Error: Method Through Reflection is Not Allowed after Applying Sitecore Hotfix
The recent Sitecore security bulletin SC2023-003-587441 addresses Critical (582720) and High (584731) severity vulnerabilities in Sitecore software and provides a cumulative hotfix for them.
I have applied this hotfix in my solution and deployed it, but I have encountered the following error while publishing the Sitecore Items.
Server Error in '/' Application.
Calling *********.****.sitecore.shell.Applications.Dialogs.Publish.PublishForm.StartPublisher method through reflection is not allowed.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: Sitecore.Exceptions.AccessDeniedException: Calling *********.****.sitecore.shell.Applications.Dialogs.Publish.PublishForm.StartPublisher method through reflection is not allowed.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[AccessDeniedException: Calling *********.****.sitecore.shell.Applications.Dialogs.Publish.PublishForm.StartPublisher method through reflection is not allowed.]
   Sitecore.Reflection.MethodFilter.Filter(MethodInfo method) +1167
   Sitecore.Shell.Framework.Commands.CommandManager.GetMethodCommand(String command) +701
   Sitecore.Web.UI.Sheer.ClientPage.Dispatch(String command) +35
   Sitecore.Web.UI.Sheer.ClientPage.RaiseEvent() +144
   Sitecore.Web.UI.Sheer.ClientPage.OnPreRender(EventArgs e) +806
   System.Web.UI.Control.PreRenderRecursiveInternal() +200
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +7479
If you are looking for how to install the Sitecore cumulative hotfix on OnPrem and PaaS instances, see the blog post: Sitecore Cumulative Hotfixes Installation on OnPrem and PaaS
Solution:
This Security Hotfix might add a security layer that prevents the execution of unexpected methods through reflection. As I have customized the publishing method for Sitecore items, I am getting this issue while publishing the Sitecore items.
- Go to the path "\App_Config\Sitecore\CMS.Core\" and open the "Sitecore.Reflection.Filtering.config" file.
- Add the method name to the "Sitecore.Reflection.Filtering.config" file:
    <allowedMethods>
      <!--Example: <descriptor type="SampleNameSpace.MyClass" methodName="MyMethod" assemblyName="MyAssembly"/> -->
      <!--your allowed methods-->
      <descriptor type="{assemblyName}.sitecore.shell.Applications.Dialogs.Publish.PublishForm" methodName="StartPublisher" assemblyName="{assemblyName}"/>
    </allowedMethods>
- Add a method pattern to the "Sitecore.Reflection.Filtering.config" file:
    <allowedPatterns>
      <pattern value="^Sitecore\..*,Sitecore\..*$"/>
      <!--your allowed patterns-->
      <pattern value="^{solutionName}\..*,{solutionName}\..*$"/>
    </allowedPatterns>
  Where the "value" is a regular expression matched against the method name string in the format "NameSpace.Class.Method, AssemblyName".
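The two options above do not grant the same access: a descriptor admits one method, while a solution-wide pattern admits every method in matching assemblies. The following is an added example, not code from the original post or from Sitecore; it approximates the matching described above so an allow-list can be reviewed before deployment. The names "Acme" and "Acme.Website", the `<root>` wrapper, the function name and the method strings are all hypothetical, and the strings are written without a space after the comma because the patterns shown only match that form.

```powershell
# Constructed sample: the two sections from the post inside a placeholder <root>.
# "Acme" / "Acme.Website" are hypothetical stand-ins for {solutionName} / {assemblyName}.
[xml]$config = @'
<root>
  <allowedMethods>
    <descriptor type="Acme.Website.sitecore.shell.Applications.Dialogs.Publish.PublishForm"
                methodName="StartPublisher" assemblyName="Acme.Website"/>
  </allowedMethods>
  <allowedPatterns>
    <pattern value="^Sitecore\..*,Sitecore\..*$"/>
    <pattern value="^Acme\..*,Acme\..*$"/>
  </allowedPatterns>
</root>
'@

# Constructed method strings. Assumption: no space after the comma, as the patterns require.
$candidates = @(
    'Acme.Website.sitecore.shell.Applications.Dialogs.Publish.PublishForm.StartPublisher,Acme.Website'
    'Acme.Website.Admin.UserTools.ResetPassword,Acme.Website'
    'Other.Lib.Helper.Run,Other.Lib'
)

function Test-ReflectionAllowList {
    param([xml]$Config, [string[]]$Methods)

    # Exact entries: one "Type.Method,Assembly" string per <descriptor>.
    $exact = @(foreach ($d in $Config.SelectNodes('//allowedMethods/descriptor')) {
        '{0}.{1},{2}' -f $d.GetAttribute('type'), $d.GetAttribute('methodName'), $d.GetAttribute('assemblyName')
    })
    # Regular expressions from <pattern value="...">, evaluated with the .NET regex engine.
    $patterns = @(foreach ($p in $Config.SelectNodes('//allowedPatterns/pattern')) {
        $p.GetAttribute('value')
    })

    foreach ($m in $Methods) {
        [pscustomobject]@{
            Method       = $m
            ByDescriptor = $exact -ccontains $m
            ByPattern    = @($patterns | Where-Object { [regex]::IsMatch($m, $_) }) -join ' ; '
        }
    }
}

Test-ReflectionAllowList -Config $config -Methods $candidates | Format-List
```

The second candidate is admitted only by the solution-wide pattern, so if the custom publish method is the only one that needs to be callable, the descriptor entry alone keeps the allow-list narrower.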
Happy Sitecoreing 😊
Thanks so much for this, I applied it as a patch file :)
I am getting an error while trying to Ctrl+S, after applying this patch