From 8d382fb9b72f705d2ebdcad02ec23742bfbac1ed Mon Sep 17 00:00:00 2001
From: Ondrej Pialek
Date: Tue, 23 Apr 2019 16:37:37 +0200
Subject: [PATCH 1/3] Backoffice session timeout on custom-URL backoffices leads to high browser CPU and self-inflicted backend DDoS (#5210)
---
 .../common/security/securityinterceptor.js | 33 +++++++++++--------
 1 file changed, 20 insertions(+), 13 deletions(-)
diff --git a/src/Umbraco.Web.UI.Client/src/common/security/securityinterceptor.js b/src/Umbraco.Web.UI.Client/src/common/security/securityinterceptor.js
index b283a1fec8..2f998e351e 100644
--- a/src/Umbraco.Web.UI.Client/src/common/security/securityinterceptor.js
+++ b/src/Umbraco.Web.UI.Client/src/common/security/securityinterceptor.js
@@ -44,21 +44,28 @@ angular.module('umbraco.security.interceptor')
 return promise;
 }
- //A 401 means that the user is not logged in
- if (originalResponse.status === 401 && !originalResponse.config.url.endsWith("umbraco/backoffice/UmbracoApi/Authentication/GetCurrentUser")) {
+ if (originalResponse.status === 401) {
- var userService = $injector.get('userService'); // see above
+ //A 401 means that the user is not logged in
- //Associate the user name with the retry to ensure we retry for the right user
- promise = userService.getCurrentUser()
- .then(function (user) {
- var userName = user ? user.name : null;
- //The request bounced because it was not authorized - add a new request to the retry queue
- return queue.pushRetryFn('unauthorized-server', userName, function retryRequest() {
- // We must use $injector to get the $http service to prevent circular dependency
- return $injector.get('$http')(originalResponse.config);
- });
- });
+ //avoid an infinite loop
+ var umbRequestHelper = $injector.get('umbRequestHelper');
+ var getCurrentUserPath = umbRequestHelper.getApiUrl("authenticationApiBaseUrl", "GetCurrentUser");
+ if (!originalResponse.config.url.endsWith(getCurrentUserPath)) {
+
+ var userService = $injector.get('userService'); // see above
+
+ //Associate the user name with the retry to ensure we retry for the right user
+ promise = userService.getCurrentUser()
+ .then(function (user) {
+ var userName = user ? user.name : null;
+ //The request bounced because it was not authorized - add a new request to the retry queue
+ return queue.pushRetryFn('unauthorized-server', userName, function retryRequest() {
+ // We must use $injector to get the $http service to prevent circular dependency
+ return $injector.get('$http')(originalResponse.config);
+ });
+ });
+ }
 } else if (originalResponse.status === 404) {
From 07684bb1d6591923adde064618f5ea132855c746 Mon Sep 17 00:00:00 2001
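Review bot: The loop guard on the new `if (!originalResponse.config.url.endsWith(getCurrentUserPath))` line is a plain suffix match, so a GetCurrentUser request whose URL ever carries a query string (a cache-buster, for instance) would no longer match and would be pushed back onto the retry queue, re-creating the retry storm this commit sets out to stop. Whether such a query string is ever appended is not visible here, so this is a hardening suggestion rather than a known failure: compare the path part only, `var requestPath = originalResponse.config.url.split('?')[0];` followed by `if (!requestPath.endsWith(getCurrentUserPath)) {`. The `umbRequestHelper` lookup and the path string are also recomputed on every 401 response; they could be resolved once if the helper is available at interceptor construction time. The enclosing interceptor function starts before this hunk and continues past it.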
From: Kenn Jacobsen
Date: Fri, 12 Apr 2019 14:52:38 +0200
Subject: [PATCH 2/3] Fix "sort by document type" in content listviews
---
 .../Persistence/Repositories/VersionableRepositoryBase.cs | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/Umbraco.Core/Persistence/Repositories/VersionableRepositoryBase.cs b/src/Umbraco.Core/Persistence/Repositories/VersionableRepositoryBase.cs
index 5cbe84f780..735b51829d 100644
--- a/src/Umbraco.Core/Persistence/Repositories/VersionableRepositoryBase.cs
+++ b/src/Umbraco.Core/Persistence/Repositories/VersionableRepositoryBase.cs
@@ -703,6 +703,8 @@ ORDER BY contentNodeId, versionId, propertytypeid
 // Members only
 case "USERNAME":
 return "cmsMember.LoginName";
+ case "CONTENTTYPEALIAS":
+ return "cmsContentType.alias";
 default:
 //ensure invalid SQL cannot be submitted
 return Regex.Replace(orderBy, @"[^\w\.,`\[\]@-]", "");
From b367ae6c80f04a023e09d44fa33001da0ae2a970 Mon Sep 17 00:00:00 2001
From: Kenn Jacobsen
Date: Fri, 12 Apr 2019 19:30:37 +0200
Subject: [PATCH 3/3] Fix "sort by document type" in media listviews
---
 src/Umbraco.Core/Persistence/Repositories/MediaRepository.cs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/Umbraco.Core/Persistence/Repositories/MediaRepository.cs b/src/Umbraco.Core/Persistence/Repositories/MediaRepository.cs
index 51d1cd2bd2..2d2fce2203 100644
--- a/src/Umbraco.Core/Persistence/Repositories/MediaRepository.cs
+++ b/src/Umbraco.Core/Persistence/Repositories/MediaRepository.cs
@@ -95,7 +95,9 @@ namespace Umbraco.Core.Persistence.Repositories
 .InnerJoin(SqlSyntax)
 .On(SqlSyntax, left => left.NodeId, right => right.NodeId)
 .InnerJoin(SqlSyntax)
- .On(SqlSyntax, left => left.NodeId, right => right.NodeId);
+ .On(SqlSyntax, left => left.NodeId, right => right.NodeId)
+ .InnerJoin(SqlSyntax)
+ .On(SqlSyntax, left => left.NodeId, right => right.ContentTypeId);
 if (includeFilePaths) {
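Review bot: The new `case "CONTENTTYPEALIAS": return "cmsContentType.alias";` maps a sort key to a column on a table that this switch cannot guarantee is joined, so any caller that passes the content-type-alias sort key without joining `cmsContentType` will fail when the SQL executes rather than falling into the sanitising default below. The third patch in this series adds that join for MediaRepository only; the content and member query paths presumably need the same join or should not expose this sort key, which cannot be confirmed from this hunk. A one-line comment above the case would make the coupling explicit: `// requires cmsContentType to be joined by the calling query (see MediaRepository)`. The enclosing method starts outside the hunk.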
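Review bot: The added `.InnerJoin(SqlSyntax).On(SqlSyntax, left => left.NodeId, right => right.ContentTypeId)` reads as joining a node id to a content-type id; the generic type arguments that fix which DTO is `left` and which is `right` appear to have been stripped from this rendering (the existing joins show the same), so the condition is only right if `left` is the content-type row and `right` the content row, which is worth confirming against the real source. Because this is an inner join in what looks like the shared base query, every media read now depends on a matching `cmsContentType` row, not only the sorted list views this series targets; that is harmless if the schema guarantees the row, but it is a wider change than the subject line suggests. A short comment at the join naming why it exists would help the next reader: `// joined so ORDER BY cmsContentType.alias (CONTENTTYPEALIAS) can be resolved`. The enclosing query-building method starts and ends outside the hunk.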