Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Greg Berlin 818 posts 634 karma points
    Feb 23, 2011 @ 02:28
    Greg Berlin
    0

    Umbraco & Packages on Medium Trust

    I know there's alot of discussions around this, but I was after a more definite and specific answer to these questions:

    1. Does Umbraco 4.6 work completely under medium trust?  No issues whatsoever?

    2. Do all packages that install on 4.6 work under medium trust? If not, which packages don't, or which types of packages are likely not to (ex: packages that need access to file system, etc?)

    3. Any other special considerations for running under medium trust?

    I've been using a host that's allowed me to run all my sites under full trust, but now that i require .net 4, i need to use one of their new servers, and they're locking them down to medium trust only.  Which means i need to upgrade old Umbraco v3 sites to 4.5+ to run on these new sites.. just worried about packages etc.

    cheers

    greg

  • Matthew 16 posts 36 karma points
    Oct 23, 2011 @ 02:28
    Matthew
    0

    Hi -- Does anyone have any experience with this? I started a wiki page (link here) because I agree, answers on medium trust are hard to nail down, but I don't have any real experience with medium trust and Umbraco yet. Can anyone weigh in?

    Thanks, Matthew

  • Jamie Howarth 306 posts 773 karma points c-trib
    Oct 23, 2011 @ 16:41
    Jamie Howarth
    0

    Hi Matthew and Greg,

    Umbraco 4.6 does not work in Medium Trust, as the .NET4 assembly is missing a required attribute to force .NET2-style class inheritance rules. This is fixed in Umbraco 4.7.1. Umbraco 4.6 also has numerous performance and security issues, surrounding opening connections to SQL Server databases in the Macro Container datatype, and therefore I strongly recommend an upgrade to 4.7.1 to avoid these.

    The majority of packages, if well-written, should function OK under Medium Trust. However, there are a number of known caveats, and it's up to package developers to ensure that packages do function as intended under Medium Trust. As a rule, the following basics mean that a package will not function under Medium Trust:

    • Requiring file system access outside of the root of the Umbraco website;
    • Using Reflection.Emit, or attempting to modify out-of-scope variables/properties/fields/classes that should not be accessible via normal compiled runtime;
    • Opening network sockets (caveat emptor: most shared hosting providers enable SocketPermission, as it's required for .NET to connect to MySQL, but YMMV);
    • Using ConfigurationManager to modify *.config files - this inherent bug in the .NET Framework should've been fixed in .NET4, but has not, and so a good package should use decent XML parsing logic for reading/writing *.config files;
    • Accessing the registry (no Umbraco packages I know of do this, but you never know);

    I run a number of websites under Medium Trust, with packages installed, with very little, if any, issues. The packages I commonly use are:

    • Config Editor
    • Robots.txt Editor
    • CogWorks Flexible Navigation
    • Doctype Mixins
    • Blog4Umbraco (currently work-in-progress)
    • uBlogsy

    All of these function just fine without requiring anything above Medium Trust. However, Morton Christensen's Google Analytics package requires Full trust and I'm yet to dig into why this is. I also believe that uWebshop runs under MedTrust but I've not extensively tested this.

    HTH,

    Benjamin

     

  • sampahbau 7 posts 27 karma points
    Nov 27, 2013 @ 00:02
    sampahbau
    0

    I have Umbraco 6.1.6 works on GoDaddy Shared hosting, I just enable read & write to all files even root, and this is my web.config files:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <configSections>
        <section name="urlrewritingnet" restartOnExternalChanges="true" requirePermission="false" type="UrlRewritingNet.Configuration.UrlRewriteSection, UrlRewritingNet.UrlRewriter" />
        <section name="microsoft.scripting" type="Microsoft.Scripting.Hosting.Configuration.Section, Microsoft.Scripting, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" />
        <section name="clientDependency" type="ClientDependency.Core.Config.ClientDependencySection, ClientDependency.Core" requirePermission="false" />
        <section name="Examine" type="Examine.Config.ExamineSettings, Examine" requirePermission="false" />
        <section name="ExamineLuceneIndexSets" type="Examine.LuceneEngine.Config.IndexSets, Examine" requirePermission="false" />
        <section name="FileSystemProviders" type="Umbraco.Core.Configuration.FileSystemProvidersSection, Umbraco.Core" requirePermission="false" />
        <section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler, log4net" requirePermission="false" />
        <section name="BaseRestExtensions" type="Umbraco.Web.BaseRest.Configuration.BaseRestSection, umbraco" requirePermission="false" />

