Umbraco exposes all tags publicly by default
Umbraco provides a TagsController (an UmbracoApiController) by default that allows anyone to publicly query all tags within the site with a simple GET request, e.g. https://umbraco.com/umbraco/api/tags/GetAllTags.
The controller is available in both Umbraco 7 & 8, although it was moved in v8:
- https://github.com/umbraco/Umbraco-CMS/blob/v7/dev/src/Umbraco.Web/WebServices/TagsController.cs
- https://github.com/umbraco/Umbraco-CMS/blob/v8/dev/src/Umbraco.Web/Controllers/TagsController.cs
The following remarks are added in the source, so I don’t think this is a BIG security issue (that’s why I’m creating this as an issue):
This controller does not contain methods to query for content, media or members based on tags, those methods would require authentication and should not be exposed publicly.
As tags could still expose information that shouldn't be public (e.g. classifications on media or members) and I don't see why Umbraco would include this controller by default, I would recommend removing this controller.
Nice! I can update my blog at some stage with that too.
In v8 you can actually remove the TagsController, etc… by type from the composers and they won’t be auto routed at all but in v7 you can’t do that so thought I’d write a similar solution that works for both.
But yes having an extension method on routes would be nice too, happy to accept a PR if you have time too 😃
Note: I’ve tested the workaround in both 7.14 and 8.0.2 by using
RouteTable.Routes.Remove(RouteTable.Routes["umbraco-api-Tags"]);
and that doesn’t break anything since we’re not actually removing the controller from being registered, just making sure it’s not routable.
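The route-removal workaround discussed in the thread, written out as startup code for both versions (an added example, not the maintainer's code; only the route name "umbraco-api-Tags" comes from the thread, the class names are my own). A v7 project keeps only the ApplicationEventHandler half and its usings, a v8 project only the composer/component half.

```csharp
using System.Web.Routing;
using Umbraco.Core;            // v7: ApplicationEventHandler, ApplicationContext
using Umbraco.Web;             // v7: UmbracoApplicationBase
using Umbraco.Core.Composing;  // v8: IUserComposer, Composition, IComponent

// Umbraco 7: ApplicationStarted fires after Umbraco has registered its API routes,
// so the "umbraco-api-Tags" route exists by the time we look for it.
public class RemoveTagsRouteHandler : ApplicationEventHandler
{
    protected override void ApplicationStarted(UmbracoApplicationBase umbracoApplication,
                                               ApplicationContext applicationContext)
    {
        TagsRouteRemover.Remove(RouteTable.Routes);
    }
}

// Umbraco 8: a user composer appends a component; its Initialize() runs at startup.
public class RemoveTagsRouteComposer : IUserComposer
{
    public void Compose(Composition composition)
        => composition.Components().Append<RemoveTagsRouteComponent>();
}

public class RemoveTagsRouteComponent : IComponent
{
    public void Initialize() => TagsRouteRemover.Remove(RouteTable.Routes);
    public void Terminate() { }
}

// Shared helper (hypothetical name). The controller stays registered; only its route is
// dropped, so GET /umbraco/api/tags/GetAllTags no longer resolves to it.
internal static class TagsRouteRemover
{
    private const string RouteName = "umbraco-api-Tags"; // name quoted in the thread above

    // Returns true when the route is gone afterwards (also true if it was never present).
    public static bool Remove(RouteCollection routes)
    {
        var route = routes[RouteName];
        if (route == null) return true;          // nothing to do, e.g. already removed
        using (routes.GetWriteLock())            // RouteCollection is shared; take the write lock
        {
            routes.Remove(route);
        }
        return routes[RouteName] == null;
    }
}
```

After deploying, confirm the endpoint returns 404 rather than a JSON array; the return value of Remove() can be logged at startup so the removal is visible in application logs.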