Príznaky
Po inštalácii niektorého z aktualizácií zabezpečenia zo septembra 2018 .net Framework na vyriešenie CVE-2018-8421 (chyba .NET Framework vzdialeného spustenia kódu), pracovné postupy SharePointu mimo pracoviska prestane fungovať. Pri výskyte tohto problému sa zaznamená chybová položka, ktorá sa podobá nasledujúcemu hláseniu:
<Date> <Time> w3wp.exe (0x1868) 0x22FC SharePoint Foundation Workflow Infrastructure 72fs Unexpected RunWorkflow: Microsoft.SharePoint.SPException: <Error><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1" Text="Type System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file." /><CompilerError Line="-1" Column="-1"…
V položke chyby sa navrhuje, aby System. CodeDom. CodeBinaryOperatorExpression nie je zahrnutý v autorizovaných typoch.
Ďalšie informácie o aktualizáciách zabezpečenia zo septembra .NET nájdete na tejto stránke Microsoft .net blog.
Príčina
Doplnok Workflow Foundation (WF) spustí pracovné postupy iba vtedy, keď sú všetky závislé typy a zostavy povolené v konfiguračnom súbore .NET (alebo sa explicitne pridá prostredníctvom kódu) v nasledujúcom strome:
<configuration>
<System.Workflow.ComponentModel.WorkflowCompiler>
<authorizedTypes>
<targetFx>
Po aktualizácii sa však v súčasnosti vyžadujú niektoré typy, ktoré používajú pracovné postupy SharePointu mimo pracoviska, ktoré sa predtým nevyžadovali.
Riešenie
Ak chcete tento problém vyriešiť, použite príslušné aktualizácie zabezpečenia a nezabezpečenia z nasledujúcich článkov databázy Knowledge Base:
4461501 Popis aktualizácie zabezpečenia pre SharePoint Enterprise Server 2016:13. listopadu 2018 4461508 November 13, 2018, Kumulatívna aktualizácia pre SharePoint Foundation 2013 (KB4461508) 4461510 November 13, 2018, Kumulatívna aktualizácia pre SharePoint Enterprise Server 2013 (KB4461510) 4011713 November 13, 2018, aktualizácia pre SharePoint Foundation 2010 (KB4011713) 4461528 November 13, 2018, Kumulatívna aktualizácia pre SharePoint Server 2010 (KB4461528)
Poznámky:
-
Po nainštalovaní aktualizácie sa musí spustiť Sprievodca konfiguráciou služby SharePoint Products, aby sa oprava plne použila.
-
Niektoré akcie tretích strán alebo vlastné pracovné postupy môžu mať ďalšie závislosti. Ak sa vyskytnú problémy, ktoré sú podobné tomuto problému, ale nie sú uvedené v tomto článku, prečítajte si pomoc na vývojárov akcií pracovného postupu.
Alternatívne riešenie
Ak chcete obísť tento problém, explicitne pridajte potrebné typy do súboru Web. config všetkých aplikácií. Napriek tomu, že sú uvedené manuálne kroky, odporúčame použiť metódu skriptu.
Ak chcete alternatívne riešenie tohto problému, explicitne pridajte potrebné typy do súborov Web. config všetkých aplikácií.
Pre SharePoint 2013 a novšie verzie
V SharePointe 2013 a novších verziách pridajte nasledujúce riadky:
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeBinaryOperatorExpression" Authorized="True" />
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePrimitiveExpression" Authorized="True" />
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodInvokeExpression" Authorized="True" />
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodReferenceExpression" Authorized="True" />
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeFieldReferenceExpression" Authorized="True" />
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeThisReferenceExpression" Authorized="True" />
<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePropertyReferenceExpression" Authorized="True" />
Pre verzie SharePointu staršie ako SharePoint 2013
Pre verzie SharePointu staršie ako 2013 pridajte namiesto toho nasledovné riadky:
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeBinaryOperatorExpression" Authorized="True" />
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePrimitiveExpression" Authorized="True" />
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodInvokeExpression" Authorized="True" />
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodReferenceExpression" Authorized="True" />
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeFieldReferenceExpression" Authorized="True" />
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeThisReferenceExpression" Authorized="True" />
<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePropertyReferenceExpression" Authorized="True" />
Odporúčame spustiť nasledujúci skript namiesto priamej úpravy existujúcich súborov.
Poznámka: Niektoré motory pracovných postupov tretích strán môžu vyžadovať Pridanie ďalších typov. Ak ide o tento prípad, kontaktujte svojho dodávateľa s informáciami o požadovaných typoch a potom podľa toho upravte skript.
Nasledujúci skript zmení web. config pre všetky webové aplikácie na pridanie potrebných položiek. Tento skript pridá tieto typy existujúcich webových aplikácií a aplikácií vytvorených po spustení skriptu. Skript by sa mal spustiť len raz na ľubovoľnom webovom klientskom serveri farmy (bude aktualizovať všetky servery).
<#
This script adds the entries to all web.config files for all web applications in the farm.
Run this script as Farm Administrator in one of the WFEs.
This script has to run only one time.
