When AllowUnsafeUpdates doesn't do "it"....

Hi,

My name is Jonas and I work here at Bamboo as an Architect. I will try to share some of the solutions we have found to the daily "challenges" of working with SharePoint.

If you have ever tried to do the "forbidden" and update SharePoint state on an HTTP GET request, you have already found the AllowUnsafeUpdates property. It's available on both the SPSite and SPWeb objects. We ran into an issue trying to update a Feature property on a GET request. The feature had site scope, so we assumed that setting AllowUnsafeUpdates to true on the site before updating the property would solve the problem.

The problem was that it didn't help.... So we thought: how does the ObjectModel know what type of request it is? By checking the HttpContext. Fortunately you can write to the HttpContext.Current property, so we decided to set it to null before calling Update and then set it back, like this:

 

This will take care of the "problem". I don't really want to promote this, since it's better never to update state on a GET request. But the technique is usable for all the places in the ObjectModel where there are security checks against the HttpContext. Now in version 3 we have the RunWithElevatedPrivileges method, but it doesn't work all the time, and if you are still on WSS2 this can be quite useful. Instead of creating a new AppDomain and running the code there, as described in Advanced coding technique: using AppDomains to get past OM limitations, you can revert to the application pool account and reset the context.
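The context-reset trick above, as an added example (not the post's own classes): a disposable scope that hides HttpContext.Current from the object model for the duration of the Update and restores it afterwards, wrapped in an update routine that first insists on a POST with a valid form digest so the change cannot be triggered by merely requesting a URI. The SPFeaturePropertyCollection calls (indexer returning null when absent, Add, Update) and the feature-lookup by Guid are assumptions about the WSS3 API; the class and method names are mine.

```csharp
using System;
using System.Web;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

// The trick from the post as a disposable scope: hide HttpContext.Current from
// the object model while Update runs, then put it back. With the context gone the
// OM cannot tell a GET from a POST, so the caller must validate the request itself.
public sealed class HttpContextSuspendScope : IDisposable
{
    private readonly HttpContext _saved;
    public HttpContextSuspendScope() { _saved = HttpContext.Current; HttpContext.Current = null; }
    public void Dispose() { HttpContext.Current = _saved; }
}

public static class FeaturePropertyUpdater
{
    // Updates a site-scoped feature property only on a POST carrying a valid form
    // digest, so the change cannot be triggered just by requesting a URI (the
    // crawler/attacker risk raised in the comments). Returns false when rejected.
    public static bool GuardedUpdate(SPSite site, Guid featureId, string key, string value)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx != null)
        {
            bool isPost = string.Equals(ctx.Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase);
            if (!isPost || !SPUtility.ValidateFormDigest())
                return false;   // never change state on GET or without a digest
        }

        SPFeature feature = site.Features[featureId];   // assumed: null if not activated
        if (feature == null) return false;

        bool previous = site.AllowUnsafeUpdates;
        try
        {
            site.AllowUnsafeUpdates = true;
            // Our own check has passed; suspend the context only for the Update call.
            using (new HttpContextSuspendScope())
            {
                SPFeatureProperty prop = feature.Properties[key];   // assumed: null when absent
                if (prop == null) feature.Properties.Add(new SPFeatureProperty(key, value));
                else prop.Value = value;
                feature.Properties.Update();
            }
            return true;
        }
        finally
        {
            site.AllowUnsafeUpdates = previous;   // restore, even if Update throws
        }
    }
}
```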

So here are some classes you can use:

Reset the Context:

 

And put them together for WSS2:

Now you can use it like this:

Update:

Here you can find some in depth explanation of how AllowUnsafeUpdates works.

http://hristopavlov.wordpress.com/2008/05/16/what-you-need-to-know-about-allowunsafeupdates/

 

/Jonas


Posted May 15 2008, 01:00 AM by Jonas Nilsson

Comments


Larry Cross wrote re: When AllowUnsafeUpdates doesn't do "it"....
on Mon, Sep 22 2008 3:54 PM

Hi - Question.

To enable an anonymous user to kick off a list-associated workflow in MOSS we've built a codebehind project (ref: Andrew Connell) and determined that we must use runwith elevated privs and allowunsafeupdates=true.

In our scenario, we have a MOSS 2007 public facing Publishing site w Windows authentication.

My question is this : if we go this route, what is our exposure to exploits?  We need the capability for anonymous workflow initiation, but are we sacrificing security by allowing this?

Thanks for your help,

Larry Cross

Jonas Nilsson wrote re: When AllowUnsafeUpdates doesn't do "it"....
on Mon, Sep 22 2008 7:58 PM

Larry,

The only thing I strongly advise you to change is the requirement to set AllowUnsafeUpdates to true.

This indicates that you are starting the workflow on an HTTP GET request and thus it can be started by just creating the correct URI. This can be used by a "malicious" attacker or by your "friend" the search engine, be it Google or Search Server ;) You probably don't want your workflows started by the search engine.

Thanks

/Jonas

BitVector wrote AllowUnsafeUpdates
on Fri, Sep 24 2010 4:30 AM

AllowUnsafeUpdates

Bamboo Solutions Corporation, 2002-2014