        <sectionGroup name="system.web.webPages.razor" type="System.Web.WebPages.Razor.Configuration.RazorWebSectionGroup, System.Web.WebPages.Razor, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
          <section name="host" type="System.Web.WebPages.Razor.Configuration.HostSection, System.Web.WebPages.Razor, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" />
          <section name="pages" type="System.Web.WebPages.Razor.Configuration.RazorPagesSection, System.Web.WebPages.Razor, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" />
        </sectionGroup>

      </configSections>

      <urlrewritingnet configSource="config\UrlRewriting.config" />
      <microsoft.scripting configSource="config\scripting.config" />
      <clientDependency configSource="config\ClientDependency.config" />
      <Examine configSource="config\ExamineSettings.config" />
      <ExamineLuceneIndexSets configSource="config\ExamineIndex.config" />
      <FileSystemProviders configSource="config\FileSystemProviders.config" />
      <log4net configSource="config\log4net.config" />
      <BaseRestExtensions configSource="config\BaseRestExtensions.config" />

      <appSettings>
       
        <add key="umbracoConfigurationStatus" value="6.1.6" />
        <add key="umbracoReservedUrls" value="~/config/splashes/booting.aspx,~/install/default.aspx,~/config/splashes/noNodes.aspx,~/VSEnterpriseHelper.axd" />
        <add key="umbracoReservedPaths" value="~/umbraco,~/install/" />
        <add key="umbracoContentXML" value="~/App_Data/umbraco.config" />
        <add key="umbracoStorageDirectory" value="~/App_Data" />
        <add key="umbracoPath" value="~/umbraco" />
        <add key="umbracoEnableStat" value="false" />
        <add key="umbracoHideTopLevelNodeFromPath" value="true" />
        <add key="umbracoEditXhtmlMode" value="true" />
        <add key="umbracoUseDirectoryUrls" value="false" />
        <add key="umbracoDebugMode" value="false" />
        <add key="umbracoTimeOutInMinutes" value="20" />
        <add key="umbracoVersionCheckPeriod" value="7" />
        <add key="umbracoDisableXsltExtensions" value="true" />
        <add key="umbracoDefaultUILanguage" value="en" />
        <add key="umbracoProfileUrl" value="profiler" />
        <add key="umbracoUseSSL" value="false" />
        <add key="umbracoUseMediumTrust" value="true" />

        <!-- Set this to true to enable storing the xml cache locally to the IIS server even if the app files are stored centrally on a SAN/NAS Alex Norcliffe 2010 02 for 4.1  -->
        <add key="umbracoContentXMLUseLocalTemp" value="false" />

        <add key="webpages:Enabled" value="false" />
        <add key="enableSimpleMembership" value="false" />
        <add key="autoFormsAuthentication" value="false" />

        <add key="log4net.Config" value="config\log4net.config" />
      </appSettings>

      <system.data>
        <DbProviderFactories>
          <remove invariant="System.Data.SqlServerCe.4.0" />
          <add name="Microsoft SQL Server Compact Data Provider 4.0" invariant="System.Data.SqlServerCe.4.0" description=".NET Framework Data Provider for Microsoft SQL Server Compact" type="System.Data.SqlServerCe.SqlCeProviderFactory, System.Data.SqlServerCe, Version=4.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" />
          <remove invariant="MySql.Data.MySqlClient" />
          <add name="MySQL Data Provider" invariant="MySql.Data.MySqlClient" description=".Net Framework Data Provider for MySQL" type="MySql.Data.MySqlClient.MySqlClientFactory, MySql.Data, Version=6.6.5.0, Culture=neutral, PublicKeyToken=c5687fc88969c44d" />
        </DbProviderFactories>
      </system.data>

