Vulnerability in EPiServer.Forms
I am working on a website that is running in DXC. When we get the application log from paasportal.episerver.net we have noticed that all the errors are shown as:
"EPiServer.Global : Unhandled exception in ASP.NET System.InvalidOperationException: The model item passed into the dictionary is of type 'System.Web.Mvc.HandleErrorInfo', but this dictionary requires a model item of type 'SearchResultsPageViewModel'."
this is even when i manually add a line to a view file that throws an error with a specific message, where i should be seeing something like:
"EPiServer.Global : Unhandled exception in ASP.NET System.Exception: test at ASP._Page_Views_Pages_HomePage_cshtml.Execute()at System.Web.WebPages.WebPageBase.ExecutePageHierarchy() at System.Web.Mvc.WebViewPage.ExecutePageHierarchy() at System.Web.WebPages.StartPage.ExecutePageHierarchy()etc.
I'm trying to work out if i need to configure the site differently to work on DXC and to get the correct error messages. One thing we have noticed is that when we turn CustomErrors off in the web config we get the correct error details in the application log, even though it is using the same html file to display the error message. Obviously we want to keep custom errors turned on in production so this isn't really a fix.
I'm really confused, has anyone set up a DXC site where logging is working correctly? what did you have to do differently to a regular episerver website?
Thanks in advance
As long as your following
https://world.episerver.com/documentation/developer-guides/CMS/logging/logging-into--net-diagnostics-trace/ that's the standard way of logging in the DXC.
As long as then in code your using the EPiServer.Logging.ILogger interface injected in to your code for the logging you should get all the correct logs come through. We are using it in the DXC and it's working as expected
@scott did you have to specify a blob storage location for the logs? or does episerver deal with it automatically? Also, when you view the logs do you get errors relating to System.Web.Mvc.HandleErrorInfo ? i think this error is hiding the real error message but i can't work out why.
I think I had to request it with episerver support to turn on logging in the enviornments although you should have been given the integration access to configure Integration yourself
I assume that the logging settings are correct as the log contains the correct errors when we have custom errors turned off in the web config, the mainthing we are trying to work out is why all the errors are logged as 'System.InvalidOperationException' when we have custom errors turned on. Can't recreate it locally.
We have finally managed to fix the issue. The fix was to permenantly set the custom errors off in the web.config ('<customErrors mode="Off">'). This is normally set to off or custom on all other sites we develop so we didn't think this would be a long-term solution but EPiServer support eventually told us this is what needs to be done to fix it.
Even if you have followed all of the instructions and read all of the documentation you will still have to set custom errors to off. Hopefully this information will be useful to others in the future.