For security reasons complex types transported via in 'ModelBase.Cust…
…omProperties' must be decorated with 'CustomModelPartAttribute' now.
muratcakir committed Aug 26, 2020
1 parent c5d88ad commit 8702c61
Showing 4 changed files with 17 additions and 4 deletions.
Expand Up @@ -2,10 +2,10 @@

namespace SmartStore.DevTools.Models
{
[CustomModelPart]
public class BackendExtensionModel : ModelBase
{
public string Welcome { get; set; }

public int ProductId { get; set; }
}
}
Expand Up @@ -19,6 +19,7 @@ public class FeedGoogleMerchantCenterModel
public string SearchIsTouched { get; set; }
}

[CustomModelPart]
public class GoogleProductModel : ModelBase
{
public int TotalCount { get; set; }
10 changes: 7 additions & 3 deletions src/Presentation/SmartStore.Web.Framework/Modelling/ModelBase.cs
Expand Up @@ -6,7 +6,12 @@

namespace SmartStore.Web.Framework.Modelling
{
[Serializable]
[AttributeUsage(AttributeTargets.Class, AllowMultiple = false, Inherited = false)]
public sealed class CustomModelPartAttribute : Attribute
{
}

[Serializable]
public sealed class CustomPropertiesDictionary : Dictionary<string, object>
{
}
Expand Down Expand Up @@ -41,9 +46,8 @@ public TProperty Get<TProperty>(string key)
Guard.NotEmpty(key, nameof(key));

IDictionary<string, object> dict;
object value;

if (TryGetCustomThreadProperties(false, out dict) && dict.TryGetValue(key, out value))
if (TryGetCustomThreadProperties(false, out dict) && dict.TryGetValue(key, out var value))
{
return (TProperty)value;
}
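Review bot: `CustomModelPartAttribute` is introduced as the opt-in marker for a security check, yet it carries no documentation, so a later author has nothing telling them what decorating a class actually permits. I would add an XML summary on the attribute along the lines of `/// Marks a model class as allowed to be bound as a complex value inside ModelBase.CustomProperties.` and a remark that it should only go on types whose public setters are safe to fill from posted values. The remark should also state that `Inherited = false` means a derived model is not covered by its base class's decoration and must be decorated itself. The `Get<TProperty>` change to `out var value` in the second hunk is purely stylistic and needs nothing further.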
Expand Up @@ -2,6 +2,7 @@
using System.Collections.Generic;
using System.ComponentModel;
using System.Linq;
using System.Security;
using System.Web.Mvc;
using SmartStore.Core.Html;
using SmartStore.Web.Framework.Security;
Expand Down Expand Up @@ -82,6 +83,13 @@ private CustomPropertiesDictionary BindCustomPropertiesDictioary(ControllerConte
// Is Complex type
var modelName = key.Substring(0, key.Length - subPropertyName.Length - 1);
var valueType = GetValueType(keys, modelName, bindingContext.ValueProvider);
if (!valueType.HasAttribute<CustomModelPartAttribute>(false))
{
throw new SecurityException("For security reasons complex types in '{0}' must be decorated with the '{1}' attribute.".FormatInvariant(
typeof(CustomPropertiesDictionary).AssemblyQualifiedNameWithoutVersion(),
typeof(CustomModelPartAttribute).AssemblyQualifiedNameWithoutVersion()));
}

valueBinder = this.Binders.GetBinder(valueType);
var complexBindingContext = new ModelBindingContext
{
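Review bot: The `SecurityException` raised in the complex-type branch does not name the type that was refused, so a blocked request and a legitimate model that merely lacks the attribute look identical in logs. Including the resolved type in the message, or logging `valueType.FullName` just before the throw, would make triage and alerting on rejected types practical. `GetValueType` is not visible in this hunk, but if it can return null for a name it cannot resolve, the new `valueType.HasAttribute<CustomModelPartAttribute>(false)` call would fail with a NullReferenceException instead of the intended rejection; `if (valueType == null || !valueType.HasAttribute<CustomModelPartAttribute>(false))` closes that gap. It is also worth confirming that `GetValueType` does not load assemblies from a posted type name, since that would happen before this check runs. The enclosing method starts and ends outside the hunk.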
