Hangfire 1.7.3 & 1.6.26 released with security fixes

security
Tags: #<Tag:0x00007f4998619340>

#1

This version contains security fixes to prevent possible XSS attacks as described in #1441. They don’t relate to user data submitted to Hangfire directly via method arguments, but it’s recommended to upgrade anyway. If you are using Hangfire 1.6, please upgrade to version 1.6.26 instead.

Affected Packages
Hangfire.Core ≤ 1.6.25, 1.7.0, 1.7.1, 1.7.2
Affected Platforms
All, including .NET Core, .NET Framework, Mono of any version

Steps to reproduce

public static void Xss()
{
    BackgroundJob.Enqueue(() => Xss2());
}

public static void Xss2()
{
    throw new Exception("<script>alert(1);</script>");
}

Release notes

Hangfire.Core

  • SECURITY – Use HtmlEncode in all remaining places in Dashboard UI to prevent XSS attacks.
  • Added – Added Dutch language, and updated missing translation on “Servers” page (by @r-win).
  • AddedCron.Never method for adding manual recurring jobs that never fire (by @michaltalaga).
  • Fixed – Add missing AddOrUpdate extension methods for the IRecurringJobManager interface.
  • Deprecated – Unused HtmlHelper.FormatProperties method is now obsolete.

Hangfire.SqlServer

  • Fixed – Wrong error message in migration script, when @CurrentSchemaVersion has a NULL value (by @penenkel).