Hi, I'm not sure if this is an intended function but I've just noticed that CSHTML view files are executing when the name of the file is used after the domain name in the URL.
To be a bit clearer, take the example where I enter the following URL:
If there is no Umbraco node configured to respond on "/blog" it seems the site will execute the file "blog.cshtml" if it finds that file in the root of the Views directory. I'm keen to establish if this is intentional (and if so why?) or if this is a bug and/or potential security hole?
I can reproduce this on live sites running 7.3.8 and 7.6.1 and also tested on a 7.6.0 clean Fanoe install.
This is intentional behaviour, it is one of the methods of using the Alternative Template functionality within Umbraco.
If you don't want to have this functionality available, I believe it can be turned off in the umbracoSettings.config file.
Right at the bottom there is a section for web.routing where you can find an attribute called "disableAlternativeTemplates" set this to true and I believe it should stop this behaviour.
Thanks for that. It seems you are right. I was aware of the alternative template syntax using the altTemplate querystring parameter, and am in fact already using that. So I can't disable alternative templates completely.
Is there a way to just disable the MVC "Route" alt template technique?
CSHTML Razor Views executing when filename included in URL
Hi, I'm not sure if this is an intended function but I've just noticed that CSHTML view files are executing when the name of the file is used after the domain name in the URL.
To be a bit clearer, take the example where I enter the following URL:
http://www.domain.com/blog
If there is no Umbraco node configured to respond on "/blog" it seems the site will execute the file "blog.cshtml" if it finds that file in the root of the Views directory. I'm keen to establish if this is intentional (and if so why?) or if this is a bug and/or potential security hole?
I can reproduce this on live sites running 7.3.8 and 7.6.1 and also tested on a 7.6.0 clean Fanoe install.
Thanks.
Hi James,
This is intentional behaviour, it is one of the methods of using the Alternative Template functionality within Umbraco.
If you don't want to have this functionality available, I believe it can be turned off in the umbracoSettings.config file.
Right at the bottom there is a section for web.routing where you can find an attribute called "disableAlternativeTemplates" set this to true and I believe it should stop this behaviour.
Thanks,
Nik
Hi Nik,
Thanks for that. It seems you are right. I was aware of the alternative template syntax using the altTemplate querystring parameter, and am in fact already using that. So I can't disable alternative templates completely.
Is there a way to just disable the MVC "Route" alt template technique?
Thanks again, James
Hi James
I wrote an article to explain it and show you how to turn it on or off.
http://www.codeshare.co.uk/blog/umbraco-alternate-template-feature-bug/
Kind regards
Paul
Hi Paul,
That's perfect, thanks very much.
James
is working on a reply...