From 3f4fa8b8ed9dad0a105a0fe3d051a45d3cfa83b8 Mon Sep 17 00:00:00 2001 From: Shannon Date: Thu, 21 Aug 2014 14:39:06 -0600 Subject: [PATCH 1/8] Fixes: U4-5380 Booting.aspx security issue --- src/umbraco.cms/helpers/url.cs | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/src/umbraco.cms/helpers/url.cs b/src/umbraco.cms/helpers/url.cs index 0e344412f7..6518715be3 100644 --- a/src/umbraco.cms/helpers/url.cs +++ b/src/umbraco.cms/helpers/url.cs @@ -50,7 +50,13 @@ namespace umbraco.cms.helpers if (Uri.TryCreate(callerUrl, UriKind.RelativeOrAbsolute, out localUri)) { // check for local urls - if (!requestUri.IsAbsoluteUri || requestUri.Host == localUri.Host) + + //Cannot start with // since that is not a local url + if (!requestUri.OriginalString.StartsWith("//") + //cannot be non-absolute and also contain the char : since that will indicate a protocol + && (!requestUri.IsAbsoluteUri && !requestUri.OriginalString.Contains(":")) + //needs to be non-absolute or the hosts must match the current request + && (!requestUri.IsAbsoluteUri || requestUri.Host == localUri.Host)) { return true; } @@ -61,6 +67,13 @@ namespace umbraco.cms.helpers throw new ArgumentException("CallerUrl is in a wrong format that couldn't be parsed as a valid URI. If you don't want to evaluate for local urls, but just proxy urls then leave callerUrl empty", "callerUrl"); } } + + //we cannot continue if the url is not absolute + if (!requestUri.IsAbsoluteUri) + { + return false; + } + // check for valid proxy urls var feedProxyXml = XmlHelper.OpenAsXmlDocument(IOHelper.MapPath(SystemFiles.FeedProxyConfig)); if (feedProxyXml != null && From 2daacd8d57e0d90172d95697f028d95691d16d9c Mon Sep 17 00:00:00 2001 
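Review bot: In the rewritten `if` under `// check for local urls`, the third clause `(!requestUri.IsAbsoluteUri || requestUri.Host == localUri.Host)` is unreachable as written: the clause before it already demands `!requestUri.IsAbsoluteUri`, so the host comparison never runs, and an absolute URL pointing at the current host now falls through to the feed-proxy whitelist, contradicting the comment "or the hosts must match the current request". If that tightening is intended, delete the clause and fix the comment; if same-host absolute URLs are still meant to pass, the condition has to become `(!requestUri.IsAbsoluteUri && !requestUri.OriginalString.Contains(":")) || (requestUri.IsAbsoluteUri && requestUri.Host == localUri.Host)`. Separately, `StartsWith("//")` covers one spelling of a scheme-relative URL only; if this result ever gates a redirect, browsers also treat `/\host` and `\/host` as scheme-relative, and those appear to parse as relative, contain no `:`, and so pass the new check — test the first two characters for either slash and pass `StringComparison.Ordinal` so no culture rules apply. The rewrite below keeps the effective behaviour (same-host absolute URLs are not treated as local) and closes the backslash spellings; the enclosing method starts before this hunk and its return type is not visible here.
```csharp
var raw = requestUri.OriginalString;
// scheme-relative in any spelling a browser accepts: "//", "\\", "/\", "\/"
var schemeRelative = raw.Length >= 2
    && (raw[0] == '/' || raw[0] == '\\')
    && (raw[1] == '/' || raw[1] == '\\');
// must be relative, and carry no ':' anywhere (a ':' would smuggle a scheme past the parser)
if (!schemeRelative && !requestUri.IsAbsoluteUri && raw.IndexOf(':') < 0)
{
    return true;
}
```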
From: Sebastiaan Janssen Date: Fri, 22 Aug 2014 11:15:46 +0200 Subject: [PATCH 2/8] #U4-5379 Fixed Due in version: 7.1.6 Some users have not set an email, don't strip out empty entries --- src/Umbraco.Web/Mvc/AdminTokenAuthorizeAttribute.cs | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/src/Umbraco.Web/Mvc/AdminTokenAuthorizeAttribute.cs b/src/Umbraco.Web/Mvc/AdminTokenAuthorizeAttribute.cs index 5f79d5ccd7..cbd2e0e519 100644 --- a/src/Umbraco.Web/Mvc/AdminTokenAuthorizeAttribute.cs +++ b/src/Umbraco.Web/Mvc/AdminTokenAuthorizeAttribute.cs @@ -43,12 +43,8 @@ namespace Umbraco.Web.Mvc /// public static string GetAuthHeaderTokenVal(ApplicationContext appContext) { - int numberOfUsers; - var users = appContext.Services.UserService.GetAll(0, 25, out numberOfUsers); - var admin = users.FirstOrDefault(u => u.UserType.Alias == "admin" && u.RawPasswordValue != string.Empty && u.RawPasswordValue.InvariantEquals("default") == false); + var admin = appContext.Services.UserService.GetUserById(0); - if (admin == null) - return string.Empty; var token = string.Format("{0}u____u{1}u____u{2}", admin.Email, admin.Username, admin.RawPasswordValue); @@ -95,8 +91,8 @@ namespace Umbraco.Web.Mvc //decrypt the string var text = encrypted.DecryptWithMachineKey(); - //split - var split = text.Split(new[] { "u____u" }, StringSplitOptions.RemoveEmptyEntries); + //split - some users have not set an email, don't strip out empty entries + var split = text.Split(new[] {"u____u"}, StringSplitOptions.None); if (split.Length != 3) return false; //compare From 1ded2c9baffb30996d35a2486321735b661cab9a Mon Sep 17 00:00:00 2001 From: Sebastiaan Janssen Date: Mon, 25 Aug 2014 14:32:14 +0200 Subject: [PATCH 3/8] #U4-5385 fixed Due in version: 7.1.6 --- src/Umbraco.Core/Media/ImageHelper.cs | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/Umbraco.Core/Media/ImageHelper.cs b/src/Umbraco.Core/Media/ImageHelper.cs index 9cb44afb18..f2b848be57 100644 
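Review bot: Removing `if (admin == null) return string.Empty;` from `GetAuthHeaderTokenVal` means a missing user 0 now throws a NullReferenceException at `admin.Email` instead of yielding an empty token; keep the guard directly after the `GetUserById(0)` call. The old lookup also refused to mint a token for an account whose `RawPasswordValue` was empty or `"default"`, and the new code will build one from user 0 in exactly that state — if that exclusion was deliberate (it reads like an install/bootstrap safeguard) carry it over: `if (admin == null || string.IsNullOrEmpty(admin.RawPasswordValue) || admin.RawPasswordValue.InvariantEquals("default")) return string.Empty;`. Note the token embeds the stored password value in the header, so the encryption step that follows `string.Format` is the only thing protecting it; that step and the `//compare` after the split are outside these hunks, and the compare is worth checking for a constant-time equality. The method body continues past the end of the first hunk.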
--- a/src/Umbraco.Core/Media/ImageHelper.cs +++ b/src/Umbraco.Core/Media/ImageHelper.cs @@ -165,6 +165,16 @@ namespace Umbraco.Core.Media ep.Param[0] = new EncoderParameter(Encoder.Quality, 90L); // Save the new image using the dimensions of the image + var predictableThumbnailName = thumbnailFileName.Replace("UMBRACOSYSTHUMBNAIL", maxWidthHeight.ToString(CultureInfo.InvariantCulture)); + using (var ms = new MemoryStream()) + { + bp.Save(ms, codec, ep); + ms.Seek(0, 0); + + fs.AddFile(predictableThumbnailName, ms); + } + + // TODO: Remove this, this is ONLY here for backwards compatibility but it is essentially completely unusable see U4-5385 var newFileName = thumbnailFileName.Replace("UMBRACOSYSTHUMBNAIL", string.Format("{0}x{1}", widthTh, heightTh)); using (var ms = new MemoryStream()) { From 5d37eaf993394cb0d2124594655752c3c6eb5197 Mon Sep 17 00:00:00 2001 From: Sebastiaan Janssen Date: Mon, 25 Aug 2014 14:32:35 +0200 Subject: [PATCH 4/8] #U4-4673 Fixed Due in version: 7.1.6 --- .../PropertyEditors/FileUploadPropertyEditor.cs | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/src/Umbraco.Web/PropertyEditors/FileUploadPropertyEditor.cs b/src/Umbraco.Web/PropertyEditors/FileUploadPropertyEditor.cs index 28da565b9e..2c67920d58 100644 --- a/src/Umbraco.Web/PropertyEditors/FileUploadPropertyEditor.cs +++ b/src/Umbraco.Web/PropertyEditors/FileUploadPropertyEditor.cs @@ -2,6 +2,7 @@ using System; using System.Collections.Generic; using System.ComponentModel.DataAnnotations; using System.Drawing; +using System.Globalization; using System.Linq; using System.Text.RegularExpressions; using System.Xml; 
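Review bot: The new block runs `bp.Save(ms, codec, ep)` into its own `MemoryStream` for `predictableThumbnailName`, and the legacy `{w}x{h}` block kept below encodes the same bitmap again, so every thumbnail size is now encoded twice per upload; encode once and hand the same buffer to both `fs.AddFile` calls, assuming `AddFile` does not take ownership of the stream (not visible here). `ms.Seek(0, 0)` relies on the literal `0` silently converting to `SeekOrigin.Begin`; `ms.Position = 0;` says what is meant. If `thumbnailFileName` does not contain the `UMBRACOSYSTHUMBNAIL` token, both computed names are identical and the second `AddFile` hits the same path — whether that overwrites or throws depends on `fs`. The enclosing method starts before this hunk and the legacy block's `AddFile` line is past its end.
```csharp
var predictableThumbnailName = thumbnailFileName.Replace("UMBRACOSYSTHUMBNAIL", maxWidthHeight.ToString(CultureInfo.InvariantCulture));
// TODO: the {w}x{h} name is kept only for backwards compatibility, see U4-5385
var newFileName = thumbnailFileName.Replace("UMBRACOSYSTHUMBNAIL", string.Format("{0}x{1}", widthTh, heightTh));
using (var ms = new MemoryStream())
{
    bp.Save(ms, codec, ep); // encode once, store under both names
    ms.Position = 0;
    fs.AddFile(predictableThumbnailName, ms);
    ms.Position = 0;
    fs.AddFile(newFileName, ms);
}
```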
@@ -149,24 +150,28 @@ namespace Umbraco.Web.PropertyEditors /// public override IDictionary ConvertDbToEditor(IDictionary defaultPreVals, PreValueCollection persistedPreVals) { - var result = new Dictionary(); + var result = new List(); //the pre-values just take up one field with a semi-colon delimiter so we'll just parse var dictionary = persistedPreVals.FormatAsDictionary(); if (dictionary.Any()) { //there should only be one val - var delimited = dictionary.First().Value.Value.Split(new[] {';'}, StringSplitOptions.RemoveEmptyEntries); + var delimited = dictionary.First().Value.Value.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries); for (var index = 0; index < delimited.Length; index++) { - result.Add(index.ToInvariantString(), delimited[index]); + result.Add(new PreValue(index, delimited[index])); } } //the items list will be a dictionary of it's id -> value we need to use the id for persistence for backwards compatibility - return new Dictionary { { "items", result } }; + return new Dictionary { { "items", result.ToDictionary(x => x.Id, x => PreValueAsDictionary(x)) } }; } + private IDictionary PreValueAsDictionary(PreValue preValue) + { + return new Dictionary { { "value", preValue.Value }, { "sortOrder", preValue.SortOrder } }; + } /// /// Take the posted values and convert them to a semi-colon separated list so that its backwards compatible /// From c94662e49cc75daac8479d0099223e5f3563801f Mon Sep 17 00:00:00 2001 From: Shannon Date: Mon, 25 Aug 2014 16:13:21 +1000 Subject: [PATCH 5/8] Fixes: U4-5388 YSOD after doctype rename & U4-5387 Deleting Properties in document types causes "Object reference not set to an instance of an object" --- .../umbraco.presentation/content.cs | 38 ++++++++++--------- 1 file changed, 21 insertions(+), 17 deletions(-) diff --git a/src/Umbraco.Web/umbraco.presentation/content.cs b/src/Umbraco.Web/umbraco.presentation/content.cs index 29adcc4936..b99ebf4384 100644 --- a/src/Umbraco.Web/umbraco.presentation/content.cs 
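Review bot: `ConvertDbToEditor` now emits a `sortOrder` for every item through `PreValueAsDictionary`, but the objects are built with `new PreValue(index, delimited[index])` and `SortOrder` is never assigned, so each item carries whatever default the two-argument constructor leaves (the constructor is not visible here) — if the editor orders by it, all items tie and the original `;`-delimited order is lost; pass `index` as the sort order if a constructor accepts one, e.g. `result.Add(new PreValue(index, delimited[index], index));`, or set the property after construction. The dictionary key also changed from `index.ToInvariantString()` (a string) to `x.Id`; the generic arguments are lost in this rendering, so confirm the consumer of `"items"` accepts the new key type. `PreValueAsDictionary` touches no instance state and can be `private static`.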
+++ b/src/Umbraco.Web/umbraco.presentation/content.cs @@ -21,6 +21,7 @@ using umbraco.cms.businesslogic.cache; using umbraco.cms.businesslogic.web; using umbraco.DataLayer; using umbraco.presentation.nodeFactory; +using Umbraco.Web; using Action = umbraco.BusinessLogic.Actions.Action; using Node = umbraco.NodeFactory.Node; using Umbraco.Core; @@ -97,13 +98,13 @@ namespace umbraco { get { - if (HttpContext.Current == null) + if (UmbracoContext.Current == null || UmbracoContext.Current.HttpContext == null) return XmlContentInternal; - var content = HttpContext.Current.Items[XmlContextContentItemKey] as XmlDocument; + var content = UmbracoContext.Current.HttpContext.Items[XmlContextContentItemKey] as XmlDocument; if (content == null) { content = XmlContentInternal; - HttpContext.Current.Items[XmlContextContentItemKey] = content; + UmbracoContext.Current.HttpContext.Items[XmlContextContentItemKey] = content; } return content; } 
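Review bot: The `XmlContent` getter now evaluates the static `UmbracoContext.Current` four times per call; an accessor that is null-checked at the top and can legitimately change underneath should be read once into a local: `var ctx = UmbracoContext.Current; if (ctx == null || ctx.HttpContext == null) return XmlContentInternal;` and `ctx.HttpContext.Items[...]` below. This also changes behaviour: a request that has an `HttpContext.Current` but no `UmbracoContext.Current` yet (whatever assigns it is not visible here) used to get the per-request cached document from `Items` and now reads `XmlContentInternal` on every access, which is presumably what fixes the YSOD in the subject but deserves a one-line comment on the null check, such as `// no UmbracoContext (e.g. background or pre-module request): skip the per-request cache`. The property declaration starts before this hunk.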
@@ -828,24 +829,27 @@ namespace umbraco /// internal void RemoveXmlFilePersistenceQueue() { - HttpContext.Current.Application.Lock(); - HttpContext.Current.Application[PersistenceFlagContextKey] = null; - HttpContext.Current.Application.UnLock(); + if (UmbracoContext.Current != null && UmbracoContext.Current.HttpContext != null) + { + UmbracoContext.Current.HttpContext.Application.Lock(); + UmbracoContext.Current.HttpContext.Application[PersistenceFlagContextKey] = null; + UmbracoContext.Current.HttpContext.Application.UnLock(); + } } internal bool IsXmlQueuedForPersistenceToFile { get { - if (HttpContext.Current != null) + if (UmbracoContext.Current != null && UmbracoContext.Current.HttpContext != null) { - bool val = HttpContext.Current.Application[PersistenceFlagContextKey] != null; + bool val = UmbracoContext.Current.HttpContext.Application[PersistenceFlagContextKey] != null; if (val) { DateTime persistenceTime = DateTime.MinValue; try { - persistenceTime = (DateTime)HttpContext.Current.Application[PersistenceFlagContextKey]; + persistenceTime = (DateTime)UmbracoContext.Current.HttpContext.Application[PersistenceFlagContextKey]; if (persistenceTime > GetCacheFileUpdateTime()) { return true; @@ -894,8 +898,8 @@ namespace umbraco private void ClearContextCache() { // If running in a context very important to reset context cache orelse new nodes are missing - if (HttpContext.Current != null && HttpContext.Current.Items.Contains(XmlContextContentItemKey)) - HttpContext.Current.Items.Remove(XmlContextContentItemKey); + if (UmbracoContext.Current != null && UmbracoContext.Current.HttpContext != null && UmbracoContext.Current.HttpContext.Items.Contains(XmlContextContentItemKey)) + UmbracoContext.Current.HttpContext.Items.Remove(XmlContextContentItemKey); } /// 
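Review bot: `RemoveXmlFilePersistenceQueue` calls `Application.Lock()` and `UnLock()` with no `try/finally`, so any exception between them leaves the application-state lock held for every other request; the lock/unlock pair later in this same file already wraps its body in `try { … } finally { UnLock(); }` and this method should match it. Reading `UmbracoContext.Current` once into a local also avoids the three repeated static lookups.
```csharp
internal void RemoveXmlFilePersistenceQueue()
{
    var ctx = UmbracoContext.Current;
    if (ctx == null || ctx.HttpContext == null) return;
    var app = ctx.HttpContext.Application;
    app.Lock();
    try
    {
        app[PersistenceFlagContextKey] = null;
    }
    finally
    {
        app.UnLock();
    }
}
```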
@@ -1193,20 +1197,20 @@ order by umbracoNode.level, umbracoNode.sortOrder"; { //if this is called outside a web request we cannot queue it it will run in the current thread. - if (HttpContext.Current != null) + if (UmbracoContext.Current != null && UmbracoContext.Current.HttpContext != null) { - HttpContext.Current.Application.Lock(); + UmbracoContext.Current.HttpContext.Application.Lock(); try { - if (HttpContext.Current.Application[PersistenceFlagContextKey] != null) + if (UmbracoContext.Current.HttpContext.Application[PersistenceFlagContextKey] != null) { - HttpContext.Current.Application.Add(PersistenceFlagContextKey, null); + UmbracoContext.Current.HttpContext.Application.Add(PersistenceFlagContextKey, null); } - HttpContext.Current.Application[PersistenceFlagContextKey] = DateTime.UtcNow; + UmbracoContext.Current.HttpContext.Application[PersistenceFlagContextKey] = DateTime.UtcNow; } finally { - HttpContext.Current.Application.UnLock(); + UmbracoContext.Current.HttpContext.Application.UnLock(); } } else From ebf24d69b5c05bd1f5682f9ef53f1a8d20bb4afa Mon Sep 17 00:00:00 2001 From: Shannon Date: Mon, 25 Aug 2014 16:24:23 +1000 Subject: [PATCH 6/8] Fixes: U4-5384 Custom ApiController routes not working after upgrade to 7.1.5 --- src/Umbraco.Web/WebApi/NamespaceHttpControllerSelector.cs | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/Umbraco.Web/WebApi/NamespaceHttpControllerSelector.cs b/src/Umbraco.Web/WebApi/NamespaceHttpControllerSelector.cs index f8bf137c98..dd75decc11 100644 --- a/src/Umbraco.Web/WebApi/NamespaceHttpControllerSelector.cs +++ b/src/Umbraco.Web/WebApi/NamespaceHttpControllerSelector.cs 
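Review bot: Inside the `try`, the guard `if (UmbracoContext.Current.HttpContext.Application[PersistenceFlagContextKey] != null) { ….Add(PersistenceFlagContextKey, null); }` reads inverted: it calls `Add` only when an entry already exists, and as far as I recall `HttpApplicationState.Add` permits duplicate keys, so a null duplicate is appended and the indexer assignment on the next line updates only the first entry. Since that indexer assignment creates the entry when it is missing, the whole `if` block can go; if an explicit `Add` is wanted the test must be `== null`. The commit only swapped the context accessor here, so this is pre-existing, but it is now on the new side, and `UmbracoContext.Current` is re-read five times in the block — capture `var app = UmbracoContext.Current.HttpContext.Application;` once above `Lock()`. The enclosing method starts before this hunk and continues past it.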
@@ -25,7 +25,10 @@ namespace Umbraco.Web.WebApi public override HttpControllerDescriptor SelectController(HttpRequestMessage request) { var routeData = request.GetRouteData(); - if (routeData == null || routeData.Route == null || routeData.Route.DataTokens["Namespaces"] == null) + if (routeData == null + || routeData.Route == null + || routeData.Route.DataTokens == null + || routeData.Route.DataTokens["Namespaces"] == null) return base.SelectController(request); // Look up controller in route data From 101e116baf5f5bfbfc05bb3ec3f64010056d3f3f Mon Sep 17 00:00:00 2001 From: Sebastiaan Janssen Date: Mon, 25 Aug 2014 15:14:21 +0200 Subject: [PATCH 7/8] Bump version number --- build/UmbracoVersion.txt | 2 +- src/Umbraco.Core/Configuration/UmbracoVersion.cs | 2 +- src/Umbraco.Web.UI/Umbraco.Web.UI.csproj | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/build/UmbracoVersion.txt b/build/UmbracoVersion.txt index a52e7a4eb7..c32f54ca04 100644 --- a/build/UmbracoVersion.txt +++ b/build/UmbracoVersion.txt @@ -1 +1 @@ -7.1.5 \ No newline at end of file +7.1.6 \ No newline at end of file diff --git a/src/Umbraco.Core/Configuration/UmbracoVersion.cs b/src/Umbraco.Core/Configuration/UmbracoVersion.cs index b0e074e444..847be99a0d 100644 --- a/src/Umbraco.Core/Configuration/UmbracoVersion.cs +++ b/src/Umbraco.Core/Configuration/UmbracoVersion.cs @@ -5,7 +5,7 @@ namespace Umbraco.Core.Configuration { public class UmbracoVersion { - private static readonly Version Version = new Version("7.1.5"); + private static readonly Version Version = new Version("7.1.6"); /// /// Gets the current version of Umbraco. diff --git a/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj b/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj index eb7f5fe251..c82a4a0a2d 100644 --- a/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj +++ b/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj 
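Review bot: The null chain in `SelectController` has grown to four terms and will grow again the next time a level can be null; read the tokens into a local so the intent stays visible: `var tokens = (routeData == null || routeData.Route == null) ? null : routeData.Route.DataTokens;` followed by `if (tokens == null || tokens["Namespaces"] == null) return base.SelectController(request);`. The literal `"Namespaces"` is the contract with whichever route registration sets it and deserves a named constant with a comment naming that registration. The rest of the method is outside this hunk.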
@@ -2530,9 +2530,9 @@ xcopy "$(ProjectDir)"..\packages\SqlServerCE.4.0.0.0\x86\*.* "$(TargetDir)x86\" True True - 7150 + 7160 / - http://localhost:7150 + http://localhost:7160 False False From e9b137cde80d32dbe29cf87575569edae287be71 Mon Sep 17 00:00:00 2001 From: Shannon Date: Tue, 26 Aug 2014 09:20:32 +1000 Subject: [PATCH 8/8] Fixes duplicate key error (U4-5385) --- src/Umbraco.Core/Media/ImageHelper.cs | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/Umbraco.Core/Media/ImageHelper.cs b/src/Umbraco.Core/Media/ImageHelper.cs index f2b848be57..a6cd19ddc0 100644 --- a/src/Umbraco.Core/Media/ImageHelper.cs +++ b/src/Umbraco.Core/Media/ImageHelper.cs @@ -45,8 +45,11 @@ namespace Umbraco.Core.Media var result = new List(); var allSizesDictionary = new Dictionary {{100,"thumb"}, {500,"big-thumb"}}; - var allSizes = allSizesDictionary.Select(kv => kv.Key).ToList(); - allSizes.AddRange(additionalThumbSizes.Where(x => x > 0).Distinct()); + + //combine the static dictionary with the additional sizes with only unique values + var allSizes = allSizesDictionary.Select(kv => kv.Key) + .Union(additionalThumbSizes.Where(x => x > 0).Distinct()); + var sizesDictionary = allSizes.ToDictionary(s => s, s => allSizesDictionary.ContainsKey(s) ? allSizesDictionary[s]: ""); foreach (var s in sizesDictionary)