From df896af47672b37b70526492e197c98077ce7d1e Mon Sep 17 00:00:00 2001
From: Claus <claus@umbraco.com>
Date: Wed, 10 Jul 2019 12:58:15 +0200
Subject: [PATCH 1/3] adding build targets package.

---
 src/Umbraco.Web.UI/Umbraco.Web.UI.csproj | 2 ++
 src/Umbraco.Web.UI/packages.config       | 1 +
 2 files changed, 3 insertions(+)

diff --git a/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj b/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj
index a0624a2dd7..646b86f665 100644
--- a/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj
+++ b/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj
@@ -1,5 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" ToolsVersion="12.0">
+  <Import Project="..\packages\MSBuild.Microsoft.VisualStudio.Web.targets.14.0.0.3\build\MSBuild.Microsoft.VisualStudio.Web.targets.props" Condition="Exists('..\packages\MSBuild.Microsoft.VisualStudio.Web.targets.14.0.0.3\build\MSBuild.Microsoft.VisualStudio.Web.targets.props')" />
   <Import Project="..\packages\Microsoft.CodeDom.Providers.DotNetCompilerPlatform.2.0.1\build\net45\Microsoft.CodeDom.Providers.DotNetCompilerPlatform.props" Condition="Exists('..\packages\Microsoft.CodeDom.Providers.DotNetCompilerPlatform.2.0.1\build\net45\Microsoft.CodeDom.Providers.DotNetCompilerPlatform.props')" />
   <Import Project="..\packages\Microsoft.Net.Compilers.1.3.2\build\Microsoft.Net.Compilers.props" Condition="Exists('..\packages\Microsoft.Net.Compilers.1.3.2\build\Microsoft.Net.Compilers.props')" />
   <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
@@ -1088,5 +1089,6 @@ xcopy "$(ProjectDir)"..\packages\SqlServerCE.4.0.0.1\x86\*.* "$(TargetDir)x86\"
     </PropertyGroup>
     <Error Condition="!Exists('..\packages\Microsoft.Net.Compilers.1.3.2\build\Microsoft.Net.Compilers.props')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\Microsoft.Net.Compilers.1.3.2\build\Microsoft.Net.Compilers.props'))" />
     <Error Condition="!Exists('..\packages\Microsoft.CodeDom.Providers.DotNetCompilerPlatform.2.0.1\build\net45\Microsoft.CodeDom.Providers.DotNetCompilerPlatform.props')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\Microsoft.CodeDom.Providers.DotNetCompilerPlatform.2.0.1\build\net45\Microsoft.CodeDom.Providers.DotNetCompilerPlatform.props'))" />
+    <Error Condition="!Exists('..\packages\MSBuild.Microsoft.VisualStudio.Web.targets.14.0.0.3\build\MSBuild.Microsoft.VisualStudio.Web.targets.props')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\MSBuild.Microsoft.VisualStudio.Web.targets.14.0.0.3\build\MSBuild.Microsoft.VisualStudio.Web.targets.props'))" />
   </Target>
 </Project>
\ No newline at end of file
diff --git a/src/Umbraco.Web.UI/packages.config b/src/Umbraco.Web.UI/packages.config
index 18cbfdb042..a8271c1370 100644
--- a/src/Umbraco.Web.UI/packages.config
+++ b/src/Umbraco.Web.UI/packages.config
@@ -32,6 +32,7 @@
   <package id="Microsoft.Owin.Security.OAuth" version="4.0.1" targetFramework="net452" />
   <package id="Microsoft.Web.Infrastructure" version="1.0.0.0" targetFramework="net45" />
   <package id="MiniProfiler" version="2.1.0" targetFramework="net45" />
+  <package id="MSBuild.Microsoft.VisualStudio.Web.targets" version="14.0.0.3" targetFramework="net452" />
   <package id="MySql.Data" version="6.9.9" targetFramework="net45" />
   <package id="Newtonsoft.Json" version="12.0.2" targetFramework="net452" />
   <package id="Owin" version="1.0" targetFramework="net45" />

From 14c4c4815d20de5d2cc69868d303ce58309bd7ba Mon Sep 17 00:00:00 2001
From: Shannon <sdeminick@gmail.com>
Date: Wed, 17 Jul 2019 21:35:43 +1000
Subject: [PATCH 2/3] bumps version

