CON-920 - Edit Form - Post 4.1.5 Security Fix

Created by Warren Buckley 07 Mar 2016, 09:00:02 Updated by Warren Buckley 29 Aug 2017, 07:18:01

Tags: Needs Docs Unscheduled

Some users still require the functionality of editing a form once it has been posted. With the 4.1.5 security issue, this functionality was removed altogether. Need to ensure that whatever fix brings this back does not open a can of worms.

Note: This has been added to Sprint 10 as an unscheduled issue/work item, due to a Gold Partner Support Ticket.

Comments

Warren Buckley 16 Mar 2016, 14:42:03

OK, added a new Config bool & added it into the XML config file. See granular commits for notes in the PR https://github.com/umbraco/Forms/pull/30 /cc @Shandem for re-testing


Stephan 31 Mar 2016, 09:52:57

Merged.


Warren Buckley 30 Aug 2016, 08:35:45

Notes

In UmbracoForms.config there is a new setting AllowEditableFormSubmissions which needs to be true. This then allows the page with the form on it to be reloaded with a form submission, which can be edited & amended by a user and re-submitted.

With the setting enabled you will need to append the following querystring to the URL of the page that contains the form:

?recordId=GUIDofEntrySubmission


Lee Cichanowicz 21 Mar 2017, 09:06:42

@warren.buckley This gives me a YSOD. My query string: ?recordId=4a71af07-8585-42f6-8ed0-782079474333

Server Error in '/' Application.

Object reference not set to an instance of an object. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.

Source Error:

Line 15: }
Line 16:
Line 17: Html.RenderAction("Render", "UmbracoForms", new );
Line 18: }

Source File: d:\home\site\wwwroot\Views\MacroPartials\InsertUmbracoForm.cshtml    Line: 17

Stack Trace:

[NullReferenceException: Object reference not set to an instance of an object.]
   Umbraco.Forms.Data.Storage.RecordFieldStorage.GetAllRecordFields(Record record, Form form) +221
   Umbraco.Forms.Data.Storage.RecordStorage.GetRecordByUniqueId(Guid uniqueId, Form form) +1563
   Umbraco.Forms.Web.Controllers.UmbracoFormsController.GetRecord(Guid recordId, Form form) +129
   Umbraco.Forms.Web.Controllers.UmbracoFormsController.Render(Guid formId, Nullable`1 recordId, String view, String mode) +1114
   lambda_method(Closure , ControllerBase , Object[] ) +314
   System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) +14
   System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +157
   System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +27
   System.Web.Mvc.Async.AsyncControllerActionInvoker.<BeginInvokeSynchronousActionMethod>b__39(IAsyncResult asyncResult, ActionInvocation innerInvokeState) +22
   System.Web.Mvc.Async.WrappedAsyncResult`2.CallEndDelegate(IAsyncResult asyncResult) +29
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +32
   System.Web.Mvc.Async.AsyncInvocationWithFilters.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3d() +50
   System.Web.Mvc.Async.<>c__DisplayClass46.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3f() +225
   System.Web.Mvc.Async.<>c__DisplayClass46.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3f() +225
   System.Web.Mvc.Async.<>c__DisplayClass46.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3f() +225
   System.Web.Mvc.Async.<>c__DisplayClass46.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3f() +225
   System.Web.Mvc.Async.<>c__DisplayClass33.<BeginInvokeActionMethodWithFilters>b__32(IAsyncResult asyncResult) +10
   System.Web.Mvc.Async.WrappedAsyncResult`1.CallEndDelegate(IAsyncResult asyncResult) +10
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +34
   System.Web.Mvc.Async.<>c__DisplayClass2b.<BeginInvokeAction>b__1c() +26
   System.Web.Mvc.Async.<>c__DisplayClass21.<BeginInvokeAction>b__1e(IAsyncResult asyncResult) +100
   System.Web.Mvc.Async.WrappedAsyncResult`1.CallEndDelegate(IAsyncResult asyncResult) +10
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +27
   System.Web.Mvc.Controller.<BeginExecuteCore>b__1d(IAsyncResult asyncResult, ExecuteCoreState innerState) +13
   System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +29
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +36
   System.Web.Mvc.Controller.<BeginExecute>b__15(IAsyncResult asyncResult, Controller controller) +12
   System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +22
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +26
   System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) +10
   System.Web.Mvc.MvcHandler.<BeginProcessRequest>b__5(IAsyncResult asyncResult, ProcessRequestState innerState) +21
   System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +29
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +28
   System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
   System.Web.Mvc.<>c__DisplayClassa.<EndProcessRequest>b__9() +22
   System.Web.Mvc.<>c__DisplayClass4.<Wrap>b__3() +10
   System.Web.Mvc.ServerExecuteHttpHandlerWrapper.Wrap(Func`1 func) +27
   System.Web.Mvc.ServerExecuteHttpHandlerWrapper.Wrap(Action action) +64
   System.Web.Mvc.ServerExecuteHttpHandlerAsyncWrapper.EndProcessRequest(IAsyncResult result) +71
   System.Web.HttpServerUtility.ExecuteInternal(IHttpHandler handler, TextWriter writer, Boolean preserveForm, Boolean setPreviousPage, VirtualPath path, VirtualPath filePath, String physPath, Exception error, String queryStringOverride) +1436

[HttpException (0x80004005): Error executing child request for handler 'System.Web.Mvc.HttpHandlerUtil+ServerExecuteHttpHandlerAsyncWrapper'.]
   System.Web.HttpServerUtility.ExecuteInternal(IHttpHandler handler, TextWriter writer, Boolean preserveForm, Boolean setPreviousPage, VirtualPath path, VirtualPath filePath, String physPath, Exception error, String queryStringOverride) +3428452
   System.Web.HttpServerUtility.Execute(IHttpHandler handler, TextWriter writer, Boolean preserveForm, Boolean setPreviousPage) +76
   System.Web.HttpServerUtility.Execute(IHttpHandler handler, TextWriter writer, Boolean preserveForm) +29
   System.Web.HttpServerUtilityWrapper.Execute(IHttpHandler handler, TextWriter writer, Boolean preserveForm) +24
   System.Web.Mvc.Html.ChildActionExtensions.ActionHelper(HtmlHelper htmlHelper, String actionName, String controllerName, RouteValueDictionary routeValues, TextWriter textWriter) +463
   System.Web.Mvc.Html.ChildActionExtensions.RenderAction(HtmlHelper htmlHelper, String actionName, String controllerName, Object routeValues) +45
   ASP._Page_Views_MacroPartials_InsertUmbracoForm_cshtml.Execute() in d:\home\site\wwwroot\Views\MacroPartials\InsertUmbracoForm.cshtml:17
   System.Web.WebPages.WebPageBase.ExecutePageHierarchy() +198
   System.Web.Mvc.WebViewPage.ExecutePageHierarchy() +105
   System.Web.WebPages.WebPageBase.ExecutePageHierarchy(WebPageContext pageContext, TextWriter writer, WebPageRenderingBase startPage) +90
   System.Web.Mvc.RazorView.RenderView(ViewContext viewContext, TextWriter writer, Object instance) +235
   System.Web.Mvc.BuildManagerCompiledView.Render(ViewContext viewContext, TextWriter writer) +107
   Umbraco.Core.Profiling.ProfilingView.Render(ViewContext viewContext, TextWriter writer) +113
   Umbraco.Web.Mvc.ControllerExtensions.RenderViewResultAsString(ControllerBase controller, ViewResultBase viewResult) +200
   Umbraco.Web.Macros.PartialViewMacroEngine.Execute(MacroModel macro, IPublishedContent content) +613
   Umbraco.Web.Macros.PartialViewMacroEngine.Execute(MacroModel macro, INode node) +125
   umbraco.macro.LoadPartialViewMacro(MacroModel macro) +50
   umbraco.macro.renderMacro(Hashtable pageElements, Int32 pageId) +1177
   Umbraco.Web.UmbracoComponentRenderer.RenderMacro(macro m, IDictionary`2 parameters, page umbracoPage) +360
   Umbraco.Web.UmbracoComponentRenderer.RenderMacro(String alias, IDictionary`2 parameters, page umbracoPage) +72
   Umbraco.Web.UmbracoComponentRenderer.RenderMacro(String alias, IDictionary`2 parameters) +41
   Umbraco.Web.UmbracoHelper.RenderMacro(String alias, Object parameters) +52
   ASP._Page_Views_Shared__GlobalHeader_cshtml.Execute() in d:\home\site\wwwroot\Views\Shared\_GlobalHeader.cshtml:76
   System.Web.WebPages.WebPageBase.ExecutePageHierarchy() +198
   System.Web.Mvc.WebViewPage.ExecutePageHierarchy() +105
   System.Web.WebPages.WebPageBase.ExecutePageHierarchy(WebPageContext pageContext, TextWriter writer, WebPageRenderingBase startPage) +90
   System.Web.Mvc.RazorView.RenderView(ViewContext viewContext, TextWriter writer, Object instance) +235
   System.Web.Mvc.BuildManagerCompiledView.Render(ViewContext viewContext, TextWriter writer) +107
   Umbraco.Core.Profiling.ProfilingView.Render(ViewContext viewContext, TextWriter writer) +113
   System.Web.Mvc.HtmlHelper.RenderPartialInternal(String partialViewName, ViewDataDictionary viewData, Object model, TextWriter writer, ViewEngineCollection viewEngineCollection) +277
   System.Web.Mvc.Html.PartialExtensions.Partial(HtmlHelper htmlHelper, String partialViewName, Object model, ViewDataDictionary viewData) +91
   System.Web.Mvc.Html.PartialExtensions.Partial(HtmlHelper htmlHelper, String partialViewName) +32
   ASP._Page_Views_Shared__LayoutGlobal_cshtml.Execute() in d:\home\site\wwwroot\Views\Shared\_LayoutGlobal.cshtml:83
   System.Web.WebPages.WebPageBase.ExecutePageHierarchy() +198
   System.Web.Mvc.WebViewPage.ExecutePageHierarchy() +105
   System.Web.WebPages.WebPageBase.ExecutePageHierarchy(WebPageContext pageContext, TextWriter writer, WebPageRenderingBase startPage) +90
   System.Web.WebPages.<>c__DisplayClass3.<RenderPageCore>b__2(TextWriter writer) +232
   System.Web.WebPages.HelperResult.WriteTo(TextWriter writer) +10
   System.Web.WebPages.WebPageBase.Write(HelperResult result) +80
   System.Web.WebPages.WebPageBase.RenderSurrounding(String partialViewName, Action`1 body) +63
   System.Web.WebPages.WebPageBase.PopContext() +237
   System.Web.WebPages.WebPageBase.ExecutePageHierarchy(WebPageContext pageContext, TextWriter writer, WebPageRenderingBase startPage) +98
   System.Web.Mvc.RazorView.RenderView(ViewContext viewContext, TextWriter writer, Object instance) +235
   System.Web.Mvc.BuildManagerCompiledView.Render(ViewContext viewContext, TextWriter writer) +107
   Umbraco.Core.Profiling.ProfilingView.Render(ViewContext viewContext, TextWriter writer) +113
   System.Web.Mvc.ViewResultBase.ExecuteResult(ControllerContext context) +290
   System.Web.Mvc.ControllerActionInvoker.InvokeActionResult(ControllerContext controllerContext, ActionResult actionResult) +13
   System.Web.Mvc.ControllerActionInvoker.InvokeActionResultFilterRecursive(IList`1 filters, Int32 filterIndex, ResultExecutingContext preContext, ControllerContext controllerContext, ActionResult actionResult) +56
   System.Web.Mvc.ControllerActionInvoker.InvokeActionResultFilterRecursive(IList`1 filters, Int32 filterIndex, ResultExecutingContext preContext, ControllerContext controllerContext, ActionResult actionResult) +420
   System.Web.Mvc.ControllerActionInvoker.InvokeActionResultFilterRecursive(IList`1 filters, Int32 filterIndex, ResultExecutingContext preContext, ControllerContext controllerContext, ActionResult actionResult) +420
   System.Web.Mvc.ControllerActionInvoker.InvokeActionResultFilterRecursive(IList`1 filters, Int32 filterIndex, ResultExecutingContext preContext, ControllerContext controllerContext, ActionResult actionResult) +420
   System.Web.Mvc.ControllerActionInvoker.InvokeActionResultWithFilters(ControllerContext controllerContext, IList`1 filters, ActionResult actionResult) +52
   System.Web.Mvc.Async.<>c__DisplayClass2b.<BeginInvokeAction>b__1c() +173
   System.Web.Mvc.Async.<>c__DisplayClass21.<BeginInvokeAction>b__1e(IAsyncResult asyncResult) +100
   System.Web.Mvc.Async.WrappedAsyncResult`1.CallEndDelegate(IAsyncResult asyncResult) +10
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +27
   System.Web.Mvc.Controller.<BeginExecuteCore>b__1d(IAsyncResult asyncResult, ExecuteCoreState innerState) +13
   System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +29
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +36
   System.Web.Mvc.Controller.<BeginExecute>b__15(IAsyncResult asyncResult, Controller controller) +12
   System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +22
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +26
   System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) +10
   System.Web.Mvc.MvcHandler.<BeginProcessRequest>b__5(IAsyncResult asyncResult, ProcessRequestState innerState) +21
   System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +29
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +28
   System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +9765121
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155


Warren Buckley 21 Mar 2017, 09:10:27

Hi @lxcichanowicz, can you confirm 100% that the record ID/GUID exists for that form? You can see entries in the backoffice and see the entry's ID/GUID when viewing it in detail.

Thanks, Warren


RunnicFusion 25 Apr 2017, 08:20:49

When enabling this setting my form won't submit. I can view the form with filled-in values from the submit (through the recordId).


Lee Cichanowicz 25 Apr 2017, 13:21:56

@warren.buckley Yes, I have confirmed that the Unique Id exists. I copied it from the form entry in the back office, and pasted it in the URL of the public-facing page that has the form.


Warren Buckley 25 Apr 2017, 13:55:05

OK @lxcichanowicz, I can't know for sure, but looking at the stack trace, the method Umbraco.Forms.Data.Storage.RecordFieldStorage.GetAllRecordFields is throwing a null reference exception.

Does the form submission have any special data/submission, or a lack of data perhaps?

Alternatively, for now - have you tried retrieving the form submission using the API methods in a view or controller, just to see if you can retrieve the record successfully?

using System;
using Umbraco.Forms.Data.Storage;

using (var recordStorage = new RecordStorage())
{
    // Look the submission up by the GUID shown for the entry in the backoffice
    var record = recordStorage.GetRecordByUniqueId(Guid.Parse("GUID-HERE"));

    foreach (var field in record.RecordFields)
    {
        // Do something with record field data & verify submission is OK
        var fieldData = field.Value.ValuesAsString();
    }
}

This way we can determine if there is a bug.
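The notes above say the edit flow is driven entirely by the ?recordId= querystring, and the YSOD in this thread comes from the controller being handed an id that storage cannot resolve. The helper below is an added example (not Umbraco's or Umbraco Forms' code) showing how a site could validate that querystring before passing it to the UmbracoForms Render action: it uses the RecordStorage.GetRecordByUniqueId(Guid) call shown in this thread, and assumes a Record exposes a Form GUID property and that an unresolvable id surfaces as null or as the NullReferenceException seen in the stack trace.

```csharp
using System;
using Umbraco.Forms.Core;             // Record (namespace assumed)
using Umbraco.Forms.Data.Storage;     // RecordStorage (shown in this thread)

// Added example: decide whether ?recordId= may be passed to the
// "Render" action, or whether the page should fall back to a blank form.
public static class EditableSubmissionGuard
{
    // rawRecordId: the raw ?recordId= querystring value (may be null).
    // formId: the form rendered on this page; a record for any other
    //         form is rejected even if the GUID is real.
    public static Guid? ResolveRecordId(string rawRecordId, Guid formId)
    {
        Guid recordId;
        // Not a GUID at all: ignore it rather than let the controller throw.
        if (string.IsNullOrWhiteSpace(rawRecordId) || !Guid.TryParse(rawRecordId, out recordId))
            return null;

        try
        {
            using (var recordStorage = new RecordStorage())
            {
                var record = recordStorage.GetRecordByUniqueId(recordId);
                // Accept only a record that exists, has field data and belongs
                // to the form on this page (record.Form as Guid is an assumption).
                if (record == null || record.RecordFields == null || record.Form != formId)
                    return null;
            }
        }
        catch (NullReferenceException)
        {
            // Storage threw while resolving the record/form (the YSOD above):
            // treat it as "no such record" and render a blank form.
            return null;
        }
        return recordId;
    }
}
```

In the macro partial, call ResolveRecordId(Request.QueryString["recordId"], formId) and pass the result as the recordId route value only when it is non-null. Note that a correct record GUID is still the only thing gating edit access in this flow; the helper prevents the crash, it does not add an ownership check.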


Lee Cichanowicz 25 Apr 2017, 14:20:45

@warren.buckley The form fields match between the back office and the public page. I have two forms in the site; both YSOD when I try this.

I'll try the API ASAP.


Carmen Lazar 28 Aug 2017, 14:05:08

@warren.buckley I am using Umbraco Forms 6.0.1 and the records still cannot be edited. I can get the values of the record I'm trying to change in the form on the page, I change the value and it submits without errors but it never actually updates the record values.


Warren Buckley 29 Aug 2017, 07:18:01

@carmen@kruso.dk this is due to another problem that is fixed & due in 6.0.3 http://issues.umbraco.org/issue/CON-1344

If you need it immediately I recommend a nightly build http://nightly.umbraco.org/?container=umbraco-forms-nightlies


Priority: Normal

Type: Bug

State: Fixed

Assignee:

Difficulty:

Category:

Backwards Compatible: True

Fix Submitted:

Affected versions: 4.1.5

Due in version: 4.3.0

Sprint: Sprint 12

Story Points:

Cycle: