Security patch for MSA 2416728

2025-10-14 19:04:51 +08:00 · 2010-09-20 16:50:12 -07:00
parent 337e8e15e1
commit 7ba469cd9a
8 changed files with 102 additions and 11 deletions
--- a/src/Orchard.Azure/Orchard.Azure.Web/Error.aspx
+++ b/src/Orchard.Azure/Orchard.Azure.Web/Error.aspx
@@ -0,0 +1,27 @@
+<%@ Page Language="C#" AutoEventWireup="true" %>
+<%@ Import Namespace="System.Security.Cryptography" %>
+<%@ Import Namespace="System.Threading" %>
+
+<script runat="server">
+   void Page_Load() {
+      byte[] delay = new byte[1];
+      RandomNumberGenerator prng = new RNGCryptoServiceProvider();
+
+      prng.GetBytes(delay);
+      Thread.Sleep((int)delay[0]);
+        
+      IDisposable disposable = prng as IDisposable;
+      if (disposable != null) { disposable.Dispose(); }
+    }
+</script>
+
+<html>
+<head id="Head1" runat="server">
+    <title>Error</title>
+</head>
+<body>
+    <div>
+        An error occurred while processing your request.
+    </div>
+</body>
+</html>
--- a/src/Orchard.Azure/Orchard.Azure.Web/Orchard.Azure.Web.csproj
+++ b/src/Orchard.Azure/Orchard.Azure.Web/Orchard.Azure.Web.csproj
@@ -146,6 +146,7 @@
    <Compile Include="WebRole.cs" />
  </ItemGroup>
  <ItemGroup>
+    <Content Include="Error.aspx" />
    <Content Include="Global.asax" />
  </ItemGroup>
  <ItemGroup>
--- a/src/Orchard.Azure/Orchard.Azure.Web/Web.config
+++ b/src/Orchard.Azure/Orchard.Azure.Web/Web.config
@@ -87,7 +87,7 @@
            it enables developers to configure html error pages 
            to be displayed in place of a error stack trace.
    -->
-    <customErrors mode="Off"/>
+    <customErrors mode="RemoteOnly" redirectMode="ResponseRewrite" defaultRedirect="~/Error.aspx"/>
    <pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID">
      <namespaces>
        <add namespace="System.Web.Mvc"/>
@@ -100,6 +100,16 @@
      </namespaces>
    </pages>
    <httpHandlers>
+      <!-- Explicitly remove not necessary handlers -->
+      <remove path="eurl.axd" verb="*" />
+      <remove path="trace.axd" verb="*" />
+      <remove path="WebResource.axd" verb="*" />
+      <remove path="*_AppService.axd" verb="*" />
+      <remove path="ScriptResource.axd" verb="*" />
+      <remove path="*.rem" verb="*" />
+      <remove path="*.xoml" verb="*" />
+      <remove path="*.xamlx" verb="*" />
+
      <add verb="*" path="*.mvc" validate="false" type="System.Web.Mvc.MvcHttpHandler, System.Web.Mvc, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
    </httpHandlers>
  </system.web>
@@ -113,6 +123,16 @@
    <modules runAllManagedModulesForAllRequests="true">
    </modules>
    <handlers>
+      <!-- Explicitly remove not necessary handlers -->
+      <remove path="eurl.axd" verb="*" />
+      <remove path="trace.axd" verb="*" />
+      <remove path="WebResource.axd" verb="*" />
+      <remove path="*_AppService.axd" verb="*" />
+      <remove path="ScriptResource.axd" verb="*" />
+      <remove path="*.rem" verb="*" />
+      <remove path="*.xoml" verb="*" />
+      <remove path="*.xamlx" verb="*" />
+
      <remove name="MvcHttpHandler"/>
      <remove name="UrlRoutingHandler"/>
      <add name="MvcHttpHandler" preCondition="integratedMode" verb="*" path="*.mvc" type="System.Web.Mvc.MvcHttpHandler, System.Web.Mvc, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
--- a/src/Orchard.Specs/Orchard.Specs.csproj
+++ b/src/Orchard.Specs/Orchard.Specs.csproj
@@ -182,6 +182,7 @@
    </Content>
    <Content Include="Hosting\Orchard.Web\Core\Web.config">
      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+      <SubType>Designer</SubType>
    </Content>
    <Content Include="Hosting\Orchard.Web\Themes\Web.config">
      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
--- a/src/Orchard.Web/Error.aspx
+++ b/src/Orchard.Web/Error.aspx
@@ -0,0 +1,27 @@
+<%@ Page Language="C#" AutoEventWireup="true" %>
+<%@ Import Namespace="System.Security.Cryptography" %>
+<%@ Import Namespace="System.Threading" %>
+
+<script runat="server">
+   void Page_Load() {
+      byte[] delay = new byte[1];
+      RandomNumberGenerator prng = new RNGCryptoServiceProvider();
+
+      prng.GetBytes(delay);
+      Thread.Sleep((int)delay[0]);
+        
+      IDisposable disposable = prng as IDisposable;
+      if (disposable != null) { disposable.Dispose(); }
+    }
+</script>
+
+<html>
+<head id="Head1" runat="server">
+    <title>Error</title>
+</head>
+<body>
+    <div>
+        An error occurred while processing your request.
