SharePoint 2010, 2013, 2016 and 2019 September 2020 CU

Hopefully you are not in the same boat as some organizations that have applied the SharePoint 2010, 2013, 2016 or 2019 September 2020 Cumulative Update. As has happened in the past (just a few times), we are seeing multiple issues with this update. Calling them issues is not really fair, though, as the changes are actually what was intended to be added.

The main problem is found in SharePoint environments that are integrated with first- and third-party solutions. Some of the security fixes have tightened the security requirements for these integrations. Examples of first-party applications are Microsoft Identity Manager (MIM) portal pages and Dynamics AX, along with other components.

The changes affect items such as Safe Control entries, Custom User Controls, Page Parser Paths and any Declarative Statements in Master Pages and Pages (something I always advise against anyway).

Stefan Goßner from Microsoft outlined these changes:

  • Code Behind Classes and Web Parts need to be explicitly registered as safe in the web.config using <SafeControl…> entries
  • Custom User Controls (ascx) need to be explicitly registered as safe in the web.config using <SafeControl…> entries
  • Custom Server Controls need to be explicitly registered as safe in the web.config using <SafeControl…> entries
  • Inline Code Blocks in Pages are blocked. Pages which require that have to be whitelisted explicitly using <PageParserPath…> entries in the web.config
  • Declarative Statements in Pages and Master Pages which invoke server side code (e.g. autoeventwireup, enablesessionstate, serverside event receivers for page actions) are blocked. Pages are now required to be whitelisted using <PageParserPath…> entries in the web.config

He also outlined some of the side-effects of these updates:

  • The attribute ‘autoeventwireup’ is not allowed in pages
  • The attribute ‘enablesessionstate’ is not allowed in pages
  • Code blocks are not allowed in files
  • Event handlers are not allowed in pages
  • Errors such as:
    • UnsafeControlException: A Web Part or Web Form Control on this Page cannot be displayed or imported. The type could not be found or it is not registered as safe.
    • The referenced file ‘/_layouts/directory/usercontrol.ascx’ is not allowed on this page.
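
An added example, not from the original post or from Microsoft: a Python audit over exported page markup that flags the constructs listed above and any `Register` directive whose assembly and namespace have no matching `<SafeControl>` entry in a web.config. The regexes are heuristics rather than SharePoint's own parser, `TypeName` is not compared, and the Contoso names, page and web.config fragment are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic patterns (assumptions, not SharePoint's own parser) for the
# constructs the post lists as blocked without a PageParserPath entry.
CHECKS = {
    "inline-code-block": re.compile(r"<%(?![@$#-])"),  # skips directives, comments, $/# expressions
    "autoeventwireup": re.compile(r"<%@[^%]*\bautoeventwireup\s*=", re.I),
    "enablesessionstate": re.compile(r"<%@[^%]*\benablesessionstate\s*=", re.I),
    # On*= attribute on a runat="server" tag; OnClient* is client-side script.
    "server-event-handler": re.compile(
        r"<[\w:]+\b(?=[^<>]*\brunat\s*=\s*[\"']server[\"'])[^<>]*?\sOn(?!Client)\w+\s*=", re.I),
}
REGISTER = re.compile(r"<%@\s*Register\b([^%]*)%>", re.I)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def safe_controls(web_config_xml):
    """Return lower-cased (assembly, namespace) pairs with Safe="True"."""
    root = ET.fromstring(web_config_xml)
    return {(e.get("Assembly", "").lower(), e.get("Namespace", "").lower())
            for e in root.iter("SafeControl") if e.get("Safe", "").lower() == "true"}


def audit_page(markup, web_config_xml):
    """List reasons a page needs remediation or a web.config entry."""
    findings = [name for name, rx in CHECKS.items() if rx.search(markup)]
    allowed = safe_controls(web_config_xml)
    for m in REGISTER.finditer(markup):
        attrs = {k.lower(): v.lower() for k, v in ATTR.findall(m.group(1))}
        key = (attrs.get("assembly", ""), attrs.get("namespace", ""))
        if key[0] and key not in allowed:
            findings.append("unregistered-control:" + key[1])
    return findings


# Constructed sample input: hypothetical assembly, namespace and page.
WEB_CONFIG = """<configuration><SharePoint><SafeControls>
  <SafeControl Assembly="Contoso.Known, Version=1.0.0.0" Namespace="Contoso.Known" TypeName="*" Safe="True" />
</SafeControls></SharePoint></configuration>"""
PAGE = """<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Register TagPrefix="c" Namespace="Contoso.Known" Assembly="Contoso.Known, Version=1.0.0.0" %>
<%@ Register TagPrefix="x" Namespace="Contoso.Legacy" Assembly="Contoso.Legacy, Version=1.0.0.0" %>
<asp:Button runat="server" ID="save" OnClick="Save_Click" OnClientClick="return ok();" />
<p><%= DateTime.Now %></p>"""

if __name__ == "__main__":
    for finding in audit_page(PAGE, WEB_CONFIG):
        print(finding)
```

Run it against copies of customized pages and the web application's web.config before patching; each finding is a page to rewrite or an entry to review, and event-handler hits need a manual look because the pattern is broad.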

To read more about this, check out Stefan’s post here:

As always, be careful about which updates you apply to your on-premises SharePoint environment. They can have major adverse effects and require countless hours to fix and get back to a working state.

Liam Cleary

Liam began his career as a Trainer of all things computer-related. He quickly realized that programming, breaking, and hacking were a lot more fun. He spent the next few years working within core infrastructure and security services until he found SharePoint. He is the founder and owner of SharePlicity, a consulting company that focuses on all areas of Technology. His role within SharePlicity is to help organizations implement technology that will enhance internal and external collaboration, document and records management, automate business processes, and of course security controls and protection. He is also a Microsoft MVP focusing on Architecture but also crosses the boundary into Development. He is also a Microsoft Certified Trainer (MCT). His specialty over the past few years has been security in SharePoint and its surrounding platforms. He can often be found at user groups or conferences speaking, offering advice, spending time in the community, teaching his kids how to code, Raspberry Pi programming, hacking the planet or building Lego robots.
