We are using sessions to store certain information, but when we try and view pages using these session variables, these pages give an error that session state is not enabled. We have enabled it in the web.config. Has anyone else come across this? I would appreciate feedback as soon as possible as this is holding up our development!
Yes, I have reported this and it has been accepted as Bug #54423: Compare page versions crashes when page uses session object.
Thanks for getting back to me. Is this something that is likely to be fixed soon, or should we go ahead and assume this will be a problem for the foreseeable future?
My guess is it won't be fixed until there is a CMS 6 SP1, or if that is close there's a risk it might have been reported too late and won't make it to SP1. I can't find it in the bug list now, but I never really got along with the bug list. From what I can see from other CMS 6 bugs there is not yet a version set for when they are going to be released.
I simply worked around it by removing the option to compare differences. I copied the file PageComparePlugin.ascx from the edit UI and placed the copy in my project. I then commented out the option to compare differences (it has resource key epidiff.choose.radiodiff). Then I used the virtualpathmappedprovider to replace the control in the UI with my customized version.
We have the same problem here, and the modification of PageComparePlugin solved it as you said, but I'm not getting the virtualpathmappedprovider to work.
Could you see anything wrong with this configuration?
<add showInFileManager="false" virtualName="UIMapping" virtualPath="~/episerver/CMS" bypassAccessCheck="false" name="UIMapping" type="EPiServer.Web.Hosting.VirtualPathMappedProvider,EPiServer"/>
</providers>
<virtualPathMappings>
  <add url="~/UI/CMS/admin/mockup.aspx" mappedUrl="~/UI_Cms5/Admin/mockup.aspx"/>
  <add url="~/UI/CMS/admin/OrderInfo.aspx" mappedUrl="~/UI_Cms5/Admin/OrderInfo.aspx"/>
  <add url="~/UI/CMS/edit/PageCompare/PlugIn/PageComparePlugin.ascx" mappedUrl="~/UI_Cms5/Edit/PageCompare/PlugIn/PageComparePlugin.ascx"/>
I assume that your uiUrl in sitesettings is "~/UI/"? If it is "~/UI/CMS/" you are missing a "CMS/" in the urls (because of the new structure of the UI in CMS 6).
Otherwise it looks OK, but try to change the virtualPath of the provider to "~/UI/", that would be equivalent to what I have. I don't know if the difference is that your mapper is outside the structure where the mappings are, or simply that the trailing slash is missing.
Yes, the uiUrl is "~/UI/" and by removing the "CMS" from the virtualPathMappings url= it worked!
By removing CMS from the path? That is certainly not what I expected, but if it works, then yay! :)
To clarify (if anyone else reads this thread later): say siteSettings uiUrl is "~/path/to/UI/" and the other VPPs for UI, Utils etc. are set up correctly and accordingly, then the paths to the PageComparePlugin would be:
CMS5 : ~/path/to/UI/Edit/PageCompare/Plugin/PageComparePlugin.ascx
CMS6 : ~/path/to/UI/CMS/Edit/PageCompare/Plugin/PageComparePlugin.ascx
The extra level of depth is a difference in the internal structure of the UI between CMS 5 and 6. So the path mapping in CMS6 would be:
<add url="~/path/to/UI/CMS/Edit/PageCompare/Plugin/PageComparePlugin.ascx" mappedUrl="~/CustomEdit/PageComparePlugin.ascx" />
I'm not sure about the virtualPath of the VirtualPathMappedProvider, but if you are replacing files inside the UI, set it to the same as uiUrl in siteSettings:
<add showInFileManager="false" virtualName="UIFiles" virtualPath="~/path/to/UI/" bypassAccessCheck="false" name="UIMappingVPP" type="EPiServer.Web.Hosting.VirtualPathMappedProvider,EPiServer" />
You can add multiple VirtualPathMappedProvider entries if you want to map files in other locations as well. Or, I suppose, you can let the virtualPath be "~/" but that could cause it to be queried for every file, which it would of course not match but still add overhead.