Vulnerability in EPiServer.Forms

Try our conversational search powered by Generative AI!

Unpublished assets returning 401 status


We've an with assets that are either not published or have been moved to trash returning 401s rather than 403s or 404s if an end user tries to access them.  This is a problem especially where assets have been moved to trash when they are referenced from html editor field, because when the asset is deleted is doesn't moan about being referenced.  

So the result of this that our customer users are frequently presented with a login prompt which they're saying is a bug but I'm pretty sure EPiServer support would not agree!

Is there a workaround for this? I've tried using an http module to capture the HttpApplication EndRequest (which is the earliest that the status is available) but this throws an exception on embedded content because headers are already sent.

Sep 09, 2015 17:05

Hmm, maybe I need to raise a feature request to allow me to edit and fix all those typos!

Sep 09, 2015 17:09

Hi Neil,

I tested this on Alloy site, with latest episerver version and it returned me 404 for the images in trash (i remeber this was an issue in older version), can you please confirm which version are you on. an upgrade canfix that.

401 you will still get if User is not authorized. Check are those assets have visible right for everyone.



Sep 10, 2015 16:06

Thanks for the info. K.  We are on 7.19.2 but unfortunately we can't upgrade so I guess we'll have to live with this issue for now.  

(we use on premise Find in a secure closed environment which is not upgradable yet and EPiServer 8.* has a dependency on later versions of Find).

I'll test this in an alloy site too though.

Sep 10, 2015 16:43
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.