Who is impacted
The following versions of Umbraco Forms are affected:
- 8.0.0
- 8.1.0-8.1.3
- 8.2.0
- 8.3.0-8.3.1
In the latest versions of Forms, this problem has been fixed.
Details about the problem
The discovered data leak appears when using the email workflows built into Umbraco Forms. When those workflows are set up to send a confirmation email to the person filling out a form, it is possible, under special circumstances, that they get an email with the form data that someone else has entered.
Circumstances
Specifically, this can happen when two people submit a Form simultaneously.
Here is what we know from the reported issue:
- There has been a single report of this problem occurring for a customer and to the best of our knowledge this is not a widespread problem
- It happened for email workflows that are configured to send a confirmation message to the form submitter
- It happened on a server with high CPU usage / a lot of traffic
- This issue can only be reproduced locally by artificially throttling a test website, not from normal usage
- If you are not using workflows that send data back to the original person who is submitting a form then this doesn’t apply to you
- If you are using workflows that send data somewhere that is out of your control and can be read by third parties, you should update to the latest Forms release
However, even though this is not a widespread issue, we still recommend you set aside resources to upgrade your site as soon as possible, as it could potentially lead to a data leak.
Technical resolution
The bug has been traced to the usage of singletons for workflows. Those usages have been updated so that workflows are instantiated uniquely.
Additionally, we reviewed the code that runs for any workflow in Forms and made sure that the problem couldn’t be triggered any more. The customer who originally reported the bug also could no longer reproduce the problem after receiving that update from us.
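The class of bug described above, as an added example that is not Umbraco Forms code: it assumes a workflow that keeps per-submission data in an instance field, and compares one shared instance with a new instance per submission. The class, method and field names are hypothetical and the addresses are constructed sample data.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Threading;

// Hypothetical workflow type: it keeps per-submission data in an instance field.
class ConfirmationEmailWorkflow
{
    private string _body;

    public (string To, string Body) Execute(string submitterEmail, string formData)
    {
        _body = formData;   // per-submission state stored on the instance
        Thread.Sleep(50);   // stands in for slow work on a heavily loaded server
        // With a shared instance, _body may now hold another submitter's data.
        return (submitterEmail, _body);
    }
}

static class Program
{
    // Runs concurrent submissions and counts confirmation emails whose
    // body does not belong to their recipient.
    static int CountLeaks(Func<ConfirmationEmailWorkflow> resolve, int submissions)
    {
        var sent = new ConcurrentBag<(string To, string Body)>();
        var threads = Enumerable.Range(0, submissions).Select(i => new Thread(() =>
        {
            var email = $"user{i}@example.test"; // constructed sample data
            sent.Add(resolve().Execute(email, $"data entered by {email}"));
        })).ToList();
        threads.ForEach(t => t.Start());
        threads.ForEach(t => t.Join());
        return sent.Count(m => m.Body != $"data entered by {m.To}");
    }

    static void Main()
    {
        var shared = new ConfirmationEmailWorkflow();
        // Singleton lifetime: every submission resolves the same instance.
        Console.WriteLine($"singleton leaks:    {CountLeaks(() => shared, 8)}");
        // Unique instantiation: a new instance per submission.
        Console.WriteLine($"per-instance leaks: {CountLeaks(() => new ConfirmationEmailWorkflow(), 8)}");
    }
}
```

The per-instance count is always zero. The singleton count depends on thread timing, which matches the advisory's observation that the problem only shows up under simultaneous submissions on a busy server.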
Automatic fix on Umbraco Cloud
All projects on Umbraco Cloud running Umbraco Forms version 8 will be automatically patched today (March 23rd, 2020 between 7 AM - 9 PM UTC).
The patch release for Cloud sites includes only the fix for this specific issue and no other fixes or features.
Updating manually outside of Umbraco Cloud
There are several ways to update your sites outside of Cloud depending on what is appropriate for your setup. You can update manually, through NuGet or by updating to the latest minor version of Umbraco Forms.
This means:
- If you’re using Umbraco Forms 8.0.0, upgrade to Forms version 8.0.1
- If you’re using Umbraco Forms 8.1.0-8.1.3, upgrade to Forms version 8.1.4
- If you’re using Umbraco Forms 8.2.0, upgrade to Forms version 8.2.1
- If you’re using Umbraco Forms 8.3.0-8.3.1, upgrade to Forms version 8.3.2
These new Umbraco Forms versions can be downloaded from the Forms package page on Our Umbraco.
Manual update
The Forms page on Our Umbraco lists the available patch releases. You can use the UmbracoForms.Files.x.y.z.zip files to get all the files that need updating and copy them into your site.
Update with NuGet
For NuGet installs, you can run the same upgrades as mentioned above:
- If you’re using Umbraco Forms 8.0.0, upgrade to Forms version 8.0.1
- If you’re using Umbraco Forms 8.1.0-8.1.3, upgrade to Forms version 8.1.4
- If you’re using Umbraco Forms 8.2.0, upgrade to Forms version 8.2.1
- If you’re using Umbraco Forms 8.3.0-8.3.1, upgrade to Forms version 8.3.2
Questions?
If you have any questions regarding this patch, please feel free to contact us at contact@umbraco.com.
Credit
Thanks to Frans de Jong for investigating and reporting this issue to us.