R12 SR2 code missing from Base.Master
Posted: Wed Nov 29, 2017 8:17 am
by jguengerich
EDIT: Oops, looks like the code in \Layouts\Base.Master.cs has been simplified and AntiXsrfUserName is no longer needed. False alarm.
It appears that the following line of code is missing from \Layouts\Base.Master
Code:
<asp:HiddenField ID="AntiXsrfUserName" runat="server" />
Shouldn't it be after this line (line 34)?
Code:
<asp:HiddenField ID="AntiXsrfToken" runat="server" />
I'm basing this on the Base.Master file that was included in the XSS patch that was issued a while ago.
Re: R12 SR2 code missing from Base.Master
Posted: Wed Nov 29, 2017 10:26 pm
by nadeem
Jay, yes, that was actually leftover unused code in the patch, which has just been removed from the R2 SR2. So functionally both codes (the code provided as a patch and the R2 SR2 code) are the same, since the Anti-XSRF token is validated using only the AntiXsrfToken value.
Re: R12 SR2 code missing from Base.Master
Posted: Wed Nov 29, 2017 11:00 pm
by jmestep
Nadeem,
Since you are looking at this I'll ask this related question. I had asked it a couple of days ago on a different post. Sites with the patch are getting this error and merchants are asking about it. We don't know if the patch is a problem and don't want to leave it on if it is but don't want to take it off if it isn't.
An error has occured at
https://www.thegpsstore.com/category.aspx?categoryid=86
System.Web.HttpUnhandledException (0x80004005): Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> System.ArgumentException: Exception of type 'System.ArgumentException' was thrown.
Parameter name: encodedData
at System.Web.Security.MachineKey.Decode(String encodedData, MachineKeyProtection protectionOption)
at AbleCommerce.Layouts.Base.Master_Page_PreLoad(Object sender, EventArgs e)
at System.EventHandler.Invoke(Object sender, EventArgs e)
at System.Web.UI.Page.OnPreLoad(EventArgs e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at ASP.category_aspx.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Re: R12 SR2 code missing from Base.Master
Posted: Thu Nov 30, 2017 3:47 am
by nadeem
Judy, I spent some time figuring this out but was not able to reproduce the issue. From the exception, it appears that the hidden field value is not decoded for some reason. Do you have some specific scenario where this is happening? The patch should be correct, as these are the same changes we have provided for R10 SR1, R11 SR1, R12 SR1 and R12 SR2, and no one else has reported this type of issue.
Re: R12 SR2 code missing from Base.Master
Posted: Sun Dec 03, 2017 11:45 pm
by jmestep
We haven't been able to reproduce the issue. Another site saw it a lot on the basket page. We have seen it on R9, R11, R12 sites. (I created a patch for R9 like the others because AC didn't issue one and we have a lot of R9 sites.)