Vulnerability in EPiServer.Forms
One more surprising and silly issue I found while working with Episerver CMS 7 role management. Actually I am working on my custom Episerver MVC site, but I found the same issue in the sample enoteca site also. The issue is:
Open the enoteca site
Log in as admin
Go to CMS > Admin > Administer groups
Create a group "Sample Group"
Try to delete it. You will get:
Exception Details: System.Configuration.Provider.ProviderException: The role 'sample+group' was not found.
[ProviderException: The role 'sample+group' was not found.]
System.Web.Security.SqlRoleProvider.GetUsersInRole(String roleName) +1440
EPiServer.UI.Admin.DeleteMembershipDialog.DeleteUser_Click(Object sender, EventArgs e) +551
It says there is no role with the given name to delete.
Now create a group named "SampleGroup", i.e. without a space.
This time you can successfully delete it.
I cornered the problem:
When there is a space in the role name, the URL replaces the space with "%2b", but it should be "%20".
Actual URL: http://localhost:17001/episerver/CMS/admin/DeleteMembershipDialog.aspx?NameRoleOrUser=sample%2bgroup&SecurityEntity=1&ProviderName=CMSRoleProvider
But it should be: http://localhost:17001/episerver/CMS/admin/DeleteMembershipDialog.aspx?NameRoleOrUser=sample%20group&SecurityEntity=1&ProviderName=CMSRoleProvide
When I replaced the %2b with %20, I was able to delete it successfully!
I think it's a bug. Please tell me if any one of you has faced the same issue and found any workaround to deal with it. It will be helpful for me.
Thanks in advance
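The symptom in the post (a space arriving at the server as a literal "+", and the page showing "%2b" in the URL) is the classic double-encoding trap: a value is form-encoded once (space becomes "+") and then percent-encoded again, so the "+" turns into "%2B" and the server decodes it back to a literal plus rather than a space. The following is an added example, written here in Python to model that failure mode and its fix; it is not EPiServer's code, and the exact cause inside EPiServer is an assumption consistent with the symptom. The path and query parameter names are taken from the URLs in the post; `parse_qs` stands in for the server-side query-string decoding.

```python
import re
from urllib.parse import quote, quote_plus, urlsplit, parse_qs

# Path and query layout copied from the URLs quoted in the post.
DIALOG_PATH = "/episerver/CMS/admin/DeleteMembershipDialog.aspx"
TAIL = "&SecurityEntity=1&ProviderName=CMSRoleProvider"


def build_url_double_encoded(role_name: str) -> str:
    """Model of the suspected bug (assumption, not EPiServer's actual code):
    the name is form-encoded once (space -> '+'), then the whole value is
    percent-encoded a second time, so the '+' becomes '%2B'."""
    once = quote_plus(role_name)       # "sample group" -> "sample+group"
    twice = quote(once, safe="")       # "sample+group" -> "sample%2Bgroup"
    return f"{DIALOG_PATH}?NameRoleOrUser={twice}{TAIL}"


def build_url_correct(role_name: str) -> str:
    """Encode the value exactly once with percent-encoding (space -> %20),
    which is what the post says the URL should contain."""
    return f"{DIALOG_PATH}?NameRoleOrUser={quote(role_name, safe='')}{TAIL}"


def role_name_seen_by_server(url: str) -> str:
    """Decode the query string the way a form-aware server does
    (modelled with parse_qs): '+' -> space, '%2B' -> literal '+'."""
    query = urlsplit(url).query
    return parse_qs(query)["NameRoleOrUser"][0]


def apply_workaround(url: str) -> str:
    """The manual fix from the post: rewrite every %2b/%2B in the URL as %20.
    Note this is a blunt text substitution, so it also corrupts any name
    that genuinely contains a '+' (see the usage note)."""
    return re.sub(r"%2[bB]", "%20", url)


def can_delete(url: str, existing_roles: set) -> bool:
    """Mimic the provider lookup that throws 'role ... was not found':
    deletion only succeeds if the decoded name matches a stored role."""
    return role_name_seen_by_server(url) in existing_roles


if __name__ == "__main__":
    roles = {"sample group", "SampleGroup"}   # constructed sample role store
    buggy = build_url_double_encoded("sample group")
    print(buggy)                                   # ...NameRoleOrUser=sample%2Bgroup...
    print(role_name_seen_by_server(buggy))         # sample+group  -> lookup fails
    print(can_delete(buggy, roles))                # False
    print(can_delete(apply_workaround(buggy), roles))   # True
    print(can_delete(build_url_correct("sample group"), roles))  # True
```

The double-encoded URL decodes to "sample+group", which is exactly the name in the ProviderException above; the single-encoded URL decodes to "sample group" and the lookup succeeds. The caveat for the manual workaround: `apply_workaround` rewrites every %2B, so a group whose name really contains a plus sign (encoded correctly as %2B) would be turned into a space and the lookup would fail again; the real fix is to encode the value once, not to patch the URL afterwards.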
It's a bug - see http://world.episerver.com/Modules/Forum/Pages/Thread.aspx?id=75160
Thank you for the quick reply, but #91051 is different: it is about "cannot delete user with @ in the user name". But I did not find any closed bug related to the "cannot delete group containing space in it" issue. Please tell me if it is already fixed.
I have posted it as a bug report to episerver feedback on the above issue.
Thanks in advance
Hi, 91051 is the same issue as this one; it was reported with @ but refers to special characters and has a few related bugs that are closed as Duplicate. One of them is named "Can't delete user/group that has whitespace in username/groupname".
Thanks for the reply. Any idea in which patch it is fixed? In the bug detail there is no patch number for "fixed in". http://world.episerver.com/Support/Bug-list-beta/bug/91051/
The bug fix will be released in the next major version of EPiServer, i.e. 7.5, since the fix affects the markup files.
However, there is a workaround for now. Copy the URL from the Delete User/Group dialog box and open it in a new tab/window, replace the %2B between the parts of the group name with a blank space and press enter. You should be able to delete the group/user. Example: Group name is "my group":