This post relates to the image resize vulnerability fix introduced in Sitecore 7.5. To read more about the Sitecore fix, go to the Release notes page and search for “Media request protection”. I held off publishing this post for a number of months, as it puts the attack vector in plainer sight than I would like (while the community figured out how to work with media resizing in a neat way), but recently I’ve seen voices raised considering turning the media request protection off, which I hope you will not be doing after reading this post. The post will also tell you how to enable such protection on your older versions of Sitecore.
So here’s the story… At some point at Cognifide we performed research around Sitecore security, and one of my colleagues (Marek) found out that you could easily kill any Sitecore instance by performing an image resize attack on it. While the CMS did some rudimentary checks and limited the values of height and width, you could still perform an attack by harvesting the images from the site and issuing multiple parallel and iterative size increases, or by just plainly using the scale parameter to achieve any image size. The result of such an attack would be a denial of service due to 100% CPU and memory usage, and it would potentially allow for filling the server drive through an endless number of scaling calls.
Marek was even kind enough to provide proof of concept code that confirmed the hypothesis by performing the attack on a few of our internal servers. The program would load the home page, parse it to find the images linked from it and resize those images in a number of threads.
Psst… Mike made me add the image – supposedly without it I’m not as cool as Stephen!
Following the discovery I attempted to remedy the problem and, as a consequence, came up with the solution which I have recently put on GitHub – ImageGuard. It signs the rendered media links that use any of the resizing/scaling capabilities and filters all requests that try to resize/scale, allowing the resize only when the hash supplied with the request matches the one the module computes.
This solution is nowhere near as complete as the one later provided by Sitecore starting from version 7.5, but I still think it is worth making public to allow older versions of Sitecore to be guarded against this type of attack. Read the rest of this article »
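The shape of the sign-on-render, verify-on-request approach described above, as an added C# example (this is not ImageGuard’s or Sitecore’s own code): the resize parameters w/h/mw/mh/sc are Sitecore’s media query parameters, while the sig parameter name, the key handling and the canonical form are assumptions made for the illustration.

```csharp
using System;
using System.Collections.Specialized;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Illustration only: sign the resize parameters when a media link is rendered and
// reject any resize request whose signature is missing or does not match.
public static class MediaUrlSigner
{
    // Parameters that make the media handler scale the image; each must be covered by the signature.
    static readonly string[] ResizeKeys = { "w", "h", "mw", "mh", "sc" };
    // Placeholder secret (assumption): a real deployment loads it from configuration, never hard-codes it.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("CHANGE-ME");

    // Canonical form: lower-cased path plus the resize parameters in sorted order, so that
    // reordering the query string cannot yield a second valid URL for the same signature.
    static string Canonical(string path, NameValueCollection q) =>
        path.ToLowerInvariant() + "?" + string.Join("&",
            ResizeKeys.Where(k => q[k] != null).OrderBy(k => k).Select(k => k + "=" + q[k]));

    static string Sign(string path, NameValueCollection q)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(Canonical(path, q))));
    }

    // Rendering side: append the signature only when the link actually asks for scaling.
    public static string BuildUrl(string path, string query)
    {
        var q = HttpUtility.ParseQueryString(query);
        if (ResizeKeys.Any(k => q[k] != null)) q["sig"] = Sign(path, q);
        return q.Count == 0 ? path : path + "?" + q;
    }

    // Request side: plain media requests pass through; any resize request needs a matching signature.
    public static bool IsAllowed(string path, string query)
    {
        var q = HttpUtility.ParseQueryString(query);
        if (!ResizeKeys.Any(k => q[k] != null)) return true;
        string expected = Sign(path, q), given = q["sig"] ?? "";
        // Constant-time comparison, so response timing does not reveal how much of the signature matched.
        int diff = expected.Length ^ given.Length;
        for (int i = 0; i < Math.Min(expected.Length, given.Length); i++) diff |= expected[i] ^ given[i];
        return diff == 0;
    }
}
```

A request that carries a resize parameter but no sig, or whose w/h values were edited after rendering, fails IsAllowed and never reaches the scaling code.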
November 1st, 2014 by Adam Najmanowicz | 45 Comments
A large problem with Sitecore PowerShell Extensions up to version 3.0 was the lack of proper separation between the solutions provided on top of it and the core of the module. The problem is that all integrations look for scripts in the main Script Library, yet each of them looks only in its own single library there. The specification outlined in this blog aims at solving this issue. Read the rest of this article »
One thing I always wanted to add to the Cognifide PowerShell Console for Sitecore, but never had the chance to investigate properly, was GUI and user interaction. For example, in a regular PowerShell console, when an irreversible action needs to be taken, or one that the user needs to be notified about, a question is asked:
Unfortunately, due to the stateless and non-persistent nature of HTTP connections, this is not easily achievable in the Sitecore Sheer environment, especially since in our case a PowerShell session usually lives in a separate thread within a Sitecore Job.
I knew this had to be achievable, as Sitecore allows for rich interaction with the user, e.g. during a package installation process, but I could not find any documentation regarding this subject, and my Sitecore gurus’ posts were pretty discouraging in that regard:
But heck(!) Somehow the package Installer manages to show those pesky Overwrite/Merge/Skip dialogs, right?
Not discouraged by the early discoveries, I’ve dusted off my trusty copy of Reflector and dived inside the installer code. Following are the findings of my investigations and sample solutions for using them with your Jobs.
April 17th, 2013 by Adam Najmanowicz | 108 Comments
Reading the Item Buckets documentation some time ago, I discovered something really cool called code data sources. We delivered something similar in our internal libraries and it has proved super useful ever since. I’ve also recently read a nice article by Ronald Nieuwenhuis on NewGuid about their approach to the subject.
So what does a PowerShell and Sitecore nut do when he sees stuff like that? Obviously, he delivers a scripted data source!
Why do that?
Just proving that both Sitecore and PowerShell are infinitely malleable and mixable is good enough for me, but that’s not really the reason someone other than me would be interested in it.
Delivering complex functionality based on multiple criteria, e.g. your field may need to provide a different set of items to choose from based on:
user name or role (in the simplest case this can be done using rights management, but that may not always be possible in a more elaborate scenario)
current day or month…
in a multisite/multimarket scenario you may want to show different items for each site
engagement analytics parameters of the page
where in the tree an item exists (some of this can be done with the use of a “query:”)
anything you might want to build a code data source for…
Something that would be beyond the reach of a regular Sitecore query, and potentially something that you would really need to deliver a code data source for. But maybe you’re not in a position to deploy that on your environment?
January 29th, 2013 by Adam Najmanowicz | 42 Comments
A while ago Jakob suggested that putting the Sitecore PowerShell Console in Visual Studio might not be a bad idea. He even provided me with the boilerplate code that served as a stub for the module (Thanks a million Jakob!).
So after some struggling on my part, the new module is now on the Sitecore Marketplace. There is really not much to write about. If you like PowerShell and Sitecore Rocks you will find it pretty neat. Otherwise, I’m afraid those are not the droids you are looking for.
Basically, what it does is allow you to enjoy PowerShell automation while still skipping the web interface (that effectively is why you’re using Rocks, right?).
Installation is fairly straightforward. Once you download the zip file, unpack it somewhere on your drive and run the install.bat within it. Once you restart your Visual Studio you’ll be able to do the following:
Which should result in the following outcome:
Feel free to contact me or post your questions as a comment below.
There is a lot of new stuff in the imminent 2.0 release of the PowerShell Console for Sitecore. Some of it is fairly obvious, like the improved console window, some of it not so much. The aim of the console has always been to enable Sitecore developers to extend the CMS in new, exciting ways. For this to happen it had to become a mini-platform on its own. So far you could use it to add scripts to ribbons and menus, write scripted tasks and execute scripts just by launching them from a URL call.
That’s extending Sitecore with PowerShell, but what about PowerShell itself?
One of the coolest features introduced in 2.0 is the ability to write your own commandlets. Sure, you could always use PowerShell to do it and write commandlets in script. But then the caveat was that you had to attach such commandlets to your own scripts (or put them in the initial script that would have to execute prior to the console). Now I’m talking about writing real commandlets, just like those that come with the PowerShell console itself. Starting from 2.0 the console no longer defaults to attaching only the commandlets that come with it, but can also scan other assemblies to attach yours. To add your own, all you have to do is, well… write them, and then use the standard Sitecore include mechanism to let the console find them.
Including my own commandlets into Sitecore PowerShell Console
Here the type parameter is just a regular Sitecore type reference with a slight twist – you can use wildcards in it. So with the above example, the console will scan the Cognifide.PowerShell assembly and allow you to use all the commandlet classes that are tagged appropriately.
March 31st, 2012 by Adam Najmanowicz | 30 Comments
While I’m updating it on a separate page, I thought that for the purpose of having a record and further tracking it would be interesting to capture the state of PowerShell knowledge in the Sitecore community here as well.
January 23rd, 2012 by Adam Najmanowicz | 12 Comments
Most of this post is also based on Microsoft’s Windows PowerShell Quick Reference; however, despite sharing the scripting runtime, the nature of the two shells differs considerably, as described in the previous post: Sitecore PowerShell Console cheat sheet – Part 1. In all cases where it made sense I’ve converted the samples to establish them in Sitecore scenarios.
How to Write Conditional Statements
To write an If statement use code similar to this:
$page = Get-Item .;
# $me is assumed here to hold the current user's name, the value stored in "__Updated by"
$me = [Sitecore.Context]::User.Name;
$changedBy = $page."__Updated by";
if ($changedBy -eq "")
{ "Unspecified author - a system page?" }
elseif ($changedBy -eq $me)
{ "The page has been last edited by me!" }
else
{ "The page has been last edited by " + $changedBy }
Instead of writing a series of If statements you can use a Switch statement, which is equivalent to VBScript’s Select Case statement:
$page = Get-Item .;
switch ($page.Language) {
    "en"     {"This version is in English"}
    "pl"     {"This version is in Polish"}
    "tlh-KX" {"This version is in Klingon?!"}
    default  {"No idea what this language is!"}
}