  • Garrett Fisher 341 posts 496 karma points
    Nov 19, 2015 @ 20:26

    AltTemplates -- Potentially Dangerous Request -- HtmlEncode?

    Hi,

    Does anyone know where the alttemplate querystring value is first processed at the request level?

    I've got an Umbraco (6.2.5) site which is failing a security scan because you can add...

    "?alttemplate=<!--"
    

    For example, as the value. I'd like to HtmlEncode it but I don't know where/how in the application flow that this is handled. The ASP.NET YSOD fires long before any page/template where I am personally doing anything with that value:

    A potentially dangerous Request.QueryString value was detected from the client (alttemplate="<!--").
    

    Anything I can do to prevent this error?

    Thanks,

    Garrett

  • Marc Goodson 2141 posts 14344 karma points MVP 8x c-trib
    Nov 19, 2015 @ 20:52

    If you don't use the altTemplate functionality you can now turn it off in the umbracoSettings.config file at the bottom:

          <web.routing
            trySkipIisCustomErrors="false"
            internalRedirectPreservesTemplate="false"
            disableAlternativeTemplates="true"
            disableFindContentByIdPath="false"
            umbracoApplicationUrl="">
          </web.routing>
    

    If you want to keep the altTemplate functionality but handle the comment attack, I think you'll need to register your own replacement version of the IContentFinder ContentFinderByNiceUrlAndTemplate:

    https://github.com/umbraco/Umbraco-CMS/blob/d50e49ad37fd5ca7bad2fd6e8fc994f3408ae70c/src/Umbraco.Web/Routing/ContentFinderByNiceUrlAndTemplate.cs
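A request-level way to validate the `alttemplate` value before ASP.NET request validation rejects it, as an added example (not from this thread and not Umbraco's own code, and a different route from the IContentFinder replacement suggested above): an IHttpModule that reads the raw value through `Request.Unvalidated` at BeginRequest and ends the request with a 400 when the value is not a plausible template alias. It assumes .NET 4.5 (where `Request.Unvalidated` exists) and that the module is registered in web.config ahead of Umbraco's own modules; the alias pattern and the 400 response are the example's own choices.

```csharp
// Added example: reject malformed ?alttemplate= values before anything in the
// pipeline touches Request.QueryString (which is what triggers the
// "potentially dangerous Request.QueryString value" error).
using System;
using System.Text.RegularExpressions;
using System.Web;

public static class AltTemplateValidator
{
    // Umbraco template aliases are identifier-like; a value such as "<!--"
    // never matches. The 64-character limit is an assumption for this example.
    static readonly Regex AliasPattern =
        new Regex(@"^[A-Za-z0-9_-]{1,64}$", RegexOptions.Compiled);

    // True when no value was supplied (nothing to validate) or it looks like an alias.
    public static bool IsAcceptable(string value)
    {
        if (string.IsNullOrEmpty(value)) return true;
        return AliasPattern.IsMatch(value);
    }
}

public class AltTemplateGuardModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        // Request.Unvalidated returns the raw value without running request
        // validation; QueryString lookups are case-insensitive, so this also
        // covers "alttemplate" and "altTemplate".
        var raw = app.Context.Request.Unvalidated.QueryString["altTemplate"];
        if (AltTemplateValidator.IsAcceptable(raw)) return;

        // Stop the pipeline here so Umbraco routing never sees the value.
        app.Context.Response.StatusCode = 400;
        app.Context.Response.StatusDescription = "Bad Request";
        app.CompleteRequest();
    }

    public void Dispose() { }
}

// web.config registration (IIS integrated pipeline), placed before Umbraco's modules:
// <system.webServer><modules>
//   <add name="AltTemplateGuard" type="AltTemplateGuardModule" />
// </modules></system.webServer>
```

Whether the module really runs before anything else reads `Request.QueryString` depends on module order, so confirm after deployment that a request with `?alttemplate=<!--` now returns 400 instead of the YSOD.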