+    </div>
+</body>
+</html>
--- a/src/Orchard.Web/Orchard.Web.csproj
+++ b/src/Orchard.Web/Orchard.Web.csproj
@@ -97,6 +97,7 @@
  </ItemGroup>
  <ItemGroup>
    <Content Include="Default.aspx" />
+    <Content Include="Error.aspx" />
    <Content Include="Global.asax" />
    <Content Include="Refresh.html" />
    <Content Include="Themes\Contoso\Styles\search.css" />
--- a/src/Orchard.Web/Web.config
+++ b/src/Orchard.Web/Web.config
@@ -87,7 +87,7 @@
            it enables developers to configure html error pages 
            to be displayed in place of a error stack trace.
    -->
-    <customErrors mode="Off"/>
+    <customErrors mode="RemoteOnly" redirectMode="ResponseRewrite" defaultRedirect="~/Error.aspx"/>
    <pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID">
      <namespaces>
        <add namespace="System.Web.Mvc"/>
@@ -100,6 +100,16 @@
      </namespaces>
    </pages>
    <httpHandlers>
+      <!-- Explicitly remove not necessary handlers -->
+      <remove path="eurl.axd" verb="*" />
+      <remove path="trace.axd" verb="*" />
+      <remove path="WebResource.axd" verb="*" />
+      <remove path="*_AppService.axd" verb="*" />
+      <remove path="ScriptResource.axd" verb="*" />
+      <remove path="*.rem" verb="*" />
+      <remove path="*.xoml" verb="*" />
+      <remove path="*.xamlx" verb="*" />
+      
      <add verb="*" path="*.mvc" validate="false" type="System.Web.Mvc.MvcHttpHandler, System.Web.Mvc, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
    </httpHandlers>
  </system.web>
@@ -113,6 +123,16 @@
    <modules runAllManagedModulesForAllRequests="true">
    </modules>
    <handlers>
+      <!-- Explicitly remove not necessary handlers -->
+      <remove path="eurl.axd" verb="*" />
+      <remove path="trace.axd" verb="*" />
+      <remove path="WebResource.axd" verb="*" />
+      <remove path="*_AppService.axd" verb="*" />
+      <remove path="ScriptResource.axd" verb="*" />
+      <remove path="*.rem" verb="*" />
+      <remove path="*.xoml" verb="*" />
+      <remove path="*.xamlx" verb="*" />
+
      <remove name="MvcHttpHandler"/>
      <remove name="UrlRoutingHandler"/>
      <add name="MvcHttpHandler" preCondition="integratedMode" verb="*" path="*.mvc" type="System.Web.Mvc.MvcHttpHandler, System.Web.Mvc, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
--- a/src/Orchard/Mvc/Results/NotFoundResult.cs
+++ b/src/Orchard/Mvc/Results/NotFoundResult.cs
@@ -1,17 +1,11 @@
+using System.Net;
+using System.Web;
 using System.Web.Mvc;

 namespace Orchard.Mvc.Results {
    public class NotFoundResult : ViewResult {
        public override void ExecuteResult(ControllerContext context) {
-            ViewName = "NotFound";
-
-            ViewData = context.Controller.ViewData;
-            TempData = context.Controller.TempData;
-
-            base.ExecuteResult(context);
-
-            context.HttpContext.Response.StatusDescription = "File Not Found";
-            context.HttpContext.Response.StatusCode = 404;
+            throw new HttpException((int)HttpStatusCode.NotFound, "Resource not found");
        }
    }
 }