
2010-04-29 Marek Habersack <mhabersack@novell.com>

	* PagesConfiguration.cs: make EnableViewStateMac default to
	true. Fixes bug #592428 
	Fixes cross-site scripting vulnerability (CVE: CVE-2010-1459)
	Credits: Web Security Research Group (WSRG) of Hewlett Packard
	(HP)

2010-04-29  Marek Habersack  <mhabersack@novell.com>

	* PageParser.cs, Page.cs: do not ignore the EnableViewStateMac
	directive attribute. Fixes bug #592428
	Fixes cross-site scripting vulnerability (CVE: CVE-2010-1459)
	Credits: Web Security Research Group (WSRG) of Hewlett Packard
	(HP)

svn path=/branches/mono-1-9-1-1/mcs/; revision=156448
1 parent fa2352e commit c115636e0f354c3217920614182a3dfec4337541 @grendello grendello committed Apr 29, 2010
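--- a/mcs/class/System.Web/System.Web.Compilation/PageCompiler.cs
+++ b/mcs/class/System.Web/System.Web.Compilation/PageCompiler.cs
@@ -183,10 +183,12 @@ static CodeAssignStatement CreatePropertyAssign (string name, object value)
 protected override void AddStatementsToInitMethod (CodeMemberMethod method)
 {
-#if NET_2_0
 ILocation directiveLocation = pageParser.DirectiveLocation;
-
 CodeArgumentReferenceExpression ctrlVar = new CodeArgumentReferenceExpression("__ctrl");
+
+ if (pageParser.EnableViewStateMacSet)
+ method.Statements.Add (AddLinePragma (CreatePropertyAssign (ctrlVar, "EnableViewStateMac", pageParser.EnableViewStateMac), directiveLocation));
+#if NET_2_0
 if (pageParser.Title != null)
 method.Statements.Add (AddLinePragma (CreatePropertyAssign (ctrlVar, "Title", pageParser.Title), directiveLocation));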
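Review bot: The new `if (pageParser.EnableViewStateMacSet)` guard has no comment saying why the `EnableViewStateMac` assignment is conditional, and this is the one place where a page author's `EnableViewStateMac="false"` turns into generated code that removes the view-state MAC, so the intent needs to be explicit to stop a later cleanup from making the assignment unconditional. I would put this above the `if`: `// Emit only when the @Page directive set it explicitly; otherwise Page() takes the <pages> default (true). A per-page "false" disables the __VIEWSTATE MAC and must remain an explicit opt-out.`. Moving the assignment above `#if NET_2_0` means it is now generated for the 1.x profile as well, which appears deliberate given the Page.cs change in this commit. AddStatementsToInitMethod continues past the end of this hunk.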
8 mcs/class/System.Web/System.Web.Configuration/ChangeLog
@@ -1,3 +1,11 @@
+2010-04-29 Marek Habersack <mhabersack@novell.com>
+
+ * PagesConfiguration.cs: make EnableViewStateMac default to
+ true. Fixes bug #592428
+ Fixes cross-site scripting vulnerability (CVE: CVE-2010-1459)
+ Credits: Web Security Research Group (WSRG) of Hewlett Packard
+ (HP)
+
2008-08-20 Marek Habersack <mhabersack@novell.com>
* HttpRuntimeConfig.cs: implemented the undocumented (but
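--- a/mcs/class/System.Web/System.Web.Configuration/PagesConfiguration.cs
+++ b/mcs/class/System.Web/System.Web.Configuration/PagesConfiguration.cs
@@ -38,7 +38,7 @@ class PagesConfiguration
 internal bool Buffer = true;
 internal PagesEnableSessionState EnableSessionState = PagesEnableSessionState.True;
 internal bool EnableViewState = true;
- internal bool EnableViewStateMac = false;
+ internal bool EnableViewStateMac = true;
 internal bool SmartNavigation = false;
 internal bool AutoEventWireup = true;
 internal bool ValidateRequest = true;
@@ -66,6 +66,8 @@ static public PagesConfiguration GetInstance (HttpContext context)
 {
 if (context == null)
 context = HttpContext.Current;
+ if (context == null)
+ return null;
 return context.GetConfig ("system.web/pages") as PagesConfiguration;
 }
 }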
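Review bot: The flipped initializer `internal bool EnableViewStateMac = true;` is the line that makes this fix fail-secure, yet nothing next to it records why it must not be switched back; the rationale currently lives only in the ChangeLog. A one-line comment on the field keeps the constraint visible to whoever next touches these defaults: `// Must default to true (matches Microsoft ASP.NET): without the MAC, __VIEWSTATE can be forged by the client (CVE-2010-1459).`. The same applies to any `<pages enableViewStateMac="false">` handling elsewhere in the parser, which this diff does not show, so I cannot confirm the config attribute path also lands on this field.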
8 mcs/class/System.Web/System.Web.UI/ChangeLog
@@ -1,3 +1,11 @@
+2010-04-29 Marek Habersack <mhabersack@novell.com>
+
+ * PageParser.cs, Page.cs: do not ignore the EnableViewStateMac
+ directive attribute. Fixes bug #592428
+ Fixes cross-site scripting vulnerability (CVE: CVE-2010-1459)
+ Credits: Web Security Research Group (WSRG) of Hewlett Packard
+ (HP)
+
2008-03-13 Marek Habersack <mhabersack@novell.com>
* TemplateParser.cs: HttpApplication.BinaryDirectories property no longer
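--- a/mcs/class/System.Web/System.Web.UI/Page.cs
+++ b/mcs/class/System.Web/System.Web.UI/Page.cs
@@ -188,10 +188,15 @@ public Page ()
 if (ps != null) {
 asyncTimeout = ps.AsyncTimeout;
 viewStateEncryptionMode = ps.ViewStateEncryptionMode;
+ _viewStateMac = ps.EnableViewStateMac;
 } else {
 asyncTimeout = TimeSpan.FromSeconds (DefaultAsyncTimeout);
 viewStateEncryptionMode = ViewStateEncryptionMode.Auto;
 }
+#else
+ PagesConfiguration ps = PagesConfiguration.GetInstance (HttpContext.Current);
+ if (ps != null)
+ _viewStateMac = ps.EnableViewStateMac;
+#endif
 }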
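Review bot: When `PagesConfiguration.GetInstance` returns null (which it now does whenever there is no HttpContext), `_viewStateMac` is never assigned on either profile: the NET_2_0 `else` branch spells out defaults for `asyncTimeout` and `viewStateEncryptionMode` but not for `_viewStateMac`, and the new `#else` path only assigns inside `if (ps != null)`. The secure value then depends entirely on the field's initializer, which is not visible in this hunk, so the fail-secure behaviour should be stated where the other defaults are: add `_viewStateMac = true;` to the `else` block, and on the 1.x path write `_viewStateMac = ps != null ? ps.EnableViewStateMac : true;`. That is a two-line change and keeps both profiles consistent with the new `<pages>` default. The constructor `Page ()` begins before this hunk.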
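--- a/mcs/class/System.Web/System.Web.UI/PageParser.cs
+++ b/mcs/class/System.Web/System.Web.UI/PageParser.cs
@@ -44,7 +44,8 @@ namespace System.Web.UI
 public sealed class PageParser : TemplateControlParser
 {
 PagesEnableSessionState enableSessionState = PagesEnableSessionState.True;
- bool enableViewStateMac = true;
+ bool enableViewStateMac;
+ bool enableViewStateMacSet;
 bool smartNavigation;
 bool haveTrace;
 bool trace;
@@ -376,8 +377,12 @@ internal override void ProcessMainAttributes (Hashtable atts)
 enable_event_validation = GetBool (atts, "EnableEventValidation", true);
 maintainScrollPositionOnPostBack = GetBool (atts, "MaintainScrollPositionOnPostBack", maintainScrollPositionOnPostBack);
 #endif
+ if (atts.ContainsKey ("EnableViewStateMac")) {
+ enableViewStateMac = GetBool (atts, "EnableViewStateMac", enableViewStateMac);
+ enableViewStateMacSet = true;
+ }
+
 // Ignored by now
- GetString (atts, "EnableViewStateMac", null);
 GetString (atts, "SmartNavigation", null);
 base.ProcessMainAttributes (atts);
@@ -458,6 +463,10 @@ protected override Type CompileIntoType ()
 internal bool EnableViewStateMac {
 get { return enableViewStateMac; }
 }
+
+ internal bool EnableViewStateMacSet {
+ get { return enableViewStateMacSet; }
+ }
 internal bool SmartNavigation {
 get { return smartNavigation; }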
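Review bot: Dropping the `= true` initializer makes `enableViewStateMac` default to false, so the `EnableViewStateMac` getter now reports the insecure value for every page that has no directive attribute and is only correct when paired with `EnableViewStateMacSet`; PageCompiler in this commit does check the flag, but any other reader of the getter that does not (none is visible in this diff) would silently get false. Keeping the secure initializer costs nothing and makes the getter safe on its own: `bool enableViewStateMac = true; // only meaningful when enableViewStateMacSet`. Separately, the existing `// Ignored by now` comment now sits directly under the new `EnableViewStateMac` block while describing only the `SmartNavigation` line below it, so I would change it to `// SmartNavigation is ignored by now` to avoid a misleading read. ProcessMainAttributes continues past the end of its hunk.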
