Please create a method that will convert the old expressions to new format and make them re-usable again.
That is a good idea, Paul. Thank you!
We've been thinking from different perspectives, and in all cases we would like to avoid returning any of the vulnerable classes/methods (LosFormatter, BinaryFormatter) into our source code, and other ways of doing this will be overwhelming and unnecessary.
I think the extension method you shared would be a very good workaround until all Filter Expressions are converted to the new format, then everyone can rid their apps from those flag raising lines of code.
@Paul, as a token of gratitude for sharing this idea, I have rewarded you with Telerik points.
Here is an example of integrating Paul's Idea for Extension Method.
Create a new Static Class in your app that will contain the extension method. The method uses the original code we removed from the source code with the Security Updates:
public static class RadFilterExtensions
{
    // Legacy loader: this is the BinaryFormatter-based code that was removed from
    // RadFilter in the security update. It is kept only as a migration path.
    public static void LoadLegacySettings(this Telerik.Web.UI.RadFilter filter, string state)
    {
        using (System.IO.MemoryStream memoryStream = new System.IO.MemoryStream())
        {
            var bytes = System.Convert.FromBase64String(state);
            memoryStream.Write(bytes, 0, bytes.Length);
            memoryStream.Seek(0, System.IO.SeekOrigin.Begin);
            // Deserializes the old binary view-state payload (the unsafe part)
            var savedState = new System.Runtime.Serialization.Formatters.Binary.BinaryFormatter().Deserialize(memoryStream);
            filter.RootGroup.Expressions.Clear();
            ((System.Web.UI.IStateManager)filter.RootGroup).LoadViewState(savedState);
            filter.RecreateControl();
        }
    }
}
When loading the settings, you can use a Try/Catch block that will first try restoring the state with the new Secure method and, if it fails, falls back to the Legacy function. Important: As stated by Paul, this code should only be used until all filters are converted to the new base64 format.
protected void btnLoadSettings_Click(object sender, EventArgs e)
{
    string savedState = "......";
    try
    {
        // Try the new secure function, will work if it's the correct base64
        RadFilter1.LoadSettings(savedState);
    }
    catch (Exception)
    {
        // Fall back to Legacy Converter
        RadFilter1.LoadLegacySettings(savedState);
    }
}
Regards,
Attila Antal
Progress Telerik
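The fallback above keeps the BinaryFormatter path alive for as long as any stored filter is still in the old format. The point Paul makes is to run the legacy loader once, re-save each filter in the new format, and then delete the extension method. The following is an added example of such a one-time migration routine; it is not Telerik code and not part of this thread. It assumes the RadFilterExtensions.LoadLegacySettings method from the post above is present in the project, that RadFilter.LoadSettings(string) throws on input it cannot read, and that RadFilter.SaveSettings() returns the state string in the current secure format. The RadFilterStateMigration class, MigrationResult type and the dictionary of stored states are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using Telerik.Web.UI;

// Hypothetical one-time migration helper (added example, not Telerik code).
// Requires the RadFilterExtensions.LoadLegacySettings extension method.
public static class RadFilterStateMigration
{
    // Outcome of migrating one stored filter state.
    public sealed class MigrationResult
    {
        public string Key { get; set; }       // identifier of the stored state (e.g. a DB row id)
        public string NewState { get; set; }  // state re-saved in the current secure format
        public bool WasLegacy { get; set; }   // true if the BinaryFormatter path was needed
        public string Error { get; set; }     // non-null if neither loader accepted the value
    }

    // Converts every stored filter state into the current format, using one
    // RadFilter instance as the conversion vehicle. The secure LoadSettings is
    // always tried first; the legacy loader runs only when that throws, so values
    // already in the new format never touch BinaryFormatter.
    public static List<MigrationResult> MigrateAll(RadFilter filter, IDictionary<string, string> storedStates)
    {
        var results = new List<MigrationResult>();
        foreach (var entry in storedStates)
        {
            var result = new MigrationResult { Key = entry.Key };
            try
            {
                filter.LoadSettings(entry.Value);   // current secure format
                result.WasLegacy = false;
            }
            catch (Exception)
            {
                try
                {
                    filter.LoadLegacySettings(entry.Value);   // old BinaryFormatter format
                    result.WasLegacy = true;
                }
                catch (Exception ex)
                {
                    // Neither format: record it so the value can be reviewed, not silently dropped.
                    result.Error = ex.Message;
                    results.Add(result);
                    continue;
                }
            }
            // Re-serialize with the current SaveSettings so the stored value no
            // longer depends on the legacy loader.
            result.NewState = filter.SaveSettings();
            results.Add(result);
        }
        return results;
    }
}
```

Run MigrateAll once from a maintenance page or an admin-only handler, write each NewState back to wherever the filter states are persisted (keyed by Key), and review any entries with a non-null Error. Once every stored value loads through LoadSettings alone, remove the RadFilterExtensions class and the try/catch fallback from btnLoadSettings_Click so BinaryFormatter is gone from the code base again.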
As a workaround you could extend the radFilter class or create an extension method to load the old base64 string. I intend to use this method to update all old base64 filters I have saved. As this was changed during a security improvement, I wouldn't use this method other than for updating any saved base64 values over to the new format.
public void LoadLegacySettings(this Telerik.Web.UI.RadFilter radFilter, string state)
Hi Raul,
Thank you for the feature request.
We recently became aware of an issue stemming from changes we implemented as part of an important security improvement. Specifically, we replaced the now-unsafe BinaryFormatter with a more secure alternative. While this update was necessary to ensure a higher level of security, it appears to have caused unintended side effects that may affect the SaveSettings() and LoadSettings() functions of the RadFilter.
The filters that were saved previously were stored in a different format than the one the updated functions use, thus the expressions stored in the previous version are no longer compatible.
We're currently researching an approach that will allow converting the previous expressions to the new format and make them work with the latest security changes.
Regards,
Attila Antal
Progress Telerik