      <system.net>
        <mailSettings>
          <smtp>
            <network host="127.0.0.1" userName="username" password="password" />
          </smtp>
        </mailSettings>
      </system.net>

      <connectionStrings>
        <remove name="umbracoDbDSN" />
        <add name="umbracoDbDSN" connectionString="server=123456;database=123456;user id=123456;password=123456" providerName="System.Data.SqlClient" />
        <!-- Important: If you're upgrading Umbraco, do not clear the connection string / provider name during your web.config merge. -->
      </connectionStrings>

      <system.web>
        <!--<trust level="Medium" originUrl=".*" />-->
        <trust level="Full" />
        <!--<customErrors mode="RemoteOnly" />-->
        <customErrors mode="Off" />
        <trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true" />
        <sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="20" />
        <globalization requestEncoding="UTF-8" responseEncoding="UTF-8" />
        <xhtmlConformance mode="Strict" />

        <httpRuntime requestValidationMode="2.0" enableVersionHeader="false" />

        <pages enableEventValidation="false">
          <!-- ASPNETAJAX -->
          <controls>
            <add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
            <add tagPrefix="umbraco" namespace="umbraco.presentation.templateControls" assembly="umbraco" />
            <add tagPrefix="asp" namespace="System.Web.UI.WebControls" assembly="System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
          </controls>
        </pages>
        <httpModules>
          <!-- URL REWRTIER -->
          <add name="UrlRewriteModule" type="UrlRewritingNet.Web.UrlRewriteModule, UrlRewritingNet.UrlRewriter" />
          <!-- UMBRACO -->
          <add name="UmbracoModule" type="Umbraco.Web.UmbracoModule,umbraco" />
          <!-- ASPNETAJAX -->
          <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
          <!-- CLIENT DEPENDENCY -->
          <add name="ClientDependencyModule" type="ClientDependency.Core.Module.ClientDependencyModule, ClientDependency.Core" />
        </httpModules>
        <httpHandlers>
          <remove verb="*" path="*.asmx" />
          <!-- ASPNETAJAX -->
          <add verb="*" path="*.asmx" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" validate="false" />
          <add verb="*" path="*_AppService.axd" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" validate="false" />
          <add verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" validate="false" />
          <!-- UMBRACO CHANNELS -->
          <add verb="*" path="umbraco/channels.aspx" type="umbraco.presentation.channels.api, umbraco" />
          <add verb="*" path="umbraco/channels/word.aspx" type="umbraco.presentation.channels.wordApi, umbraco" />
          <!-- CLIENT DEPENDENCY -->
          <add verb="*" path="DependencyHandler.axd" type="ClientDependency.Core.CompositeFiles.CompositeDependencyHandler, ClientDependency.Core " />
          <!-- SPELL CHECKER -->
          <add verb="GET,HEAD,POST" path="GoogleSpellChecker.ashx" type="umbraco.presentation.umbraco_client.tinymce3.plugins.spellchecker.GoogleSpellChecker,umbraco" />
        </httpHandlers>

        <compilation defaultLanguage="c#" debug="false" batch="false" targetFramework="4.0">
          <assemblies>
            <!-- ASP.NET 4.0 Assemblies -->
            <add assembly="System.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
            <add assembly="System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
            <add assembly="System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
            <add assembly="System.Xml.Linq, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
            <add assembly="System.Data.DataSetExtensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
            <add assembly="System.Web.Extensions.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
            <add assembly="System.Web.Abstractions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
            <add assembly="System.Web.Helpers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
            <add assembly="System.Web.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
            <add assembly="System.Web.Mvc, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
            <add assembly="System.Web.WebPages, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
          </assemblies>

