04 Jul, 2023
Broken PowerShell Methods After Sitecore Security Bulletin SC2023-003-587441 Due to Versioning Differences
The most recent security patch from Sitecore addressed some critical issues. It assumes, however, that you're using PowerShell 6, and some functionality will break if you have a lower version installed.
So What Changed?
Among many other changes, the security hotfix now blocks the execution of unknown methods through reflection. PowerShell is still OK though, because the new file, Sitecore.Reflection.Filtering.config, has a list of allowed methods, with 22 just for this module. Everything's great!
What's the Problem Then, and How Do I Fix It?
If you open the config file, you'll see entries like:
<descriptor type="Spe.Client.Applications.PowerShellRunner" methodName="OkClick" assemblyName="Spe" hint="OK"/>
The namespace above begins with Spe and the assembly's name is also Spe. To have this work with PowerShell 5, all entries need to be changed to start with Cognifide.PowerShell, and the same goes for the assembly:
<descriptor type="Cognifide.PowerShell.Client.Applications.PowerShellRunner" methodName="OkClick" assemblyName="Cognifide.PowerShell" hint="OK"/>
There are other ways to accomplish this, but this seems to be the most direct and prescriptive way.
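One way to apply that rename to every entry instead of editing each by hand, shown as an added example that is not code from this post or from Sitecore. The function name Convert-SpeDescriptor, the `<sample>` wrapper and the two extra descriptors are assumptions; the script works on an in-memory copy and reports any entry it could not safely rewrite.

```powershell
# Added example, not Sitecore's or the post's code. Convert-SpeDescriptor and
# the sample input are assumptions made for illustration.
function Convert-SpeDescriptor {
    param([Parameter(Mandatory)][xml]$Config)

    # Snapshot the node list first so editing attributes cannot disturb iteration.
    $nodes = @($Config.SelectNodes('//descriptor'))
    $rewritten = 0
    foreach ($d in $nodes) {
        $type = $d.GetAttribute('type')
        $asm  = $d.GetAttribute('assemblyName')
        # Rewrite only when BOTH attributes carry the Spe name, and anchor on the
        # leading namespace segment so "Foo.Spe.Bar" is never touched.
        if ($asm -ceq 'Spe' -and $type -cmatch '^Spe\.') {
            $d.SetAttribute('type', ($type -creplace '^Spe\.', 'Cognifide.PowerShell.'))
            $d.SetAttribute('assemblyName', 'Cognifide.PowerShell')
            $rewritten++
        }
    }
    # Half-matching entries (only one attribute says Spe) are left as they are
    # and reported for manual review.
    $xpath = '//descriptor[@assemblyName="Spe" or starts-with(@type,"Spe.")]'
    $leftover = @($Config.SelectNodes($xpath))

    [pscustomobject]@{
        Total     = $nodes.Count
        Rewritten = $rewritten
        StillSpe  = $leftover.Count
        Document  = $Config
    }
}

# Constructed sample. The first descriptor is the one quoted above; the <sample>
# wrapper and the other two entries are placeholders, not the real file.
$sample = @'
<sample>
  <descriptor type="Spe.Client.Applications.PowerShellRunner" methodName="OkClick" assemblyName="Spe" hint="OK"/>
  <descriptor type="Example.Other.Type" methodName="Run" assemblyName="Example.Other" hint="unrelated"/>
  <descriptor type="Example.Mixed.Type" methodName="Run" assemblyName="Spe" hint="needs review"/>
</sample>
'@

$result = Convert-SpeDescriptor -Config $sample
$result | Select-Object Total, Rewritten, StillSpe | Format-List
$result.Document.SelectNodes('//descriptor') | ForEach-Object { $_.OuterXml }
```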
Don't Forget to Manage Your Sitecore Instance Following Best Methods
I've applied this patch to several environments, and in the process of auditing the pending change I saw some things your Sitecore teams should avoid to ensure smooth operation. This follows best practices but is worth repeating.
- Never modify an out of the box configuration file. Use patch files instead, so changes like this one aren't reverting what you need for your custom implementation.
- Keep out of the box files out of your releases. All too often I see important files like sitecore.config in a solution's release, which would overwrite this important update after the next release.