Running the latest version of Umbraco 7.7.8 and Forms 6.0.6 I'm getting strange results when using the so-called magic strings to populate fields with default values. The form values (or magic strings?) are being cached between requests and browsers and result in a major data leak!
This happens to url values (@...), page values (#...) but also member values!
For anyone running into this, setting the value of DisableFormCaching to True in UmbracoForms.config resolves the issue (but I don't know what the side effects are).
<setting key="DisableFormCaching" value="True" />
Steps to reproduce:
1) Create a Visual Studio solution and install the latest Umbraco and Forms packages.
2) Go to the Forms section and Create a simple form, containing a Name, Email and Page field and set the default values to {member.Name}, {member.Email} and [#pageName] respectively.
3) Go to the Settings section, modify the Content Page and add a Form picker
4) In the Settings section, alter the Content Page template and include the following snippet in the col-md-9 div:
@{
if (Model.Content.Form != null)
{ Html.RenderAction("RenderForm", "UmbracoForms", new { formId = Model.Content.Form, theme = "bootstrap3" }); }
}
To make the Forms work, also include a Header section with the following scripts:
5) Finally, in the Content section add three pages (Page One, Page Two, Page Three) and on all pages select the form created in step 2.
Result:
When you open one of the selected pages, note that the initial page shows the correct Page value in the form field, but any of the other created pages will show the value of the first viewed page.
A step further, add some members and login:
1) In the Member section add two members (John First, Mike Second)
2) In the Settings section, add two Login templates and copy the contents from ContentPage. Replace inner HTML of the container div with the following snippets
3) In the Settings section, go to Document Types and add the Login templates as allowed template for Content Page.
4) In the Content section and add a Content Page and set the template to Login1 to login John First. Add a second Content Page and set the template to Login2 to login Mike Second.
Result: When you open Login1 in a first browser and Login2 in a second, different browser notice that the values in the forms contain the same values, depending on which form/member is viewed first.
I think this is related to the following caching keys in HttpContext.Current.Cache:
"umbrtmche-Forms.FormStorage.All"
"umbrtmche-Forms.Member1148"
"umbrtmche-Forms.Member1148.Values"
Note that only the first member is loaded in the cache (Member1148 which is John First). The second members never shows up (appears).
I noticed the same issue myself today. I was using query string params to pre-populate fields, and even on different computers the last-used value was appearing - not the value in the current browser url.
Thanks for the UmbracoForms.config tip - that fixed it for me as well.
Thanks for responding, and voting. I found it astounding that this caching was forming a major data leak. And I think this DisableFormCaching option should be switched on by default. So for anyone running into this:
Please make sure that if you find issues like this to shoot us an email at [email protected] so we can fix it ASAP. It's on our list to fix early next week, keep an eye on the issue tracker for progress:
Thanks for replying, Sebastiaan. I wasn't aware of this e-mail option so thanks for bringing that to my attention!
I already created an issue for this on the tracker, perhaps you can merge them: http://issues.umbraco.org/issue/CON-1458
Magic strings data leak
Running the latest version of Umbraco 7.7.8 and Forms 6.0.6 I'm getting strange results when using the so-called magic strings to populate fields with default values. The form values (or magic strings?) are being cached between requests and browsers and result in a major data leak!
This happens to url values (@...), page values (#...) but also member values!
For anyone running into this, setting the value of DisableFormCaching to True in UmbracoForms.config resolves the issue (but I don't know what the side effects are).
Steps to reproduce: 1) Create a Visual Studio solution and install the latest Umbraco and Forms packages. 2) Go to the Forms section and Create a simple form, containing a Name, Email and Page field and set the default values to {member.Name}, {member.Email} and [#pageName] respectively. 3) Go to the Settings section, modify the Content Page and add a Form picker 4) In the Settings section, alter the Content Page template and include the following snippet in the col-md-9 div:
To make the Forms work, also include a Header section with the following scripts:
5) Finally, in the Content section add three pages (Page One, Page Two, Page Three) and on all pages select the form created in step 2.
Result: When you open one of the selected pages, note that the initial page shows the correct Page value in the form field, but any of the other created pages will show the value of the first viewed page.
A step further, add some members and login: 1) In the Member section add two members (John First, Mike Second) 2) In the Settings section, add two Login templates and copy the contents from ContentPage. Replace inner HTML of the container div with the following snippets
And for the second template
3) In the Settings section, go to Document Types and add the Login templates as allowed template for Content Page. 4) In the Content section and add a Content Page and set the template to Login1 to login John First. Add a second Content Page and set the template to Login2 to login Mike Second.
Result: When you open Login1 in a first browser and Login2 in a second, different browser notice that the values in the forms contain the same values, depending on which form/member is viewed first.
I think this is related to the following caching keys in HttpContext.Current.Cache:
Note that only the first member is loaded in the cache (Member1148 which is John First). The second members never shows up (appears).
To me this seams to be a major security leak and I think is related to this bug report: http://issues.umbraco.org/issue/CON-1458
I noticed the same issue myself today. I was using query string params to pre-populate fields, and even on different computers the last-used value was appearing - not the value in the current browser url.
Thanks for the UmbracoForms.config tip - that fixed it for me as well.
Thanks for responding, and voting. I found it astounding that this caching was forming a major data leak. And I think this DisableFormCaching option should be switched on by default. So for anyone running into this:
Thanks for noticing this!
Please make sure that if you find issues like this to shoot us an email at [email protected] so we can fix it ASAP. It's on our list to fix early next week, keep an eye on the issue tracker for progress:
http://issues.umbraco.org/issue/CON-1494
Thanks for replying, Sebastiaan. I wasn't aware of this e-mail option so thanks for bringing that to my attention! I already created an issue for this on the tracker, perhaps you can merge them: http://issues.umbraco.org/issue/CON-1458
Ah no worries, the security address comes with a detailed description on the website as well - https://umbraco.com/security
Cool I'll merge the issues, thanks!
is working on a reply...