---
 src/SolutionInfo.cs                              | 4 ++--
 src/Umbraco.Core/Configuration/UmbracoVersion.cs | 2 +-
 src/Umbraco.Web.UI/Umbraco.Web.UI.csproj         | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/SolutionInfo.cs b/src/SolutionInfo.cs
index 0d6b3bcc6b..3a85915cf5 100644
--- a/src/SolutionInfo.cs
+++ b/src/SolutionInfo.cs
@@ -11,5 +11,5 @@ using System.Resources;
 
 [assembly: AssemblyVersion("1.0.*")]
 
-[assembly: AssemblyFileVersion("7.15.0")]
-[assembly: AssemblyInformationalVersion("7.15.0")]
+[assembly: AssemblyFileVersion("7.15.1")]
+[assembly: AssemblyInformationalVersion("7.15.1")]
diff --git a/src/Umbraco.Core/Configuration/UmbracoVersion.cs b/src/Umbraco.Core/Configuration/UmbracoVersion.cs
index 6bb5dbf78e..f23078dbd0 100644
--- a/src/Umbraco.Core/Configuration/UmbracoVersion.cs
+++ b/src/Umbraco.Core/Configuration/UmbracoVersion.cs
@@ -6,7 +6,7 @@ namespace Umbraco.Core.Configuration
 {
     public class UmbracoVersion
     {
-        private static readonly Version Version = new Version("7.15.0");
+        private static readonly Version Version = new Version("7.15.1");
 
         /// <summary>
         /// Gets the current version of Umbraco.
diff --git a/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj b/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj
index a0624a2dd7..6884f21bcf 100644
--- a/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj
+++ b/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj
@@ -1027,9 +1027,9 @@ xcopy "$(ProjectDir)"..\packages\SqlServerCE.4.0.0.1\x86\*.* "$(TargetDir)x86\"
         <WebProjectProperties>
           <UseIIS>True</UseIIS>
           <AutoAssignPort>True</AutoAssignPort>
-          <DevelopmentServerPort>7150</DevelopmentServerPort>
+          <DevelopmentServerPort>7151</DevelopmentServerPort>
           <DevelopmentServerVPath>/</DevelopmentServerVPath>
-          <IISUrl>http://localhost:7150</IISUrl>
+          <IISUrl>http://localhost:7151</IISUrl>
           <NTLMAuthentication>False</NTLMAuthentication>
           <UseCustomServer>False</UseCustomServer>
           <CustomServerUrl>

From f3bfc1ffb27618f129d1fdb2e05872e14b3a9f15 Mon Sep 17 00:00:00 2001
From: Shannon <sdeminick@gmail.com>
Date: Thu, 18 Jul 2019 16:18:11 +1000
Subject: [PATCH 3/3] Puts back UmbracoAntiForgeryAdditionalDataProvider for
 backwards compat reasons but it is not used

---
 ...mbracoAntiForgeryAdditionalDataProvider.cs | 91 +++++++++++++++++++
 src/Umbraco.Web/Umbraco.Web.csproj            |  1 +
 2 files changed, 92 insertions(+)
 create mode 100644 src/Umbraco.Web/Security/UmbracoAntiForgeryAdditionalDataProvider.cs

