Simptomai
Įdiegus bet kurį iš rugsėjo " 2018" .NET Framework saugos naujinimų , kad išspręstumėte cve-2018-8421 (".NET Framework" nuotolinio kodo vykdymo pažeidžiamumas), "SharePoint out-of-the-box" darbo eigos nustos veikti. Kai iškyla ši problema, užregistruojamas klaidos įrašas, panašus į šį:
<Date> <Time> w3wp.exe (0x1868) 0x22FC SharePoint Foundation Workflow Infrastructure 72fs Unexpected RunWorkflow: Microsoft.SharePoint.SPException: <Error><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1"…
Klaidos įrašas rodo, kad System. CodeDom. CodeBinaryOperatorExpression nėra įtraukta į autorizuotas rūšis.
Daugiau informacijos apie rugsėjo ".NET" saugos naujinimus rasite šiame "Microsoft .net" interneto dienoraščio puslapyje.
Priežastis
Darbo eigos Foundation (WF) veikia tik tada, kai visi priklausomų tipų ir mazgai yra įgalioti .NET config faile (arba pridedamas tiesiogiai per kodą) Šiame medyje:
<configuration>
<System.Workflow.ComponentModel.WorkflowCompiler>
<authorizedTypes>
<targetFx>
Tačiau po naujinimo kai kurie tipai, kuriuos naudoja "SharePoint" out-of-Box darbo eigos, kurios anksčiau nebuvo reikalingos, dabar būtini.
Sprendimas
Norėdami išspręsti šią problemą, taikykite reikiamus saugos ir ne saugos naujinimus iš šių žinių bazės straipsnių:
4461501 "SharePoint Enterprise Server 2016" saugos naujinio aprašas: lapkričio 13, 2018 4461508 lapkričio 13 d. 2018, Kaupiamasis naujinimas, skirtas "SharePoint Foundation 2013" (KB4461508) 4461510 lapkričio 13 d. 2018, Kaupiamasis naujinimas, skirtas "SharePoint Enterprise Server 2013" (KB4461510) 4011713 lapkričio 13 d., 2018, naujinimas, skirtas "SharePoint Foundation 2010" (KB4011713) 4461528 lapkričio 13 d. 2018, Kaupiamasis naujinimas, skirtas "SharePoint Server 2010" (KB4461528)
Pastabos
-
Įdiegus naujinimą, "SharePoint" produktų konfigūravimo vediklis turi būti paleidžiamas, kad pataisa būtų visiškai pritaikyta.
-
Kai kurios trečiosios šalies arba pasirinktinio darbo eigos veiksmai gali turėti papildomų priklausomybių. Jei susiduriate su problema, kuri yra panaši į šią problemą, bet šiame straipsnyje neaptariama, susisiekite su darbo eigos veiksmų kūrėju dėl pagalbos.
Sprendimas
Norėdami išspręsti šią problemą, tiesiogiai įtraukite reikiamus tipus į Web. config failą visose programose. Nors rankiniu būdu pateikiami veiksmai, rekomenduojame naudoti scenarijų metodą.
Norėdami išspręsti šią problemą, tiesiogiai įtraukite reikiamus tipus į visų taikomųjų programų Web. config failus.
"SharePoint 2013" ir naujesnėse versijose
Jei turite "SharePoint" 2013 ir vėlesnes versijas, įtraukite šias eilutes:
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeBinaryOperatorExpression" Authorized="True" />
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePrimitiveExpression" Authorized="True" />
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodInvokeExpression" Authorized="True" />
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodReferenceExpression" Authorized="True" />
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeFieldReferenceExpression" Authorized="True" />
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeThisReferenceExpression" Authorized="True" />
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePropertyReferenceExpression" Authorized="True" />
"SharePoint" versijos, senesnės nei "SharePoint 2013"
Jei esate anksčiau nei 2013 "SharePoint" versijose, pridėkite šias eilutes vietoj:
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeBinaryOperatorExpression" Authorized="True" />
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePrimitiveExpression" Authorized="True" />
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodInvokeExpression" Authorized="True" />
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodReferenceExpression" Authorized="True" />
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeFieldReferenceExpression" Authorized="True" />
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeThisReferenceExpression" Authorized="True" />
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePropertyReferenceExpression" Authorized="True" />
Rekomenduojame paleisti šį scenarijų vietoj to, kad tiesiogiai modifikuojant esamus failus.
Pastaba. Kai kurie trečiosios šalies darbo eigos varikliai gali reikalauti įtraukti papildomų tipų. Jei taip ir yra, susisiekite su tiekėju, kad būtų pateikta informacija apie reikiamus tipus, tada atitinkamai pakoreguokite scenarijų.
Toliau pateiktas scenarijaus pakeitimas Web. config visoms žiniatinklio programoms, kad įtrauktumėte reikiamus įrašus. Šis scenarijus įtraukia šių tipų esamas žiniatinklio programas ir taikomąsias programas, sukurtas po scenarijaus. Scenarijus turi būti vykdomas tik vieną kartą iš bet kurio žiniatinklio išorinio serverio (jis atnaujins visus serverius).
<#
This script adds the entries to all web.config files for all web applications in the farm.
