Update available

Topics: Announcements
Coordinator
Dec 20, 2011 at 10:03 PM

Dear Orchard community members,

We just published an updated version of Orchard. This fixes an issue that could have enabled a form of open redirection attack. We made it very easy for existing Orchard instances to be upgraded by providing patch files for each version from 1.0 to 1.3:

· From 1.3.9 to 1.3.10: http://orchard.codeplex.com/releases/69668/download/316960
· From 1.2.41 to 1.2.42: http://orchard.codeplex.com/releases/65184/download/316961
· From 1.1.30 to 1.1.31: http://orchard.codeplex.com/releases/59918/download/316962
· From 1.0.20 to 1.0.21: http://orchard.codeplex.com/releases/50197/download/316966

To apply the patch, extract the zip file, back up your existing version of the dll that is in the bin directory of your site, and then copy the new dll into bin.

Developer
Dec 21, 2011 at 5:29 PM
Edited Dec 21, 2011 at 5:29 PM

Am I correctly assuming that the patch in changeset 7a0275114b28 will make all calls to RedirectLocal() safe, without the preliminary IsLocalUrl check?

Coordinator
Dec 21, 2011 at 6:05 PM

True. When you want to redirect using ReturnUrl, always use RedirectLocal(). It uses IsLocalUrl internally, plus some other checks.

Developer
Dec 21, 2011 at 6:27 PM

Kewl, thanks.
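
The Coordinator's reply above says RedirectLocal() validates ReturnUrl with IsLocalUrl plus some other checks. As an added example that is not part of the thread and not Orchard's source, this C# sketch shows the kind of local-URL test involved; SafeRedirect, IsLocalPath, Resolve and the sample URLs are hypothetical, and the control-character rejection is an extra check assumed here.

```csharp
using System;

// Added sketch: not Orchard's RedirectLocal() source. All names are hypothetical.
static class SafeRedirect
{
    // True only for values that keep the browser on the current host.
    public static bool IsLocalPath(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;

        // Extra check assumed for this sketch: control characters can change
        // how a browser parses the value, so reject them outright.
        foreach (char c in url)
            if (char.IsControl(c)) return false;

        // "~/..." is an application-relative path.
        if (url.Length > 1 && url[0] == '~' && url[1] == '/') return true;

        // "/..." is host-relative, but "//host" is protocol-relative and
        // "/\host" is treated like "//host" by some browsers.
        if (url[0] != '/') return false;
        return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
    }

    // Returns returnUrl when it is local, otherwise the fallback.
    public static string Resolve(string returnUrl, string fallback)
    {
        return IsLocalPath(returnUrl) ? returnUrl : fallback;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample ReturnUrl values (not taken from the thread).
        string[] samples = {
            "/Admin", "~/Admin", "/",
            "https://attacker.example/login", "//attacker.example/",
            "/\\attacker.example/", "attacker.example/path", "", null
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-32} -> {1}", s ?? "(null)", SafeRedirect.Resolve(s, "~/"));
    }
}
```

Only the first three samples are kept as redirect targets; every other value resolves to the fallback "~/".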