          <buildProviders>
            <add extension=".cshtml" type="umbraco.MacroEngines.RazorBuildProvider, umbraco.MacroEngines" />
            <add extension=".vbhtml" type="umbraco.MacroEngines.RazorBuildProvider, umbraco.MacroEngines" />
            <add extension=".razor" type="umbraco.MacroEngines.RazorBuildProvider, umbraco.MacroEngines" />
          </buildProviders>
        </compilation>

        <authentication mode="Forms">
          <forms name="yourAuthCookie" loginUrl="login.aspx" protection="All" path="/" />
        </authentication>
        <authorization>
          <allow users="?" />
        </authorization>
        <!-- Membership Provider -->
        <membership defaultProvider="UmbracoMembershipProvider" userIsOnlineTimeWindow="15">
          <providers>
            <clear />
            <add enablePasswordRetrieval="false" enablePasswordReset="true"
              requiresQuestionAndAnswer="false" defaultMemberTypeAlias="Another Type"
              passwordFormat="Hashed" name="UmbracoMembershipProvider" type="umbraco.providers.members.UmbracoMembershipProvider" />
            <add enablePasswordRetrieval="false" enablePasswordReset="false"
              requiresQuestionAndAnswer="false" passwordFormat="Hashed" name="UsersMembershipProvider"
              type="umbraco.providers.UsersMembershipProvider" />
          </providers>
        </membership>
        <!-- added by NH to support membership providers in access layer -->
        <roleManager enabled="true" defaultProvider="UmbracoRoleProvider">
          <providers>
            <clear />
            <add name="UmbracoRoleProvider" type="umbraco.providers.members.UmbracoRoleProvider" />
          </providers>
        </roleManager>
      </system.web>

      <!-- ASPNETAJAX -->
      <system.web.extensions>
        <scripting>
          <scriptResourceHandler enableCompression="true" enableCaching="true" />
        </scripting>
      </system.web.extensions>

      <system.webServer>
        <validation validateIntegratedModeConfiguration="false" />
        <modules runAllManagedModulesForAllRequests="true">
          <remove name="UrlRewriteModule" />
          <add name="UrlRewriteModule" type="UrlRewritingNet.Web.UrlRewriteModule, UrlRewritingNet.UrlRewriter" />

          <remove name="UmbracoModule" />
          <add name="UmbracoModule" type="Umbraco.Web.UmbracoModule,umbraco" />

          <remove name="ScriptModule" />
          <add name="ScriptModule" preCondition="managedHandler" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />

          <remove name="ClientDependencyModule" />
          <add name="ClientDependencyModule" type="ClientDependency.Core.Module.ClientDependencyModule, ClientDependency.Core" />

          <!-- Needed for login/membership to work on homepage (as per http://stackoverflow.com/questions/218057/httpcontext-current-session-is-null-when-routing-requests) -->
          <remove name="FormsAuthentication" />
          <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
        </modules>

        <handlers accessPolicy="Read, Write, Script, Execute">
          <remove name="WebServiceHandlerFactory-Integrated" />
          <remove name="ScriptHandlerFactory" />
          <remove name="ScriptHandlerFactoryAppServices" />
          <remove name="ScriptResource" />
          <remove name="Channels" />
          <remove name="Channels_Word" />
          <remove name="ClientDependency" />
          <remove name="SpellChecker" />