Run this script as Farm Administrator in one of the WFEs.
This script has to run only one time.
SUMMARY:
This script uses the native SharePoint SPWebConfigModification API to deploy new updates to the web.config file for each web application on each server in the farm. Servers that are added at a later date will also get the updates applied because the API configuration is persisted in the config database. This API does not update the web.config for the central administration web application.
If you are running workflows on the central admin web application, you will have to manually update the web.config by using the steps in the referenced blog.
==============================================================
#>
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue | Out-Null
function Add-CodeDomAuthorizedType
{
<#
.Synopsis
Adds the necessary authorizedType elements to all web.config files for all non-central admin web applications
.DESCRIPTION
Adds the necessary authorizedType elements to all web.config files for all non-central admin web applications
.EXAMPLE
Add-CodeDomAuthorizedType
#>
[CmdletBinding()]
param
(
)
begin
{
$farmMajorVersion = (Get-SPFarm -Verbose:$false ).BuildVersion.Major
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$typeNames = @( "CodeBinaryOperatorExpression", "CodePrimitiveExpression", "CodeMethodInvokeExpression", "CodeMethodReferenceExpression", "CodeFieldReferenceExpression","CodeThisReferenceExpression", "CodePropertyReferenceExpression")
}
process
{
if( @($contentService.WebConfigModifications | ? { $_.Name -eq "NetFrameworkAuthorizedTypeUpdate" }).Count -gt 0 )
{
Write-Warning "Existing NetFrameworkAuthorizedTypeUpdate entries found, this script has to be run only one time per farm."
return
}
if( $farmMajorVersion -le 14 ) # 2010, 2007
{
foreach( $typeName in $typeNames )
{
# System, Version=2.0.0.0
$netFrameworkConfig = New-Object Microsoft.SharePoint.Administration.SPWebConfigModification
$netFrameworkConfig.Path = "configuration/System.Workflow.ComponentModel.WorkflowCompiler/authorizedTypes"
$netFrameworkConfig.Name = "authorizedType[@Assembly='System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'][@Namespace='System.CodeDom'][@TypeName='{0}'][@Authorized='True']" -f $typeName
$netFrameworkConfig.Owner = "NetFrameworkAuthorizedTypeUpdate"
$netFrameworkConfig.Sequence = 0
$netFrameworkConfig.Type = [Microsoft.SharePoint.Administration.SPWebConfigModification+SPWebConfigModificationType]::EnsureChildNode
$netFrameworkConfig.Value = '<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" Namespace="System.CodeDom" TypeName="{0}" Authorized="True"/>' -f $typeName
$contentService.WebConfigModifications.Add($netFrameworkConfig);
}
}
else # 2013+
{
foreach( $typeName in $typeNames )
{
# System, Version=4.0.0.0
$netFrameworkConfig = New-Object Microsoft.SharePoint.Administration.SPWebConfigModification
$netFrameworkConfig.Path = "configuration/System.Workflow.ComponentModel.WorkflowCompiler/authorizedTypes/targetFx"
$netFrameworkConfig.Name = "authorizedType[@Assembly='System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'][@Namespace='System.CodeDom'][@TypeName='{0}'][@Authorized='True']" -f $typeName
$netFrameworkConfig.Owner = "NetFrameworkAuthorizedTypeUpdate"
$netFrameworkConfig.Sequence = 0
$netFrameworkConfig.Type = [Microsoft.SharePoint.Administration.SPWebConfigModification+SPWebConfigModificationType]::EnsureChildNode
$netFrameworkConfig.Value = '<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" Namespace="System.CodeDom" TypeName="{0}" Authorized="True"/>' -f $typeName
$contentService.WebConfigModifications.Add($netFrameworkConfig);
}
}
Write-Verbose "Updating web.configs"
$contentService.Update()
$contentService.ApplyWebConfigModifications();
}
end
{
}
}
function Remove-CodeDomAuthorizedType
{
<#
.Synopsis
Removes any web configuration entries owned by "NetFrameworkAuthorizedTypeUpdate"
.DESCRIPTION
Removes any web configuration entries owned by "NetFrameworkAuthorizedTypeUpdate"
.EXAMPLE
Remove-CodeDomAuthorizedType
#>
[CmdletBinding()]
param()
begin
{
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
}
process
{
$webConfigModifications = @($contentService.WebConfigModifications | ? { $_.Owner -eq "NetFrameworkAuthorizedTypeUpdate" })
foreach ( $webConfigModification in $webConfigModifications )
{
Write-Verbose "Found instance owned by NetFrameworkAuthorizedTypeUpdate"
$contentService.WebConfigModifications.Remove( $webConfigModification ) | Out-Null
}
if( $webConfigModifications.Count -gt 0 )
{
$contentService.Update()
$contentService.ApplyWebConfigModifications()
}
}
end
{
}
}
# The following command will get the timerjob responsible for the web.config change deployment
# Get-SPTimerJob | ? { $_.Name -eq "job-webconfig-modification" }
# The following command will make the appropriate changes
Add-CodeDomAuthorizedType
# Remove the following command if you have to remove the web.config updates, you can use this function to retract the changes
# Remove-CodeDomAuthorizedType