Vulnerability in EPiServer.Forms
In CMS 12.22.8 and onwards (at the time of writing this post, 12.22.8 and 12.23.0) the client resources (e.g., custom styles for the UI) from the root module (i.e., defined in module.config in the root of the project) are no longer loaded by the CMS UI. The resource is requested by the CMS UI, but 404 is returned.

Steps to reproduce:

1) Create an empty Alloy project with dotnet new epi-alloy-mvc --name AlloyTest. The default version of CMS in the template is 12.18.0 at the time of writing.

2) Create a root module.config with the following content (the module, assemblies and clientResources wrapper elements are restored here; the forum rendering of the post shows only the two add lines):

<?xml version="1.0" encoding="utf-8"?>
<module>
  <assemblies>
    <add assembly="AlloyTest" />
  </assemblies>
  <clientResources>
    <add name="epi-cms.widgets.base" path="Styles/Styles.css" resourceType="Style"/>
  </clientResources>
</module>

3) Create ClientResources/Styles/Styles.css with example content.

4) Run the solution. The custom style is loaded from https://localhost:5000/ClientResources/Styles/Styles.css in the CMS UI.

5) [Optional] Upgrade CMS to 12.22.7. The custom style will still be loaded.

6) Upgrade CMS to 12.22.8 or 12.23.0.

7) Run the solution. The custom style will no longer be loaded; the CMS UI will still try to load it, but the URL will return 404.

I suppose this is an unintended side effect of the mitigation of the vulnerability found in 12.X: https://world.optimizely.com/blogs/Magnus-Rahl/Dates/2023/9/vulnerability-in-cms-12-shell-module-configuration/ However, the linked blog post didn't mention any required changes in module.config to still run custom styles, and changes to clientResourceRelativePath didn't make any difference.

If someone knows a solution or a workaround for this, I would be grateful for hints :)
I have forwarded the question to the respective team. Thank you for your patience and understanding.
@Karol, since this is a vulnerability we will respond to you separately. For anyone reading this thread: this is the expected behaviour.
The only fix / hack that I got working for this issue was to copy the ClientResources folder into the wwwroot folder. But it shouldn't be like that right?
I believe it's the correct/recommended way
2 comments:

1: If the correct way is to copy the ClientResources folder into the wwwroot folder, then that copied folder has to be double updated every time changes are done in the source folder? It seems sick.

2: I tried updating to 12.24 today with the simple Alloy example from above and that didn't help anything. So the current ClientResources concept, with copying into the wwwroot folder, is as it should be?
Well, it is explained here, from yesterday's update: https://world.optimizely.com/forum/developer-forum/cms-12/thread-container/2023/10/404-on-clientresources-files-all-of-a-sudden-after-upgrade-to-12-23/
Hi Soren S,

In my opinion the linked solution provided by support is quite bad, because the files were previously protected by the "episerver:defaultshellmodule" authorization policy, and with moving them to wwwroot they are publicly available. Of course, if you don't have anything you'd like to protect, then it probably doesn't matter.

I have implemented a solution that has at least some level of protection, but I'm not sure if I'm allowed to share it here, since this topic is shrouded in 'security by obscurity'.
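The concern raised above is that copying ClientResources into wwwroot serves the files to anyone, while the shell module used to serve them behind the "episerver:defaultshellmodule" policy. The following is an added example for this thread, not Optimizely's code and not the solution Karol mentions: an endpoint that serves the project-root ClientResources folder behind that same policy. It assumes (none of this is stated in the thread) CMS 12 on ASP.NET Core 6 or later with endpoint routing, that the CMS already registers the policy, that the folder lives directly under the content root, and that nothing else in the pipeline claims the /ClientResources/ path any more (the thread reports the CMS now answers 404 there). The class and method names are invented for the example.

```csharp
// Added example, not from the thread or from Optimizely. Serves <ContentRoot>/ClientResources
// behind the "episerver:defaultshellmodule" policy instead of copying it into wwwroot.
// Assumptions: ASP.NET Core 6+, endpoint routing, the policy is registered by the CMS,
// and the /ClientResources/ prefix is free (the CMS now returns 404 for it).
using System.IO;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Routing;
using Microsoft.AspNetCore.StaticFiles;
using Microsoft.Extensions.FileProviders;

namespace AlloyTest.Infrastructure
{
    public static class ProtectedClientResources
    {
        // Maps file extensions (.css, .js, .png, ...) to MIME types, same table UseStaticFiles uses.
        private static readonly FileExtensionContentTypeProvider ContentTypes = new();

        // Call from Startup.Configure inside app.UseEndpoints(endpoints => { ... }),
        // after endpoints.MapContent(), where env is the injected IWebHostEnvironment:
        //     endpoints.MapProtectedClientResources(env);
        public static IEndpointConventionBuilder MapProtectedClientResources(
            this IEndpointRouteBuilder endpoints, IWebHostEnvironment env)
        {
            // Root of the folder to expose. Anything outside it must never be reachable.
            var root = Path.Combine(env.ContentRootPath, "ClientResources");
            var files = new PhysicalFileProvider(root);

            return endpoints.MapGet("/ClientResources/{**path}", (string path) =>
            {
                // PhysicalFileProvider resolves the request relative to its root and
                // returns a NotFoundFileInfo for anything that escapes it ("..", rooted
                // paths, invalid characters), so a traversal attempt becomes a 404 rather
                // than a read of another file on disk. Hidden and system files are
                // excluded by its default filter.
                var file = files.GetFileInfo(path);
                if (!file.Exists || file.IsDirectory || file.PhysicalPath is null)
                {
                    return Results.NotFound();
                }

                if (!ContentTypes.TryGetContentType(file.Name, out var contentType))
                {
                    contentType = "application/octet-stream";
                }

                return Results.File(file.PhysicalPath, contentType);
            })
            // Same policy that protected the shell module's resources before the change,
            // so unauthenticated requests are challenged instead of served.
            .RequireAuthorization("episerver:defaultshellmodule");
        }
    }
}
```

Two points worth checking after wiring this in: request the CSS URL in a private browser window with no CMS session and confirm you are challenged rather than served, and request a path such as /ClientResources/../appsettings.json and confirm it returns 404. If the CMS UI computes a different URL for the resource on your version, adjust the route pattern to match what the UI actually requests rather than the other way round.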