Vulnerability in EPiServer.Forms
I have a request from one of our stakeholders to host a fund-raising component in our CMS instance. As part of that request, they want to enable Apple Pay but we need to be able to host a file to verify web site ownership at ".well-known/apple-developer-merchantid-domain-association". I'm guessing that the ".well-known" path is special and although I created a folder for it with the verification file, our site just returns a 404.
I may be missing something really obvious here so I was wondering if there were any suggestions on how to properly host this file in EPi CMS. Thanks.
The easiest way is to add the file as a static file to the .well-known folder (which you also need to create). The content of the file rarely changes.
Is the file deployed with your web site? You may need to verify that the file is added as a Content file, not a None file, in the csproj file in Visual Studio.
If you do want to manage it from the CMS, then you can add a custom MVC route to a controller and deliver the text content.
I just dug up a small but significant piece of configuration from the archives.
Put the following in a new web.config file in the .well-known folder. Basically it turns off MVC's extensionless file handling.
<configuration><system.webServer>
<staticContent><mimeMap fileExtension="." mimeType="text/plain" /></staticContent>
<handlers><clear /><add name="StaticFile" path="*" verb="*" type="" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" scriptProcessor="" resourceType="Either" requireAccess="Read" allowPathInfo="false" preCondition="" responseBufferLimit="4194304" /></handlers>
</system.webServer></configuration>
Let me know how it works out for you.
Thank you Stefan. I ended up using a page type, controller, and simple address to handle this and so far it's working as hoped.
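The csproj check suggested earlier in the thread can be automated before a deploy. The following is an added example, not code from any poster here; it assumes a project file that lists its items explicitly, and the function names and the sample project are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Path from the thread, relative to the web project root.
TARGET = ".well-known/apple-developer-merchantid-domain-association"

def _local(tag):
    """Drop the MSBuild XML namespace so namespaced and plain projects both parse."""
    return tag.rsplit("}", 1)[-1]

def item_types_for(csproj_xml, target=TARGET):
    """Return the MSBuild item types (Content, None, ...) whose Include is `target`."""
    wanted = target.replace("\\", "/").lower()
    found = []
    for group in ET.fromstring(csproj_xml).iter():
        if _local(group.tag) != "ItemGroup":
            continue
        for item in group:
            # Project files usually store Windows separators; compare normalised.
            include = item.get("Include", "").replace("\\", "/").lower()
            if include == wanted:
                found.append(_local(item.tag))
    return found

def include_status(csproj_xml, target=TARGET):
    """'content' if published with the site, 'not-content' (e.g. None), or 'not-listed'."""
    types = item_types_for(csproj_xml, target)
    if not types:
        return "not-listed"
    return "content" if "Content" in types else "not-content"

# Constructed sample: the file is in the project, but as None, so the
# published site would not contain it and the URL would return 404.
SAMPLE_NONE = r"""<Project ToolsVersion="15.0"
    xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Content Include="Web.config" />
    <None Include=".well-known\apple-developer-merchantid-domain-association" />
  </ItemGroup>
</Project>"""

# Same project after changing the item's build action to Content.
SAMPLE_CONTENT = SAMPLE_NONE.replace("<None Include", "<Content Include")

if __name__ == "__main__":
    for name, xml in (("before", SAMPLE_NONE), ("after", SAMPLE_CONTENT)):
        print(name, include_status(xml))
```

A "not-listed" result only means the file has no explicit item; projects that pick up files by wildcard need a check of the published output instead.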