SUMMARY:
This script uses the native SharePoint SPWebConfigModification API to deploy new updates to the web.config file for each web application on each server in the farm. Servers that are added at a later date will also get the updates applied because the API configuration is persisted in the config database. This API does not update the web.config for the central administration web application.
If you are running workflows on the central admin web application, you will have to manually update the web.config by using the steps in the referenced blog.
==============================================================
#>
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue | Out-Null
function Add-CodeDomAuthorizedType
{
<#
.Synopsis
Adds the necessary authorizedType elements to all web.config files for all non-central admin web applications
.DESCRIPTION
Adds the necessary authorizedType elements to all web.config files for all non-central admin web applications
.EXAMPLE
Add-CodeDomAuthorizedType
#>
[CmdletBinding()]
param
(
)
begin
{
$farmMajorVersion = (Get-SPFarm -Verbose:$false ).BuildVersion.Major
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$typeNames = @( "CodeBinaryOperatorExpression", "CodePrimitiveExpression", "CodeMethodInvokeExpression", "CodeMethodReferenceExpression", "CodeFieldReferenceExpression","CodeThisReferenceExpression", "CodePropertyReferenceExpression")
}
process
{
if( @($contentService.WebConfigModifications | ? { $_.Name -eq "NetFrameworkAuthorizedTypeUpdate" }).Count -gt 0 )
{
Write-Warning "Existing NetFrameworkAuthorizedTypeUpdate entries found, this script has to be run only one time per farm."
return
}
if( $farmMajorVersion -le 14 ) # 2010, 2007
{
foreach( $typeName in $typeNames )
{
# System, Version=2.0.0.0
$netFrameworkConfig = New-Object Microsoft.SharePoint.Administration.SPWebConfigModification
$netFrameworkConfig.Path = "configuration/System.Workflow.ComponentModel.WorkflowCompiler/authorizedTypes"
$netFrameworkConfig.Name = "authorizedType[@Assembly='System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'][@Namespace='System.CodeDom'][@TypeName='{0}'][@Authorized='True']" -f $typeName
$netFrameworkConfig.Owner = "NetFrameworkAuthorizedTypeUpdate"
$netFrameworkConfig.Sequence = 0
$netFrameworkConfig.Type = [Microsoft.SharePoint.Administration.SPWebConfigModification+SPWebConfigModificationType]::EnsureChildNode
$netFrameworkConfig.Value = '<authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" Namespace="System.CodeDom" TypeName="{0}" Authorized="True"/>' -f $typeName
$contentService.WebConfigModifications.Add($netFrameworkConfig);
}
}
else # 2013+
{
foreach( $typeName in $typeNames )
{
# System, Version=4.0.0.0
$netFrameworkConfig = New-Object Microsoft.SharePoint.Administration.SPWebConfigModification
$netFrameworkConfig.Path = "configuration/System.Workflow.ComponentModel.WorkflowCompiler/authorizedTypes/targetFx"
$netFrameworkConfig.Name = "authorizedType[@Assembly='System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'][@Namespace='System.CodeDom'][@TypeName='{0}'][@Authorized='True']" -f $typeName
$netFrameworkConfig.Owner = "NetFrameworkAuthorizedTypeUpdate"
$netFrameworkConfig.Sequence = 0
$netFrameworkConfig.Type = [Microsoft.SharePoint.Administration.SPWebConfigModification+SPWebConfigModificationType]::EnsureChildNode
$netFrameworkConfig.Value = '<authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" Namespace="System.CodeDom" TypeName="{0}" Authorized="True"/>' -f $typeName
$contentService.WebConfigModifications.Add($netFrameworkConfig);
}
}
Write-Verbose "Updating web.configs"
$contentService.Update()
$contentService.ApplyWebConfigModifications();
}
end
{
}
}
function Remove-CodeDomAuthorizedType
{
<#
.Synopsis
Removes any web configuration entries owned by "NetFrameworkAuthorizedTypeUpdate"
.DESCRIPTION
Removes any web configuration entries owned by "NetFrameworkAuthorizedTypeUpdate"
.EXAMPLE
Remove-CodeDomAuthorizedType
#>
[CmdletBinding()]
param()
begin
{
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
}
process
{
$webConfigModifications = @($contentService.WebConfigModifications | ? { $_.Owner -eq "NetFrameworkAuthorizedTypeUpdate" })
foreach ( $webConfigModification in $webConfigModifications )
{
Write-Verbose "Found instance owned by NetFrameworkAuthorizedTypeUpdate"
$contentService.WebConfigModifications.Remove( $webConfigModification ) | Out-Null
}
if( $webConfigModifications.Count -gt 0 )
{
$contentService.Update()
$contentService.ApplyWebConfigModifications()
}
}
end
{
}
}
# The following command will get the timerjob responsible for the web.config change deployment
# Get-SPTimerJob | ? { $_.Name -eq "job-webconfig-modification" }
# The following command will make the appropriate changes
Add-CodeDomAuthorizedType
# Remove the following command if you have to remove the web.config updates, you can use this function to retract the changes
# Remove-CodeDomAuthorizedType
