R12 SR2 code missing from Base.Master

For general questions and discussions specific to the AbleCommerce GOLD ASP.Net shopping cart software.
jguengerich
Commodore (COMO)
Posts: 436
Joined: Tue May 07, 2013 1:59 pm

R12 SR2 code missing from Base.Master

Post by jguengerich » Wed Nov 29, 2017 8:17 am

EDIT: Oops, looks like the code in \Layouts\Base.Master.cs has been simplified and AntiXsrfUserName is no longer needed. False alarm :) .

It appears that the following line of code is missing from \Layouts\Base.Master

    <asp:HiddenField ID="AntiXsrfUserName" runat="server" />

Shouldn't it be after this line (line 34)?

    <asp:HiddenField ID="AntiXsrfToken" runat="server" />

I'm basing this on the Base.Master file that was included in the XSS patch that was issued a while ago.
Jay

nadeem
Captain (CAPT)
Posts: 258
Joined: Tue Jul 31, 2012 7:23 pm

Re: R12 SR2 code missing from Base.Master

Post by nadeem » Wed Nov 29, 2017 10:26 pm

Jay, yes, that was actually leftover unused code in the patch, which has just been removed from the R2 SR2. So functionally both codes (the code provided as a patch and the R2 SR2 code) are the same, since the Anti-XSRF token is validated using only the AntiXsrfToken value.

jmestep
AbleCommerce Angel
Posts: 8164
Joined: Sun Feb 29, 2004 8:04 pm
Location: Dayton, OH

Re: R12 SR2 code missing from Base.Master

Post by jmestep » Wed Nov 29, 2017 11:00 pm

Nadeem,
Since you are looking at this I'll ask this related question. I had asked it a couple of days ago on a different post. Sites with the patch are getting this error and merchants are asking about it. We don't know if the patch is a problem and don't want to leave it on if it is but don't want to take it off if it isn't.

    An error has occured at https://www.thegpsstore.com/category.aspx?categoryid=86
    System.Web.HttpUnhandledException (0x80004005): Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> System.ArgumentException: Exception of type 'System.ArgumentException' was thrown.
    Parameter name: encodedData
    at System.Web.Security.MachineKey.Decode(String encodedData, MachineKeyProtection protectionOption)
    at AbleCommerce.Layouts.Base.Master_Page_PreLoad(Object sender, EventArgs e)
    at System.EventHandler.Invoke(Object sender, EventArgs e)
    at System.Web.UI.Page.OnPreLoad(EventArgs e)
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    at System.Web.UI.Page.HandleError(Exception e)
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    at System.Web.UI.Page.ProcessRequest()
    at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
    at System.Web.UI.Page.ProcessRequest(HttpContext context)
    at ASP.category_aspx.ProcessRequest(HttpContext context)
    at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx

nadeem
Captain (CAPT)
Posts: 258
Joined: Tue Jul 31, 2012 7:23 pm

Re: R12 SR2 code missing from Base.Master

Post by nadeem » Thu Nov 30, 2017 3:47 am

Judy, I spent some time figuring this out but was not able to reproduce the issue. From the exception, it appears that the hidden field value is not decoded for some reason. Do you have some specific scenario where this is happening? The patch should be correct, as we have provided the same changes for R10 SR1, R11 SR1, R12 SR1 and R12 SR2 and no one else has reported this type of issue.
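
The stack trace above shows `MachineKey.Decode` raising `ArgumentException` on the hidden-field value inside the master page's PreLoad handler. One way a page could treat an undecodable value as a failed anti-XSRF check instead of an unhandled exception is sketched below; this is an added example, not code from this thread or from AbleCommerce, and the class name `AntiXsrfField`, the protection mode and the UTF-8 token encoding are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

// Hypothetical helper for illustration; not AbleCommerce code.
public static class AntiXsrfField
{
    // Assumption: the field was written with MachineKey.Encode(bytes, Protection).
    private const MachineKeyProtection Protection = MachineKeyProtection.All;

    // Returns false instead of throwing when the posted value cannot be decoded.
    public static bool TryDecode(string encodedData, out string token)
    {
        token = null;
        // Missing or blank field: Decode throws on null and on empty input.
        if (string.IsNullOrWhiteSpace(encodedData)) return false;
        try
        {
#pragma warning disable 618 // MachineKey.Encode/Decode are obsolete since .NET 4.5
            byte[] raw = MachineKey.Decode(encodedData, Protection);
#pragma warning restore 618
            // null means the validation hash did not match (altered value).
            if (raw == null || raw.Length == 0) return false;
            token = Encoding.UTF8.GetString(raw); // assumption: token stored as UTF-8
            return true;
        }
        catch (ArgumentException) { return false; }      // odd length or non-hex text
        catch (CryptographicException) { return false; } // decryption failed
        catch (HttpException) { return false; }          // other crypto-layer failure, caught defensively
    }

    // True only when the field decodes and equals the token expected for this visitor.
    public static bool Matches(string encodedField, string expectedToken)
    {
        string posted;
        if (!TryDecode(encodedField, out posted) || expectedToken == null) return false;
        byte[] a = Encoding.UTF8.GetBytes(posted);
        byte[] b = Encoding.UTF8.GetBytes(expectedToken);
        int diff = a.Length ^ b.Length; // compare without an early exit
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

A caller would reject the postback when `Matches` returns false and log the raw field length, which helps tell empty or truncated values apart from altered ones.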

jmestep
AbleCommerce Angel
Posts: 8164
Joined: Sun Feb 29, 2004 8:04 pm
Location: Dayton, OH

Re: R12 SR2 code missing from Base.Master

Post by jmestep » Sun Dec 03, 2017 11:45 pm

We haven't been able to reproduce the issue. Another site saw it a lot on the basket page. We have seen it on R9, R11, R12 sites. (I created a patch for R9 like the others because AC didn't issue one and we have a lot of R9 sites.)
Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx
