Create a web.config that re-enables static file access protection for files under the tenant's RecipeJournal folder. Filenames are GUIDs and not easy to predict, and by default we don't put sensitive information in the journal.

However it is possible custom step handlers can decide to write out to the journal as well, that's why this was needed. --HG-- branch : dev
2025-10-21 03:14:10 +08:00 · 2011-02-23 10:34:50 -08:00
parent ffc276a1fe
commit d97e90f402
1 changed files with 29 additions and 1 deletions
--- a/src/Orchard.Web/Modules/Orchard.Recipes/Services/RecipeJournalManager.cs
+++ b/src/Orchard.Web/Modules/Orchard.Recipes/Services/RecipeJournalManager.cs
@@ -11,6 +11,22 @@ namespace Orchard.Recipes.Services {
    public class RecipeJournalManager : IRecipeJournal {
        private readonly IStorageProvider _storageProvider;
        private readonly string _recipeJournalFolder = "RecipeJournal" + Path.DirectorySeparatorChar;
+        private const string WebConfig = 
+@"
+<configuration>
+  <system.web>
+    <httpHandlers>
+      <clear />
+      <add path=""*"" verb=""*"" type=""System.Web.HttpNotFoundHandler""/>
+    </httpHandlers>
+  </system.web>
+  <system.webServer>
+    <handlers accessPolicy=""Script"">
+      <clear/>
+      <add name=""NotFound"" path=""*"" verb=""*"" type=""System.Web.HttpNotFoundHandler"" preCondition=""integratedMode"" requireAccess=""Script""/>
+    </handlers>
+  </system.webServer>
+</configuration>";

        public RecipeJournalManager(IStorageProvider storageProvider) {
            _storageProvider = storageProvider;
@@ -78,7 +94,11 @@ namespace Orchard.Recipes.Services {
            IStorageFile journalFile;
            var journalPath = Path.Combine(_recipeJournalFolder, executionId);
            try {
-                _storageProvider.TryCreateFolder(_recipeJournalFolder);
+                if (_storageProvider.TryCreateFolder(_recipeJournalFolder)) {
+                    var webConfigPath = Path.Combine(_recipeJournalFolder, "web.config");
+                    var webConfigFile = _storageProvider.CreateFile(webConfigPath);
+                    WriteWebConfig(webConfigFile);
+                }
                journalFile = _storageProvider.GetFile(journalPath);
            }
            catch (ArgumentException) {
@@ -109,6 +129,14 @@ namespace Orchard.Recipes.Services {
            }
        }

+        private static void WriteWebConfig(IStorageFile webConfigFile) {
+            using (var stream = webConfigFile.OpenWrite()) {
+                using (var tw = new StreamWriter(stream)) {
+                    tw.Write(WebConfig);
+                }
+            }
+        }
+
        private static RecipeStatus ReadStatusFromJournal(XElement xElement) {
            switch (xElement.Element("Status").Value) {
                case "Started":