Simptomi
Pēc tam, kad būsit instalējis 2018 .NET Framework drošības atjauninājumus , lai atrisinātu CVE-2018-8421 (.NET Framework attālā koda izpildes ievainojamība), SharePoint gatavās darbplūsmas pārstāj darboties. Kad rodas šī problēma, tiek reģistrēts kļūdas ieraksts, kas līdzīgs šim:
<Date> <Time> w3wp.exe (0x1868) 0x22FC SharePoint Foundation Workflow Infrastructure 72fs Unexpected RunWorkflow: Microsoft.SharePoint.SPException: <Error><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1"…
Kļūdas ievadne norāda, ka System. CodeDom. CodeBinaryOperatorExpression nav iekļauta autorizētajos tipos.
Papildinformāciju par .NET drošības atjauninājumu septembri skatiet šajā Microsoft .NET emuāra lapā.
Cēlonis
Workflow Foundation (WF) izpilda darbplūsmas tikai tad, ja visi apgādājamie tipi un montāžas ir autorizēti .NET config failā (vai skaidri ir pievienoti ar kodu) tālāk redzamajā kokā.
<configuration>
<System.Workflow.ComponentModel.WorkflowCompiler>
<authorizedTypes>
<targetFx>
Tomēr pēc atjaunināšanas ir nepieciešami daži tipi, ko izmanto SharePoint ārpus biroja, kas iepriekš nebija nepieciešami.
Risinājums
Lai atrisinātu šo problēmu, lietojiet atbilstošus drošības un nedrošības atjauninājumus no šādiem zināšanu bāzes rakstiem:
4461501 SharePoint Enterprise Server 2016 drošības atjauninājuma apraksts: 2018. gada 13. novembris 4461508 November 13, 2018, kumulatīvais atjauninājums programmai SharePoint Foundation 2013 (KB4461508) 4461510 November 13, 2018, kumulatīvais atjauninājums SharePoint Enterprise Server 2013 (KB4461510) 4011713 November 13, 2018, SharePoint Foundation 2010 atjauninājums (KB4011713) 4461528 November 13, 2018, kumulatīvais atjauninājums programmai SharePoint Server 2010 (KB4461528)
Piezīmes.
-
Pēc atjauninājuma instalēšanas SharePoint produktu konfigurācijas vednis ir jāpalaiž, lai labojums tiktu pilnībā lietots.
-
Dažām trešo pušu vai pielāgotu darbplūsmu darbībām var būt papildu atkarības. Ja rodas tāda darbība, kas ir līdzīga šai problēmai, bet nav aprakstīta šajā rakstā, lūdzu, iepazīstieties ar darbplūsmas darbību izstrādātājiem, lai saņemtu palīdzību.
Risinājums
Lai novērstu šo problēmu, skaidri pievienojiet nepieciešamos tipus visu lietojumprogrammu tīmekļa. config failam. Lai gan ir nodrošinātas manuālās darbības, iesakām izmantot skripta metodi.
Lai atrisinātu šo problēmu, skaidri pievienojiet nepieciešamos tipus visu lietojumprogrammu tīmekļa. config failiem.
SharePoint 2013 un jaunākās versijās
SharePoint 2013 un jaunākām versijām pievienojiet šādas rindiņas:
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeBinaryOperatorExpression" Authorized="True" />
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePrimitiveExpression" Authorized="True" />
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodInvokeExpression" Authorized="True" />
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodReferenceExpression" Authorized="True" />
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeFieldReferenceExpression" Authorized="True" />
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeThisReferenceExpression" Authorized="True" />
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePropertyReferenceExpression" Authorized="True" />
SharePoint versijās, kas vecākas par SharePoint 2013
SharePoint versijās, kas vecākas par 2013, jāpievieno šādas rindiņas:
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeBinaryOperatorExpression" Authorized="True" />
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePrimitiveExpression" Authorized="True" />
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodInvokeExpression" Authorized="True" />
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodReferenceExpression" Authorized="True" />
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeFieldReferenceExpression" Authorized="True" />
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeThisReferenceExpression" Authorized="True" />
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePropertyReferenceExpression" Authorized="True" />
Ieteicams palaist tālāk norādīto skriptu, nevis tieši modificēt esošos failus.
Piezīme.Dažiem trešo pušu darbplūsmas dzinējiem var būt nepieciešams pievienot papildu tipus. Šādā gadījumā sazinieties ar piegādātāju, lai iegūtu informāciju par nepieciešamajiem tipiem, un pēc tam atbilstoši pielāgojiet skriptu.
Tālāk norādītās skripta izmaiņas tīmekļa. config visām tīmekļa lietojumprogrammām, lai pievienotu nepieciešamos ierakstus. Šis skripts pievieno šos tipus esošajām tīmekļa lietojumprogrammām un lietojumprogrammām, kas tiek izveidotas pēc skripta izpildes. Skripts ir jāpalaiž tikai vienu reizi jebkurā Web front-end Server fermā (tiks atjaunināti visi serveri).
<#
This script adds the entries to all web.config files for all web applications in the farm.
Run this script as Farm Administrator in one of the WFEs.
