U4-5814 - Apply MVC 4.0.0.1 security update

Created by Sebastiaan Janssen 14 Nov 2014, 14:30:25 Updated by Shannon Deminick 28 Aug 2015, 10:25:47

Subtask of: U4-5423

Core should be released with the secure version.

Comments

Sebastiaan Janssen 14 Nov 2014, 17:02:08

Fixed in b20fc225775810aabc45559c2fc69da089d50a42 and merged into 7.2.0.


Sebastiaan Janssen 26 Nov 2014, 11:13:38

In the end we could not apply this fix as it would 100% fail on computers that do not have this Windows update installed yet and there's no way of working around it as the version in the GAC is taken first (so if the update isn't applied, 4.0.0.0 from GAC will be used instead of 4.0.0.1 in the bin folder). This meant that code depending on 4.0.0.1 would just YSOD, and since we build against that version, it would always YSOD. The good news is that as soon as the computer DOES get 4.0.0.1 in the GAC all is well and the secure version is used automatically.


Shannon Deminick 07 May 2015, 09:38:23

I'll have to set up a VM or something, it just doesn't seem like it should fail or be possible to fail. If it's in your /bin then it will load, just like the way we can ship anything in the /bin and it will load. If they have it installed in the GAC then the GAC version will be used but that is fine as well.


Shannon Deminick 07 May 2015, 09:43:14

The rule is that if the versions match exactly, then the GAC one will be used, otherwise if it doesn't exist in the GAC the /bin one will be used. If people didn't copy in all of the assemblies we provide in our build output like the MVC ones, then it would definitely fail. I'd be interested to know how these upgrades were done to cause this to fail, any chance you know?


Sebastiaan Janssen 07 May 2015, 09:54:10

Nope, I can't remember exactly. Maybe we didn't ship the DLLs properly? I remember it being an issue when just starting Umbraco from a fresh unzip and/or NuGet install. Which reminds me: you need to update the NuSpec to use the new version as well! (Maybe that was the whole problem... hmmm.)


Sebastiaan Janssen 07 May 2015, 09:54:38

Ah no, that can't have been the problem, the nuspec was updated in the changeset above.


Shannon Deminick 07 May 2015, 09:59:54

Hrm, it certainly seems very strange. If the DLLs are in the /bin they'll definitely be used. I'll spin up a VM without the patch (if I can) and see what happens.


Shannon Deminick 11 May 2015, 01:34:26

Here's what I've tested:

  • New Windows 8 VM without MVC installed whatsoever (so there is no MVC in the GAC)
  • Install 7.2.4 (which contains MVC 4.0.0.0) via ZIP file + IIS
  • Upgrade to 7.2.5 (which currently contains MVC 4.0.0.1) via copying over /bin, /umbraco and /umbraco_client
  • A YSOD manifest reference error occurs -> This is because I didn't update my web.config during upgrade which requires a change of: newVersion="4.0.0.1" for the MVC assembly binding
  • Updating the web.config makes the site work and is using MVC 4.0.0.1

Next, I deleted that site and installed MVC 4.0.0.0 into the GAC, then:

  • Install 7.2.4 (which contains MVC 4.0.0.0) via ZIP file + IIS
  • Upgrade to 7.2.5 (which currently contains MVC 4.0.0.1) via copying over /bin, /umbraco and /umbraco_client
  • A more cryptic YSOD occurs: "Unable to cast object of type 'Microsoft.Web.Mvc.FixedRazorViewEngine' to type 'System.Web.Mvc.IViewEngine'" -> This is because I didn't update my web.config during upgrade which requires a change of: newVersion="4.0.0.1" for the MVC assembly binding
  • Updating the web.config makes the site work and is using MVC 4.0.0.1

I'm not sure what was going wrong with any previous tests, but having MVC 4.0.0.1 in the /bin with the assembly redirect definitely works regardless of what is in the GAC (which is expected since that is how .NET works). However I do realize this is a little intrusive for a patch release update. So let's leave out the MVC update for 7.2.5 and make the update in the core and our nuspec dependency to the 4.0.0.1 version for 7.3. @sebastiaan Sounds ok?

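Added illustration (not part of the issue thread and not taken from Umbraco's own web.config): the assemblyBinding fragment that the upgrade steps above depend on, with the pre-update redirect to 4.0.0.0 shown beside the corrected redirect to 4.0.0.1. The assembly name and publicKeyToken are the standard ones for System.Web.Mvc; the oldVersion ranges are assumptions, chosen to cover every earlier MVC 4 build.

```xml
<!-- Added example web.config fragment: not from the issue thread or from Umbraco's shipped files -->
<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">

      <!-- BEFORE (site still bound to the unpatched MVC build): every request for
           System.Web.Mvc is redirected to 4.0.0.0. The loader probes the GAC for that
           exact version first, so a 4.0.0.0 GAC copy wins even when 4.0.0.1 sits in /bin,
           and code compiled against 4.0.0.1 fails with a manifest mismatch (YSOD). -->
      <!--
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-4.0.0.0" newVersion="4.0.0.0" />
      </dependentAssembly>
      -->

      <!-- AFTER (what an upgrade to MVC 4.0.0.1 needs): redirect to 4.0.0.1, so the loader
           takes 4.0.0.1 from the GAC if the security update is installed there and otherwise
           the 4.0.0.1 copy shipped in /bin. The oldVersion range is an assumption; it only
           has to span every earlier 4.x build a package in the site might still reference. -->
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-4.0.0.1" newVersion="4.0.0.1" />
      </dependentAssembly>

    </assemblyBinding>
  </runtime>
</configuration>
```

The check to run after an upgrade is that newVersion matches the file version of System.Web.Mvc.dll in /bin; the two symptoms in the test log above (the manifest reference error and the FixedRazorViewEngine cast error) are both what a mismatch between the redirect and the shipped DLL looks like.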

Priority: Normal

Type: Task

State: Fixed

Assignee: Shannon Deminick

Difficulty: Normal

Category:

Backwards Compatible: True

Fix Submitted:

Affected versions:

Due in version: 7.3.0

Sprint:

Story Points:

Cycle: