From 1ccc8cc161e76ac68cfc4ca6711e6bcba13b805b Mon Sep 17 00:00:00 2001
From: Shannon
Date: Tue, 25 Jul 2017 19:40:30 +1000
Subject: [PATCH 1/2] U4-10123 Make sure the backoffice login is not susceptible to DOS attacks

---
 src/Umbraco.Web/Models/LoginModel.cs | 3 +-
 .../FormsAuthenticationSecureDataFormat.cs | 30 +++++++++++++------
 2 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/src/Umbraco.Web/Models/LoginModel.cs b/src/Umbraco.Web/Models/LoginModel.cs
index 650fa067a3..5e6b2e5c18 100644
--- a/src/Umbraco.Web/Models/LoginModel.cs
+++ b/src/Umbraco.Web/Models/LoginModel.cs
@@ -10,7 +10,8 @@ namespace Umbraco.Web.Models
 public string Username { get; set; }
 
 [Required]
- [DataMember(Name = "password", IsRequired = true)]
+ [DataMember(Name = "password", IsRequired = true)]
+ [StringLength(maximumLength:256)]
 public string Password { get; set; }
 }
 
diff --git a/src/Umbraco.Web/Security/Identity/FormsAuthenticationSecureDataFormat.cs b/src/Umbraco.Web/Security/Identity/FormsAuthenticationSecureDataFormat.cs
index 77e0fe9faf..457f9257b2 100644
--- a/src/Umbraco.Web/Security/Identity/FormsAuthenticationSecureDataFormat.cs
+++ b/src/Umbraco.Web/Security/Identity/FormsAuthenticationSecureDataFormat.cs
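Review bot: The `[StringLength(maximumLength:256)]` added on Password only takes effect where the receiving action checks ModelState before using the value, and that action is outside this hunk; confirm the back-office login endpoint rejects an invalid model before the password reaches hashing/verification, otherwise the cap does nothing for the request-cost problem named in the subject. The limit deserves a why-comment so a later edit does not raise it casually, e.g. `// Bounds the per-request password hashing/verification cost (U4-10123); not a policy on password strength.` Any other model that carries a password for the same user store (password change or reset) presumably needs the same bound, but none is visible here. The LoginModel class header lies outside the hunk.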
@@ -63,17 +63,29 @@ namespace Umbraco.Web.Security.Identity
 return null;
 }
 
- var identity = new UmbracoBackOfficeIdentity(decrypt);
-
- var ticket = new AuthenticationTicket(identity, new AuthenticationProperties
+ try
 {
- ExpiresUtc = decrypt.Expiration.ToUniversalTime(),
- IssuedUtc = decrypt.IssueDate.ToUniversalTime(),
- IsPersistent = decrypt.IsPersistent,
- AllowRefresh = true
- });
+ var identity = new UmbracoBackOfficeIdentity(decrypt);
 
- return ticket;
+ var ticket = new AuthenticationTicket(identity, new AuthenticationProperties
+ {
+ ExpiresUtc = decrypt.Expiration.ToUniversalTime(),
+ IssuedUtc = decrypt.IssueDate.ToUniversalTime(),
+ IsPersistent = decrypt.IsPersistent,
+ AllowRefresh = true
+ });
+
+ return ticket;
+ }
+ catch (JsonReaderException)
+ {
+ //catch this and return null if the json is invalid
+ //NOTE: This will happen when running on local host and developing on 7.6 and 7.7+ because 7.7 has a different
+ // auth ticket format.
+ return null;
+ }
+
+
 }
 }
 }
\ No newline at end of file

From 21f46d0a3c6c5affa60acbe792370dadd2199d9f Mon Sep 17 00:00:00 2001
From: Sebastiaan Janssen
Date: Tue, 1 Aug 2017 09:16:39 +0200
Subject: [PATCH 2/2] Adds debug level logging for failed attempts to get filestream

---
 src/Umbraco.Core/PluginManager.cs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/Umbraco.Core/PluginManager.cs b/src/Umbraco.Core/PluginManager.cs
index a15613b024..fe9236c58c 100644
--- a/src/Umbraco.Core/PluginManager.cs
+++ b/src/Umbraco.Core/PluginManager.cs
@@ -484,13 +484,15 @@ namespace Umbraco.Core
 while (true)
 {
 try
- {
+ {
 return new FileStream(path, fileMode, fileAccess, fileShare);
 }
 catch
 {
 if (--attempts == 0)
- throw;
+ throw;
+
+ LogHelper.Debug(string.Format("Attempted to get filestream for file {0} failed, {1} attempts left, pausing for {2} milliseconds", path, attempts, pauseMilliseconds));
 Thread.Sleep(pauseMilliseconds);
 }
 }
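Review bot: The new `catch (JsonReaderException)` only covers tokenizer-level failures; if `UmbracoBackOfficeIdentity(decrypt)` deserializes the ticket's user data into a typed object, a well-formed JSON payload of the wrong shape surfaces as `JsonSerializationException`, which this filter does not catch and which would still escape from `Unprotect`. Catching the shared base type, `catch (JsonException)`, covers both without widening to `Exception`. A ticket discarded this way is also worth a debug-level log line, since in production a stale-format cookie would otherwise be indistinguishable from an anonymous request. The two blank lines added before the method's closing brace look like leftover whitespace. `Unprotect` begins before this hunk.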
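Review bot: The added debug line records that an attempt failed but not why, because the enclosing bare `catch` discards the exception; `catch (Exception ex)` with `ex.Message` appended to the message (or `ex` passed to the logger) would leave a usable trail for a loop that eventually rethrows. The bare catch also retries non-transient failures such as a missing file or a permission denial for the full attempt budget, which the log now makes visible but does not avoid; an exception filter on `IOException` would restrict retries to the sharing-violation case if that is the intent (the method signature is outside the hunk). `string.Format` builds the message eagerly even when debug logging is disabled on this hot path; the generic `LogHelper.Debug<T>` overloads in Umbraco 7 take a format string with deferred arguments and would avoid that — confirm which overloads the version in this tree exposes, as a non-generic `Debug(string)` is not visible here. The `- {` / `+ {` pair is a whitespace-only change.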