
Disable calling pagetemplate in querystring due to security

Hans Ravnsfjall

Hi

Can't find it now, but I am pretty sure it is possible to show a page with a certain template with something like this: www.mysite.com?default.aspx&id=2&template=randomtemplate.cshtml

This can result in some information being exposed that we don't want to be exposed.

If we e.g. have a template for extranet pages, where we want some part of the page to be public while other parts are not public, then we use the template to check if the user is logged in or not, and if they are logged in, we render the item fields.

However, if the item fields share system names with fields in other items, used in a totally different context, and those have another template attached, then it would be possible to expose the info we don't want to show by viewing the extranet page with that other template.

Is there any way of disabling the template query for a whole solution, or for just certain types of pages/items?

/Hans


Replies

Nicolai Pedersen

You can create a notification subscriber on page load that will disable that. But if the template already has a conditional check for whether a user is logged in, it will also not display the fields when used in the URL.

Hans Ravnsfjall

Ok, just so that I understand you correctly. If the template that is selected for the page has a check to see if you are logged in or not before showing any content, then there is no way of displaying the content with another template added through the querystring?

If that's the case, then that's perfect 👍🏻

/Hans

Hans Ravnsfjall

Apparently, that is not the case. Just tested, and was able to display sensitive info by adding the layout template via querystring.

At least in the latest Dynamicweb 8 that is, but this is maybe fixed in Dynamicweb 9?

/Hans

Hans Ravnsfjall

It's the other way around, Nicolai. A different template is added to content that is meant to be rendered only with a template that has the logged-in check.

/Hans

Nicolai Pedersen

You can set up permissions on the content then. Then it will not be shown to users who should not see it.

If that cannot work for you, you have to find another approach.
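The thread discusses two mitigations: Nicolai's first reply (a page-load hook that disables the template override) and his second reply (permissions on the content itself). The following is an added example that models both, written as a small request/render simulation in Python; it is not Dynamicweb code and not code posted by either participant. The Page and User classes, the template functions, the LOCKED_PAGE_TYPES set, and the example URL are all constructed stand-ins, and `resolve_template` only approximates what a real Dynamicweb notification subscriber would do. The point it makes is the one Hans ran into: a login check that lives inside a template is bypassed the moment another template can be selected from the querystring, whereas a permission checked on the content before any template runs is not.

```python
"""Constructed model of the template-override issue and both mitigations.
Added example, not Dynamicweb code; every name below is a stand-in."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set
from urllib.parse import parse_qs, urlparse


@dataclass
class User:
    name: str
    roles: Set[str]
    logged_in: bool


@dataclass
class Page:
    page_id: int
    page_type: str                            # hypothetical: "extranet", "news", ...
    template: str                             # template configured on the page
    fields: Dict[str, str]                    # item fields keyed by system name
    allowed_roles: Optional[Set[str]] = None  # content permission; None = public


ANONYMOUS = User("anonymous", set(), logged_in=False)

# Mitigation 1: page types whose template may never be replaced from the
# querystring. A real page-load subscriber would read this from configuration.
LOCKED_PAGE_TYPES: Set[str] = {"extranet"}


def query_params(url: str) -> Dict[str, str]:
    """Flatten ?a=1&b=2 into a dict, the way the CMS sees the querystring."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def resolve_template(page: Page, params: Dict[str, str], locked: Set[str]) -> str:
    """Honour ?template= only for page types that are not locked.
    Passing every page type in ``locked`` disables the override solution-wide."""
    requested = params.get("template")
    if requested and page.page_type not in locked:
        return requested
    return page.template


# Templates are functions of (page, user). The extranet template does the
# login check *inside the template*; the news template renders every field.
def extranet_template(page: Page, user: User) -> Dict[str, str]:
    if user.logged_in:
        return dict(page.fields)
    return {"teaser": page.fields.get("teaser", "")}


def news_template(page: Page, user: User) -> Dict[str, str]:
    return dict(page.fields)


TEMPLATES: Dict[str, Callable[[Page, User], Dict[str, str]]] = {
    "extranet.cshtml": extranet_template,
    "news.cshtml": news_template,
}


def content_permitted(page: Page, user: User) -> bool:
    """Mitigation 2: permission on the content, evaluated before any template."""
    if page.allowed_roles is None:
        return True
    return user.logged_in and bool(page.allowed_roles & user.roles)


def render(url: str, page: Page, user: User,
           locked: Optional[Set[str]] = None) -> Dict[str, str]:
    """Serve ``page`` for ``url``. Returns the fields that reach the client
    ({} when the content permission denies access)."""
    if not content_permitted(page, user):
        return {}
    template = resolve_template(page, query_params(url), locked or set())
    return TEMPLATES[template](page, user)


# Constructed sample content: an extranet page whose "text" field is meant
# for logged-in members only, protected solely by its template's login check.
FIELDS = {"teaser": "Public teaser", "text": "Members-only text"}
EXTRANET_PAGE = Page(2, "extranet", "extranet.cshtml", FIELDS)
PROTECTED_PAGE = Page(2, "extranet", "extranet.cshtml", FIELDS, allowed_roles={"members"})
MEMBER = User("member", {"members"}, logged_in=True)
# The request from the thread: the page id plus a foreign template name.
OVERRIDE_URL = "https://www.example.test/default.aspx?id=2&template=news.cshtml"


def demo() -> Dict[str, Dict[str, str]]:
    """Run the four scenarios discussed in the thread and return what each exposes."""
    return {
        "template check only, override honoured": render(OVERRIDE_URL, EXTRANET_PAGE, ANONYMOUS),
        "template check + override locked": render(OVERRIDE_URL, EXTRANET_PAGE, ANONYMOUS, LOCKED_PAGE_TYPES),
        "content permission, anonymous": render(OVERRIDE_URL, PROTECTED_PAGE, ANONYMOUS),
        "content permission, member": render(OVERRIDE_URL, PROTECTED_PAGE, MEMBER),
    }


if __name__ == "__main__":
    for scenario, exposed in demo().items():
        print(f"{scenario}: {exposed}")
```

The first scenario reproduces what Hans observed: the login check is part of the view, so selecting a different view removes it. Locking the template for the extranet page type (first mitigation) closes that path, but only for the page types listed; a role check on the content itself (second mitigation) holds regardless of which template renders, which is why it is the more robust of the two.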
