Vulnerability in EPiServer.Forms
I have a project built on EPiServer 7.0 which references Newtonsoft JSON.NET v5.0.1. At the same time, there is another Newtonsoft JSON.NET v4.0.2 in modulesbin folder which, as far as I understood, is required by Google.Apis library also located in modulesbin folder.
I developed my application using the features available in JSON.NET v5.0.1 but when I deploy my application, create/edit a page and click on Publish, I get an error saying "Method not found: 'Void Newtonsoft.Json.JsonSerializerSettings.set_DateFormatString(System.String)'". I assumed that this is happening because of this code in my application:
public static readonly JsonSerializerSettings SerializerSettings = new JsonSerializerSettings();
SerializerSettings.DateFormatString = "yyyy-MM-ddTH:mm:ss";
My guess is that DateFormatString is not available in v4.0.2 of this library. Unfortunately I was not able to find the documentation for that version to confirm that. But I wonder why IIS is serving the DLL located in modulesbin but not in bin folder?! I even tried to add bindingRedirect in web.config which unfortunately didn't help.
The dlls in the modulesbin folder are also used by the application (by addons) so nothing strange there. I had a similar problem with log4net earlier. I think I resolved it by having the new dll in the bin folder combined with an assembly redirect in web.config pointing to the newest version. If that doesn't work you can always downgrade your solution and do a workaround for the missing method. Reinstalling the addon might also help if you added your code later.
The newer version of JSON.NET is already in the bin folder and there is a redirect in web.config. But that doesn't help to resolve the problem.
I had to do a workaround by changing DateTime properties to private variables, introducing string properties and serializing DateTime variables to strings in their getters, and removing the code with DateFormatString.
The problem is that one can develop something using a newer version of a library and discover it won't work only at runtime. That's really inconvenient. EPiServer would include some logic to warn (preferably at compile time) that two different versions of the same library are present which can cause conflicts.
The idea is that you should never have two dlls in both bin and modulesbin in the first place. Addon dependencies should take care of that in the best of worlds. Obviously it failed in this case...
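A deploy-time version of the warning asked for in the thread, as an added example that is not from any poster or from EPiServer: it lists every managed assembly that is present in more than one version across the bin and modulesbin folders. The `$SiteRoot` default, the function names and the non-zero exit code are assumptions of this sketch.

```powershell
# Added example. Requires PowerShell 3.0 or later.
# Assumption: $SiteRoot is the web application's root, containing bin and modulesbin.
param(
    [string]$SiteRoot = '.',
    [string[]]$Folders = @('bin', 'modulesbin')
)

# Read the assembly identity (name and version) of every DLL in the given folders.
function Get-AssemblyInventory {
    param([string]$Root, [string[]]$Folders)
    foreach ($folder in $Folders) {
        $path = Join-Path $Root $folder
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path -Filter *.dll -Recurse -File | ForEach-Object {
            try {
                # GetAssemblyName reads the manifest without loading the assembly.
                $name = [System.Reflection.AssemblyName]::GetAssemblyName($_.FullName)
                [pscustomobject]@{
                    Name    = $name.Name
                    Version = $name.Version
                    Folder  = $folder
                    Path    = $_.FullName
                }
            } catch {
                # Native or unreadable DLLs have no usable manifest; skip them.
            }
        }
    }
}

# Group by simple assembly name and keep names that appear with more than one version.
function Find-VersionConflict {
    param([string]$Root, [string[]]$Folders)
    Get-AssemblyInventory -Root $Root -Folders $Folders |
        Group-Object Name |
        Where-Object { @($_.Group.Version | Sort-Object -Unique).Count -gt 1 }
}

$conflicts = @(Find-VersionConflict -Root $SiteRoot -Folders $Folders)
foreach ($c in $conflicts) {
    Write-Warning "Multiple versions of $($c.Name) are deployed:"
    $c.Group | Sort-Object Version |
        Format-Table Version, Folder, Path -AutoSize | Out-String | Write-Host
}
# A non-zero exit code lets a build or deployment step fail on a conflict.
if ($conflicts.Count -gt 0) { exit 1 }
```

The comparison uses the assembly version from the manifest, which is what the runtime binds against and which can differ from the package or file version.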