diff --git a/src/Umbraco.Web/Security/UmbracoAntiForgeryAdditionalDataProvider.cs b/src/Umbraco.Web/Security/UmbracoAntiForgeryAdditionalDataProvider.cs
new file mode 100644
index 0000000000..12d7cce753
--- /dev/null
+++ b/src/Umbraco.Web/Security/UmbracoAntiForgeryAdditionalDataProvider.cs
@@ -0,0 +1,91 @@
+using System;
+using Umbraco.Web.Mvc;
+using Umbraco.Core;
+using System.Web.Helpers;
+using System.Web;
+using Newtonsoft.Json;
+using System.ComponentModel;
+
+namespace Umbraco.Web.Security
+{
+    [Obsolete("This is no longer used and will be removed from the codebase in future versions")]
+    [EditorBrowsable(EditorBrowsableState.Never)]
+    public class UmbracoAntiForgeryAdditionalDataProvider : IAntiForgeryAdditionalDataProvider
+    {
+        private readonly IAntiForgeryAdditionalDataProvider _defaultProvider;
+
+        /// <summary>
+        /// Constructor, allows wrapping a default provider
+        /// </summary>
+        /// <param name="defaultProvider"></param>
+        public UmbracoAntiForgeryAdditionalDataProvider(IAntiForgeryAdditionalDataProvider defaultProvider)
+        {
+            _defaultProvider = defaultProvider;
+        }
+
+        public string GetAdditionalData(HttpContextBase context)
+        {
+            return JsonConvert.SerializeObject(new AdditionalData
+            {
+                Stamp = DateTime.UtcNow.Ticks,
+                //this value will be here if this is a BeginUmbracoForms form
+                Ufprt = context.Items["ufprt"]?.ToString(),
+                //if there was a wrapped provider, add it's value to the json, else just a static value
+                WrappedValue = _defaultProvider?.GetAdditionalData(context) ?? "default"
+            });
+        }
+
+        public bool ValidateAdditionalData(HttpContextBase context, string additionalData)
+        {
+            if (!additionalData.DetectIsJson())
+                return false; //must be json
+
+            AdditionalData json;
+            try
+            {
+                json = JsonConvert.DeserializeObject<AdditionalData>(additionalData);
+            }
+            catch
+            {
+                return false; //couldn't parse
+            }
+
+            if (json.Stamp == default) return false;
+
+            //if there was a wrapped provider, validate it, else validate the static value
+            var validateWrapped = _defaultProvider?.ValidateAdditionalData(context, json.WrappedValue) ?? json.WrappedValue == "default";
+            if (!validateWrapped)
+                return false;
+
+            var ufprtRequest = context.Request["ufprt"]?.ToString();
+
+            //if the custom BeginUmbracoForms route value is not there, then it's nothing more to validate
+            if (ufprtRequest.IsNullOrWhiteSpace() && json.Ufprt.IsNullOrWhiteSpace())
+                return true;
+
+            //if one or the other is null then something is wrong
+            if (!ufprtRequest.IsNullOrWhiteSpace() && json.Ufprt.IsNullOrWhiteSpace()) return false;
+            if (ufprtRequest.IsNullOrWhiteSpace() && !json.Ufprt.IsNullOrWhiteSpace()) return false;
+
+            if (!UmbracoHelper.DecryptAndValidateEncryptedRouteString(json.Ufprt, out var additionalDataParts))
+                return false;
+
+            if (!UmbracoHelper.DecryptAndValidateEncryptedRouteString(ufprtRequest, out var requestParts))
+                return false;
+
+            //ensure they all match
+            return additionalDataParts.Count == requestParts.Count
+                && additionalDataParts[RenderRouteHandler.ReservedAdditionalKeys.Controller] == requestParts[RenderRouteHandler.ReservedAdditionalKeys.Controller]
+                && additionalDataParts[RenderRouteHandler.ReservedAdditionalKeys.Action] == requestParts[RenderRouteHandler.ReservedAdditionalKeys.Action]
+                && additionalDataParts[RenderRouteHandler.ReservedAdditionalKeys.Area] == requestParts[RenderRouteHandler.ReservedAdditionalKeys.Area];
+        }
+
+        internal class AdditionalData
+        {
+            public string Ufprt { get; set; }
+            public long Stamp { get; set; }
+            public string WrappedValue { get; set; }
+        }
+
+    }
+}
diff --git a/src/Umbraco.Web/Umbraco.Web.csproj b/src/Umbraco.Web/Umbraco.Web.csproj
index 2fb54a2c80..01524e5962 100644
--- a/src/Umbraco.Web/Umbraco.Web.csproj
+++ b/src/Umbraco.Web/Umbraco.Web.csproj
@@ -341,6 +341,7 @@
     <Compile Include="Models\Mapping\MemberTreeNodeUrlResolver.cs" />
     <Compile Include="Models\Trees\ExportMember.cs" />
     <Compile Include="PropertyEditors\DropdownFlexiblePropertyEditor.cs" />
+    <Compile Include="Security\UmbracoAntiForgeryAdditionalDataProvider.cs" />
     <Compile Include="TourFilterResolver.cs" />
     <Compile Include="Editors\UserEditorAuthorizationHelper.cs" />
     <Compile Include="Editors\UserGroupAuthorizationAttribute.cs" />