2010-04-29 Marek Habersack <mhabersack@novell.com>

	* PagesConfiguration.cs: make EnableViewStateMac default to
	true. Fixes bug #592428 
	Fixes cross-site scripting vulnerability (CVE: CVE-2010-1459)
	Credits: Web Security Research Group (WSRG) of Hewlett Packard
	(HP)

2010-04-29  Marek Habersack  <mhabersack@novell.com>

	* PageParser.cs, Page.cs: do not ignore the EnableViewStateMac
	directive attribute. Fixes bug #592428
	Fixes cross-site scripting vulnerability (CVE: CVE-2010-1459)
	Credits: Web Security Research Group (WSRG) of Hewlett Packard
	(HP)

svn path=/branches/mono-1-9-1-1/mcs/; revision=156448
commit c115636e0f354c3217920614182a3dfec4337541 1 parent fa2352e
Marek Habersack grendello authored
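--- a/mcs/class/System.Web/System.Web.Compilation/PageCompiler.cs
+++ b/mcs/class/System.Web/System.Web.Compilation/PageCompiler.cs
@@ -183,10 +183,12 @@ static CodeAssignStatement CreatePropertyAssign (string name, object value)
 
 protected override void AddStatementsToInitMethod (CodeMemberMethod method)
 {
-#if NET_2_0
 ILocation directiveLocation = pageParser.DirectiveLocation;
-
 CodeArgumentReferenceExpression ctrlVar = new CodeArgumentReferenceExpression("__ctrl");
+
+ if (pageParser.EnableViewStateMacSet)
+ method.Statements.Add (AddLinePragma (CreatePropertyAssign (ctrlVar, "EnableViewStateMac", pageParser.EnableViewStateMac), directiveLocation));
+#if NET_2_0
 if (pageParser.Title != null)
 method.Statements.Add (AddLinePragma (CreatePropertyAssign (ctrlVar, "Title", pageParser.Title), directiveLocation));
 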
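Review bot: The unbraced `if (pageParser.EnableViewStateMacSet)` in AddStatementsToInitMethod has no comment explaining that the generated assignment is emitted only when the @Page directive sets the attribute, so an explicit `EnableViewStateMac="false"` turns off view-state integrity checking for that page whatever the configured default is. I would brace the statement and add `// Override the configured default only when the directive sets EnableViewStateMac; a false value disables the view-state MAC for this page.` above it. Moving `#if NET_2_0` below the `directiveLocation` declaration also compiles `ILocation` and `DirectiveLocation` into the non-2.0 profile; whether both exist there cannot be seen from this hunk and should be confirmed. The method body continues outside the hunk.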
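--- a/mcs/class/System.Web/System.Web.Configuration/ChangeLog
+++ b/mcs/class/System.Web/System.Web.Configuration/ChangeLog
@@ -1,3 +1,11 @@
+2010-04-29 Marek Habersack <mhabersack@novell.com>
+
+ * PagesConfiguration.cs: make EnableViewStateMac default to
+ true. Fixes bug #592428
+ Fixes cross-site scripting vulnerability (CVE: CVE-2010-1459)
+ Credits: Web Security Research Group (WSRG) of Hewlett Packard
+ (HP)
+
 2008-08-20 Marek Habersack <mhabersack@novell.com>
 
 * HttpRuntimeConfig.cs: implemented the undocumented (but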
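--- a/mcs/class/System.Web/System.Web.Configuration/PagesConfiguration.cs
+++ b/mcs/class/System.Web/System.Web.Configuration/PagesConfiguration.cs
@@ -38,7 +38,7 @@ class PagesConfiguration
 internal bool Buffer = true;
 internal PagesEnableSessionState EnableSessionState = PagesEnableSessionState.True;
 internal bool EnableViewState = true;
- internal bool EnableViewStateMac = false;
+ internal bool EnableViewStateMac = true;
 internal bool SmartNavigation = false;
 internal bool AutoEventWireup = true;
 internal bool ValidateRequest = true;
@@ -66,6 +66,8 @@ static public PagesConfiguration GetInstance (HttpContext context)
 {
 if (context == null)
 context = HttpContext.Current;
+ if (context == null)
+ return null;
 return context.GetConfig ("system.web/pages") as PagesConfiguration;
 }
 }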
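Review bot: `GetInstance` now returns null when neither the argument nor `HttpContext.Current` supplies a context, and the `as PagesConfiguration` cast on the following line can yield null as well, but nothing on the method says so. Because this object now carries the `EnableViewStateMac = true` default, a caller that receives null has to fall back to the secure value itself. A comment such as `// May return null (no current HttpContext, or no pages section); callers must keep secure defaults.` above the method would make that contract explicit. Callers outside this page that dereference the result without a null check would need review.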
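--- a/mcs/class/System.Web/System.Web.UI/ChangeLog
+++ b/mcs/class/System.Web/System.Web.UI/ChangeLog
@@ -1,3 +1,11 @@
+2010-04-29 Marek Habersack <mhabersack@novell.com>
+
+ * PageParser.cs, Page.cs: do not ignore the EnableViewStateMac
+ directive attribute. Fixes bug #592428
+ Fixes cross-site scripting vulnerability (CVE: CVE-2010-1459)
+ Credits: Web Security Research Group (WSRG) of Hewlett Packard
+ (HP)
+
 2008-03-13 Marek Habersack <mhabersack@novell.com>
 
 * TemplateParser.cs: HttpApplication.BinaryDirectories property no longer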
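--- a/mcs/class/System.Web/System.Web.UI/Page.cs
+++ b/mcs/class/System.Web/System.Web.UI/Page.cs
@@ -188,10 +188,15 @@ public Page ()
 if (ps != null) {
 asyncTimeout = ps.AsyncTimeout;
 viewStateEncryptionMode = ps.ViewStateEncryptionMode;
+ _viewStateMac = ps.EnableViewStateMac;
 } else {
 asyncTimeout = TimeSpan.FromSeconds (DefaultAsyncTimeout);
 viewStateEncryptionMode = ViewStateEncryptionMode.Auto;
 }
+#else
+ PagesConfiguration ps = PagesConfiguration.GetInstance (HttpContext.Current);
+ if (ps != null)
+ _viewStateMac = ps.EnableViewStateMac;
 #endif
 }
 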
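Review bot: When `ps` is null, neither the `else` branch of the NET_2_0 path nor the new `#else` path assigns `_viewStateMac`, so the page keeps whatever the field initializer gives it, and `PagesConfiguration.GetInstance` can now return null. The field declaration is outside the hunk; if it does not initialize to `true`, a page constructed without a configuration object would run with the view-state MAC off. I would set it explicitly on both paths: `_viewStateMac = true;` inside the existing `else` block, and `else _viewStateMac = true;` after the `#else` null check. The constructor starts outside the hunk.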
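--- a/mcs/class/System.Web/System.Web.UI/PageParser.cs
+++ b/mcs/class/System.Web/System.Web.UI/PageParser.cs
@@ -44,7 +44,8 @@ namespace System.Web.UI
 public sealed class PageParser : TemplateControlParser
 {
 PagesEnableSessionState enableSessionState = PagesEnableSessionState.True;
- bool enableViewStateMac = true;
+ bool enableViewStateMac;
+ bool enableViewStateMacSet;
 bool smartNavigation;
 bool haveTrace;
 bool trace;
@@ -376,8 +377,12 @@ internal override void ProcessMainAttributes (Hashtable atts)
 enable_event_validation = GetBool (atts, "EnableEventValidation", true);
 maintainScrollPositionOnPostBack = GetBool (atts, "MaintainScrollPositionOnPostBack", maintainScrollPositionOnPostBack);
 #endif
+ if (atts.ContainsKey ("EnableViewStateMac")) {
+ enableViewStateMac = GetBool (atts, "EnableViewStateMac", enableViewStateMac);
+ enableViewStateMacSet = true;
+ }
+
 // Ignored by now
- GetString (atts, "EnableViewStateMac", null);
 GetString (atts, "SmartNavigation", null);
 
 base.ProcessMainAttributes (atts);
@@ -458,6 +463,10 @@ protected override Type CompileIntoType ()
 internal bool EnableViewStateMac {
 get { return enableViewStateMac; }
 }
+
+ internal bool EnableViewStateMacSet {
+ get { return enableViewStateMacSet; }
+ }
 
 internal bool SmartNavigation {
 get { return smartNavigation; }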
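Review bot: Dropping the `= true` initializer on `enableViewStateMac` makes the internal `EnableViewStateMac` property return false whenever the directive omits the attribute, so any consumer that reads it without first checking `EnableViewStateMacSet` would treat the MAC as disabled. The PageCompiler change in this commit does check the flag, but keeping `bool enableViewStateMac = true;` costs nothing and fails safe for any other reader. The `// Ignored by now` comment now covers only the `SmartNavigation` line and could say so. `ProcessMainAttributes` begins outside the hunk.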
