Vulnerability in EPiServer.Forms
We set up a site from the Alloy template. Initially, https://siteurl/register was working. After we introduced languages, this route stopped working. I can see this message in the log file DEBUG EPiServer.Web.Routing.Segments.Internal.LanguageSegment: There was no language segment found for url 'register' and no language host mapping found therefore routing is stopped due to strict routing setting
I searched for the issue and tried everything suggested but I am still getting 404. Mainly followed this article https://world.episerver.com/blogs/Johan-Bjornfot/Dates1/2014/9/Changes-in-simple-address-routing/
It was for a much earlier version though. We are using version 22.214.171.124. What am I missing? Thanks for the help.
I assume once you add another your new language URL works but the original URLs does not work? Once you have more than 1 language then your original URL should have a language identifier.
For example, your original Url is https://test.com/news
You have added a new language (let's say DE) - The new language url will be https://de.test.com/news or https://test.com/de/news (depends how you have setup in Manage websites/host settings)
Now your original url https://test.com/news gives you 404
The new "original" URL will be https://test.com/en/news
if you specify default culture (let's say en) then your https://test.com/news will works as well
Thanks for responding. /Register is a custom route to create users in ASPNet Identity. It doesn't have a corresponding CMS page item in Episerver CMS. So, it is not the same as /news or en/news. I tried with en/register, that throws 404 too. The default language is set to en. All our CMS pages work without any problem.
The out of the box register page created in Alloy is specifically for the creation of the first admin user. The register page itself has a check in the Business/AdministrationRegisterPage.cs class to if it's enabled such as if a user is register and if it's a local request. They might be blocking the page from loading so you'll have to adapt this logic if you need to use it
See the authorization check in the RegisterController class
protected override void OnAuthorization(AuthorizationContext filterContext)
filterContext.Result = new HttpNotFoundResult();