This script has to run only one time.
SUMMARY:
This script uses the native SharePoint SPWebConfigModification API to deploy new updates to the web.config file for each web application on each server in the farm. Servers that are added at a later date will also get the updates applied because the API configuration is persisted in the config database. This API does not update the web.config for the central administration web application.
If you are running workflows on the central admin web application, you will have to manually update the web.config by using the steps in the referenced blog.
==============================================================
#>
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue | Out-Null
function Add-CodeDomAuthorizedType
{
<#
.Synopsis
Adds the necessary authorizedType elements to all web.config files for all non-central admin web applications
.DESCRIPTION
Adds the necessary authorizedType elements to all web.config files for all non-central admin web applications
.EXAMPLE
Add-CodeDomAuthorizedType
#>
[CmdletBinding()]
param
(
)
begin
{
$farmMajorVersion = (Get-SPFarm -Verbose:$false ).BuildVersion.Major
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$typeNames = @( "CodeBinaryOperatorExpression", "CodePrimitiveExpression", "CodeMethodInvokeExpression", "CodeMethodReferenceExpression", "CodeFieldReferenceExpression","CodeThisReferenceExpression", "CodePropertyReferenceExpression")
}
process
{
if( @($contentService.WebConfigModifications | ? { $_.Name -eq "NetFrameworkAuthorizedTypeUpdate" }).Count -gt 0 )
{
Write-Warning "Existing NetFrameworkAuthorizedTypeUpdate entries found, this script has to be run only one time per farm."
return
}
if( $farmMajorVersion -le 14 ) # 2010, 2007
{
foreach( $typeName in $typeNames )
{
# System, Version=2.0.0.0
$netFrameworkConfig = New-Object Microsoft.SharePoint.Administration.SPWebConfigModification
$netFrameworkConfig.Path = "configuration/System.Workflow.ComponentModel.WorkflowCompiler/authorizedTypes"
$netFrameworkConfig.Name = "authorizedType[@Assembly='System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'][@Namespace='System.CodeDom'][@TypeName='{0}'][@Authorized='True']" -f $typeName
$netFrameworkConfig.Owner = "NetFrameworkAuthorizedTypeUpdate"
$netFrameworkConfig.Sequence = 0
$netFrameworkConfig.Type = [Microsoft.SharePoint.Administration.SPWebConfigModification+SPWebConfigModificationType]::EnsureChildNode
$netFrameworkConfig.Value = '<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" Namespace="System.CodeDom" TypeName="{0}" Authorized="True"/>' -f $typeName
$contentService.WebConfigModifications.Add($netFrameworkConfig);
}
}
else # 2013+
{
foreach( $typeName in $typeNames )
{
# System, Version=4.0.0.0
$netFrameworkConfig = New-Object Microsoft.SharePoint.Administration.SPWebConfigModification
$netFrameworkConfig.Path = "configuration/System.Workflow.ComponentModel.WorkflowCompiler/authorizedTypes/targetFx"
$netFrameworkConfig.Name = "authorizedType[@Assembly='System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'][@Namespace='System.CodeDom'][@TypeName='{0}'][@Authorized='True']" -f $typeName
$netFrameworkConfig.Owner = "NetFrameworkAuthorizedTypeUpdate"
$netFrameworkConfig.Sequence = 0
$netFrameworkConfig.Type = [Microsoft.SharePoint.Administration.SPWebConfigModification+SPWebConfigModificationType]::EnsureChildNode
$netFrameworkConfig.Value = '<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" Namespace="System.CodeDom" TypeName="{0}" Authorized="True"/>' -f $typeName
$contentService.WebConfigModifications.Add($netFrameworkConfig);
}
}
Write-Verbose "Updating web.configs"
$contentService.Update()
$contentService.ApplyWebConfigModifications();
}
end
{
}
}
function Remove-CodeDomAuthorizedType
{
<#
.Synopsis
Removes any web configuration entries owned by "NetFrameworkAuthorizedTypeUpdate"
.DESCRIPTION
Removes any web configuration entries owned by "NetFrameworkAuthorizedTypeUpdate"
.EXAMPLE
Remove-CodeDomAuthorizedType
#>
[CmdletBinding()]
param()
begin
{
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
}
process
{
$webConfigModifications = @($contentService.WebConfigModifications | ? { $_.Owner -eq "NetFrameworkAuthorizedTypeUpdate" })
foreach ( $webConfigModification in $webConfigModifications )
{
Write-Verbose "Found instance owned by NetFrameworkAuthorizedTypeUpdate"
$contentService.WebConfigModifications.Remove( $webConfigModification ) | Out-Null
}
if( $webConfigModifications.Count -gt 0 )
{
$contentService.Update()
$contentService.ApplyWebConfigModifications()
}
}
end
{
}
}
# The following command will get the timerjob responsible for the web.config change deployment
# Get-SPTimerJob | ? { $_.Name -eq "job-webconfig-modification" }
# The following command will make the appropriate changes
Add-CodeDomAuthorizedType
# Remove the following command if you have to remove the web.config updates, you can use this function to retract the changes
# Remove-CodeDomAuthorizedType