          <add name="ScriptHandlerFactory" verb="*" path="*.asmx" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
          <add name="ScriptHandlerFactoryAppServices" verb="*" path="*_AppService.axd" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
          <add name="ScriptResource" verb="GET,HEAD" path="ScriptResource.axd" preCondition="integratedMode" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
          <add verb="*" name="Channels" preCondition="integratedMode" path="umbraco/channels.aspx" type="umbraco.presentation.channels.api, umbraco" />
          <add verb="*" name="Channels_Word" preCondition="integratedMode" path="umbraco/channels/word.aspx" type="umbraco.presentation.channels.wordApi, umbraco" />
          <add verb="*" name="ClientDependency" preCondition="integratedMode" path="DependencyHandler.axd" type="ClientDependency.Core.CompositeFiles.CompositeDependencyHandler, ClientDependency.Core " />
          <add verb="GET,HEAD,POST" preCondition="integratedMode" name="SpellChecker" path="GoogleSpellChecker.ashx" type="umbraco.presentation.umbraco_client.tinymce3.plugins.spellchecker.GoogleSpellChecker,umbraco" />
        </handlers>

        <!-- Adobe AIR mime type -->
        <staticContent>
          <remove fileExtension=".air" />
          <mimeMap fileExtension=".air" mimeType="application/vnd.adobe.air-application-installer-package+zip" />
        </staticContent>

        <!-- Ensure the powered by header is not returned -->
        <httpProtocol>
          <customHeaders>
            <remove name="X-Powered-By" />
          </customHeaders>
        </httpProtocol>
       
      </system.webServer>

      <system.codedom>
        <compilers>
          <compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CSharp.CSharpCodeProvider,System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" warningLevel="4">
            <providerOption name="CompilerVersion" value="v4.0" />
            <providerOption name="WarnAsError" value="false" />
          </compiler>
        </compilers>
      </system.codedom>

      <runtime>
        <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">

          <!-- Old asp.net ajax assembly bindings -->
          <dependentAssembly>
            <assemblyIdentity name="System.Web.Extensions" publicKeyToken="31bf3856ad364e35" />
            <bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="4.0.0.0" />
          </dependentAssembly>
          <dependentAssembly>
            <assemblyIdentity name="System.Web.Extensions.Design" publicKeyToken="31bf3856ad364e35" />
            <bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="4.0.0.0" />
          </dependentAssembly>

          <!-- Ensure correct version of MVC -->
          <dependentAssembly>
            <assemblyIdentity name="System.Web.Helpers" publicKeyToken="31bf3856ad364e35" />
            <bindingRedirect oldVersion="1.0.0.0-2.0.0.0" newVersion="2.0.0.0" />
          </dependentAssembly>
          <dependentAssembly>
            <assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />
            <bindingRedirect oldVersion="1.0.0.0-4.0.0.0" newVersion="4.0.0.0" />
          </dependentAssembly>
          <dependentAssembly>
            <assemblyIdentity name="System.Web.WebPages" publicKeyToken="31bf3856ad364e35" />
            <bindingRedirect oldVersion="1.0.0.0-2.0.0.0" newVersion="2.0.0.0" />
          </dependentAssembly>
          <dependentAssembly>
            <assemblyIdentity name="System.Web.WebPages.Razor" publicKeyToken="31bf3856ad364e35" />
            <bindingRedirect oldVersion="1.0.0.0-2.0.0.0" newVersion="2.0.0.0" />
          </dependentAssembly>
         
          <!-- Ensure correct version of HtmlAgilityPack -->
          <dependentAssembly>
            <assemblyIdentity name="HtmlAgilityPack" publicKeyToken="bd319b19eaf3b43a" culture="neutral" />
            <bindingRedirect oldVersion="1.4.5.0-1.4.6.0" newVersion="1.4.6.0" />
          </dependentAssembly>
        </assemblyBinding>
      </runtime>

      <system.web.webPages.razor>
        <host factoryType="umbraco.MacroEngines.RazorUmbracoFactory, umbraco.MacroEngines" />
        <pages pageBaseType="umbraco.MacroEngines.DynamicNodeContext">
          <namespaces>
            <add namespace="Microsoft.Web.Helpers" />
            <add namespace="umbraco" />
            <add namespace="Examine" />
          </namespaces>
        </pages>
      </system.web.webPages.razor>

    </configuration>

Please Sign in or register to post replies

Write your reply to:

Draft