Update available

Topics: Announcements
Dec 20, 2011 at 11:03 PM

Dear Orchard community members,

We just published an updated version of Orchard. This fixes an issue that could have enabled a form of open redirection attack. We made it very easy for existing Orchard instances to be upgraded by providing patch files for each version from 1.0 to 1.3:

· From 1.3.9 to 1.3.10:

· From 1.2.41 to 1.2.42:

· From 1.1.30 to 1.1.31:

· From 1.0.20 to 1.0.21:

To apply the patch, extract the zip file, back up your existing version of the dll that is in the bin directory of your site, and then copy the new dll into bin.

Dec 21, 2011 at 6:29 PM
Edited Dec 21, 2011 at 6:29 PM

Am I correctly assuming that the patch in changeset 7a0275114b28 will make all calls to RedirectLocal() safe, without the preliminary IsLocalUrl check?

Dec 21, 2011 at 7:05 PM

True. When you want to redirect using ReturnUrl, always use RedirectLocal(). It uses IsLocalUrl internally, plus some other checks.
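The kind of check discussed in this exchange, as an added example that is not part of the original thread and is not Orchard's source code: a ReturnUrl is followed only when it is app-relative, otherwise a fixed fallback is used. `SafeRedirectTarget`, the fallback `~/` and the sample values are assumptions made for illustration; the "other checks" mentioned in the reply are not shown on this page and are not reproduced here.

```csharp
using System;

// Added illustration, not Orchard's code. IsLocalUrl here is a local
// re-implementation of the idea; SafeRedirectTarget is a hypothetical name.
static class LocalRedirectDemo
{
    // True only for app-relative targets: "/path" or "~/path".
    // "//host" and "/\host" are rejected because browsers treat them as
    // scheme-relative URLs that point at another host.
    static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url[0] == '/')
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
        return url.Length > 1 && url[0] == '~' && url[1] == '/';
    }

    // Stand-in for the decision a RedirectLocal-style helper makes: follow
    // returnUrl only when it is local, otherwise go to a fixed default.
    static string SafeRedirectTarget(string returnUrl, string fallback = "~/")
    {
        return IsLocalUrl(returnUrl) ? returnUrl : fallback;
    }

    static void Main()
    {
        // Constructed sample ReturnUrl values (not taken from the page).
        string[] samples =
        {
            "/Admin", "~/Users/Account/LogOn", "/",
            "http://example.org/", "//example.org/", "/\\example.org/",
            "", null
        };
        foreach (var s in samples)
            Console.WriteLine("{0,-28} -> {1}", s ?? "(null)", SafeRedirectTarget(s));
    }
}
```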

Dec 21, 2011 at 7:27 PM

Kewl, thanks.