using System.Web.Routing; | |
using Umbraco.Core; | |
namespace RemoveRoutes
{
    /// <summary>
    /// Startup handler that removes a fixed list of named routes from the global
    /// <see cref="RouteTable"/> so the corresponding auto-routed controllers are no
    /// longer reachable through those routes.
    /// </summary>
    /// <remarks>
    /// Reference: https://github.com/umbraco/Umbraco-CMS/issues/5206
    /// Reference: https://shazwazza.com/post/need-to-remove-an-auto-routed-controller-in-umbraco/
    /// Note: RouteTable needs System.Web.dll
    /// </remarks>
    public class RemoveRoutesStartupHandler : ApplicationEventHandler
    {
        /// <summary>
        /// Override of <c>ApplicationEventHandler.ApplicationStarted</c>; looks up each
        /// listed route by name and removes it from <c>RouteTable.Routes</c>.
        /// </summary>
        /// <param name="umbracoApplication">Not used by this handler.</param>
        /// <param name="applicationContext">Not used by this handler.</param>
        protected override void ApplicationStarted(UmbracoApplicationBase umbracoApplication, ApplicationContext applicationContext)
        {
            // Names of the routes to take out, in the order they are removed.
            // According to the gist author, UmbLogin and UmbLoginStatus are listed as a
            // precaution (denial-of-service exposure); a site that removes them has to
            // provide its own login and login-status handling.
            string[] routeNames =
            {
                "umbraco-surface-UmbRegister",
                "umbraco-surface-UmbProfile",
                "umbraco-surface-UmbLogin",
                "umbraco-surface-UmbLoginStatus",
                "umbraco-api-Tags"
            };

            var routes = RouteTable.Routes;

            foreach (var routeName in routeNames)
            {
                // NOTE(review): the lookup result is passed straight to Remove with no
                // check. A name that is not registered presumably yields null and the
                // call removes nothing, so a renamed route would stay reachable without
                // any error — re-verify these names after every Umbraco upgrade.
                routes.Remove(routes[routeName]);
            }
        }
    }
}
@nul800sebastiaan - Since we are having the same issue, does your last comment mean we are fine to keep UmbLogin and UmbLoginStatus enabled?
@nul800sebastiaan - Since we are having the same issue, does your last comment mean we are fine to keep UmbLogin and UmbLoginStatus enabled?
@nul800sebastiaan - Could you please advise on the question above?
@SarikaRansubhe - the `UmbLogin` and `UmbLoginStatus` actions, to the best of our knowledge, cannot cause harm. However, we added them here since they could be used in a DoS attack, especially `UmbLogin`.
We recommend you remove those routes and implement your own logic for handling a login and showing the login status. If you're not worried about DoS attacks then you could leave these two actions as is.
Hi, do we delete the .cs file from App_Data once we run the website on the public server, or does it stay in there?
@bobi33 It has to stay in place; it's the only thing protecting you if you do not upgrade to the latest version of Umbraco.
@mkyukov - Indeed, it would break that. There's nothing all that harmful in the UmbLogin and UmbLoginStatus controllers, except if an attacker knows they exist then they could more easily try to perform a denial of service attack, especially for UmbLogin since each attempt will require some additional compute power. We added them to the list to be extra cautious mostly.