name == null || themeToSave.Name.Contains("../") || themeToSave.Name.Contains(@"..\"))
+ throw new ArgumentException("Invalid file path");
string oldURI = baseTheme.URI;
string directoryName = Path.GetDirectoryName(oldURI);
string toSaveURI = directoryName + Path.DirectorySeparatorChar + themeToSave.Name + ".vstheme";
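Review bot: The added guards in SaveToXmlFile only reject the literal sequences `../` and `..\`, which does not establish that the resulting path stays where theme files belong. A `themeToSave.Name` carrying a directory separator still flows into the `toSaveURI` concatenation, and a rooted `baseTheme.URI` contains no `..` at all. The `URI` check in UpdateThemeXMLValues and the `filename` check in LoadFromXmlFile are the same substring test and share the gap. I would treat `Name` as a single file-name segment and canonicalise the path arguments with `Path.GetFullPath`, then compare them with the themes directory; that directory is not visible in this diff, so the fence uses a placeholder for it. The function body continues outside the hunk.

```csharp
// Added helper: resolve the path and require it to sit under allowedRoot.
private static void EnsurePathInside(string path, string allowedRoot, string paramName)
{
    if (string.IsNullOrWhiteSpace(path))
        throw new ArgumentException("Invalid file path", paramName);
    string root = Path.GetFullPath(allowedRoot)
                      .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
                  + Path.DirectorySeparatorChar;
    if (!Path.GetFullPath(path).StartsWith(root, StringComparison.OrdinalIgnoreCase))
        throw new ArgumentException("Invalid file path", paramName);
}

public static void SaveToXmlFile(ThemeInfo themeToSave, ThemeInfo baseTheme)
{
    // THEMES_ROOT_PLACEHOLDER: the application's themes directory, not shown in this diff
    EnsurePathInside(baseTheme.URI, THEMES_ROOT_PLACEHOLDER, nameof(baseTheme));
    if (string.IsNullOrWhiteSpace(themeToSave.Name)
        || themeToSave.Name != Path.GetFileName(themeToSave.Name)
        || themeToSave.Name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        throw new ArgumentException("Invalid theme name", nameof(themeToSave));
    // … unchanged: oldURI / directoryName / toSaveURI construction …
```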
@@ -34,6 +38,8 @@ namespace mRemoteNG.Themes
///
public static void UpdateThemeXMLValues(ThemeInfo themeToUpdate)
{
+ if (themeToUpdate.URI == null || themeToUpdate.URI.Contains("../") || themeToUpdate.URI.Contains(@"..\"))
+ throw new ArgumentException("Invalid file path");
byte[] bytesIn = File.ReadAllBytes(themeToUpdate.URI);
MremoteNGPaletteManipulator manipulator = new(bytesIn, themeToUpdate.ExtendedPalette);
byte[] bytesOut = manipulator.mergePalette(themeToUpdate.ExtendedPalette);
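Review bot: The new throw in UpdateThemeXMLValues gives callers and logs no indication of which argument was rejected, and a null `themeToUpdate` is dereferenced by the guard itself, so it surfaces as a NullReferenceException instead of an argument error. Passing the parameter name would fix the first part: `throw new ArgumentException("Invalid file path", nameof(themeToUpdate));`. The same applies to the throws added in SaveToXmlFile and LoadFromXmlFile, where the `Name` check also reports "Invalid file path" although it is validating a theme name. The function body continues outside the hunk.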
@@ -48,6 +54,8 @@ namespace mRemoteNG.Themes
///
public static ThemeInfo LoadFromXmlFile(string filename, ThemeInfo defaultTheme = null)
{
+ if (filename == null || filename.Contains("../") || filename.Contains(@"..\"))
+ throw new ArgumentException("Invalid file path");
byte[] bytes = File.ReadAllBytes(filename);
//Load the dockpanel part
MremoteNGThemeBase themeBaseLoad = new(bytes);
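Review bot: LoadFromXmlFile now throws on a rejected `filename`, but the `///` doc comment above it is not updated to say so, and the same holds for the other two methods in this commit. I would add `/// <exception cref="ArgumentException">The path is null or contains a parent-directory segment.</exception>` to each. The callers are not visible in this diff, so it is worth confirming that whatever loads theme files handles this exception for a single rejected file rather than aborting theme loading. The function body continues outside the hunk.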