Friday, February 08, 2008
Yesterday, we found ourselves on the receiving end of an attack against one of our German wikis that run the ScrewTurn Wiki software. It turned out to be a security issue that was still present in the then latest version, 2.0.23. Dario Solera, the maintainer of ScrewTurn, acted really fast when I informed him about the root cause of the attack and released v2.0.24 last night.
Please download and upgrade immediately! The issue is being actively exploited (a zero-day, if you will).

Thursday, December 13, 2007

Friday, November 30, 2007
I have posted an updated version
Given my plans to upgrade my server to IIS7 sooner rather than later, I am currently switching all applications to ASP.NET 2.0 in preparation for this move. But there was nGallery, which I used all over the place whenever I needed a photo gallery...
Today I decided it was about time to do something about it, and gave converting nGallery to .NET 2.0 a try (actually all the projects target .NET Framework 3.5). It took me roughly two hours for the whole endeavour. To save everybody else the time, here is my VS2008 solution tree:
nGalleryTNG.zip (2.92 MB)
What is changed compared to the original nGallery 1.6.1 for ASP.NET 1.1? Here is a somewhat complete laundry list:
- Converted it to a Web Application project
- Placed all third party source code in the ThirdParty folder. That way I can always change and recompile if necessary.
- Took all static images from the \photos directories and put them into \images. No more mixing the photo handler & photo cache with the Web site's images.
- The album handler is now being abused in Application_BeginRequest, plus it now uses RewritePath. Fixes the darn Server.Transfer errors.
- Moved the configuration of nGallery from the data folder to App_Data. Other than that: no configuration changes.
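The RewritePath change from the list above, as an added example that is not nGallery's own code: the rewrite happens in Application_BeginRequest, before ASP.NET has selected a handler, so no child request is started and the Server.Transfer errors cannot occur. The URL scheme (~/album/<name>/) and the target page (~/AlbumHandler.aspx) are assumptions for the example; the album name is validated so that only a plain name, never a path fragment, reaches the handler.

```csharp
using System;
using System.Web;

// Added example, not nGallery's code. Rewrites ~/album/<name>/ to a fixed
// handler page in Application_BeginRequest using RewritePath.
public class Global : HttpApplication
{
    const string AlbumPrefix = "~/album/";   // assumed URL scheme

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        string path = Request.AppRelativeCurrentExecutionFilePath;
        if (!path.StartsWith(AlbumPrefix, StringComparison.OrdinalIgnoreCase))
            return;

        string album = ExtractAlbumName(path);
        if (album == null)
        {
            // anything that is not a plain album name is answered with a 404
            // right here instead of being handed to the handler page
            Response.StatusCode = 404;
            CompleteRequest();
            return;
        }

        // three-argument overload: file path, path info, query string;
        // the album name travels as a query value, never as a file path
        Context.RewritePath("~/AlbumHandler.aspx", string.Empty,
                            "album=" + HttpUtility.UrlEncode(album));
    }

    // Accepts "~/album/<name>/" or "~/album/<name>" where <name> consists of
    // letters, digits, '-' and '_' only. Returns null for everything else, so
    // "..", slashes and the like never become an album name.
    public static string ExtractAlbumName(string appRelativePath)
    {
        if (appRelativePath == null ||
            !appRelativePath.StartsWith(AlbumPrefix, StringComparison.OrdinalIgnoreCase))
            return null;

        string name = appRelativePath.Substring(AlbumPrefix.Length).TrimEnd('/');
        if (name.Length == 0 || name.Length > 64)
            return null;

        foreach (char c in name)
        {
            if (!(char.IsLetterOrDigit(c) || c == '-' || c == '_'))
                return null;
        }
        return name;
    }
}
```

Because the rewrite runs before authorization and handler mapping, the rewritten target (~/AlbumHandler.aspx) is what gets authorized, which is another reason to keep the rewrite table small and the album name strictly validated.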
I did not switch to ASP.NET 2.0 master pages; it still uses the old user control approach. After all, I only needed it to work on 2.0+.
Note: I only tested the XML-based storage because that's how I use nGallery. The SQL-storage has received no testing whatsoever!
Download Web site files only: nGalleryTNG_WebSite.zip (924.39 KB)
I posted a version of the Really Simple Guestbook - With XLinq for Orcas Beta 2 earlier on this blog. Today, I updated this small application for VS2008 RTM. The following changes are incorporated:
- It is now a Web project, no longer file system based
- It includes AIP for form spam protection (aka captcha)
I decided not to include the Microsoft Anti-Cross Site Scripting Library V1.5; whether additional encoding is required is left to the reader (note: you'd have to add it to the logic in AddEntry.aspx that inserts new guestbook entries).
Download: XlinqGuestbook.zip (165.53 KB), License: BSD

Friday, November 02, 2007
XSSDetect is a static code analysis tool that helps identify Cross-Site Scripting security flaws found within Web applications. It is able to scan compiled managed assemblies (C#, Visual Basic .NET, J#) and analyze dataflow paths from sources of user-controlled input to vulnerable outputs. It also detects whether proper encoding or filtering has been applied to the data and will ignore such "sanitized" paths. Download

Tuesday, October 30, 2007

Monday, October 15, 2007
I have been on holiday, at conferences (e.g. Ask The Experts at XTOPIA in Berlin last week), and busy with various projects: a couple of reasons why it has been rather quiet on this blog lately.
Yesterday I decided I needed a simple guestbook application for a to-be-developed private Web site, and because I didn't find anything that fit my needs I decided to write one myself with the goal of (ab)using XLinq in the course of this endeavour:
Guestbook_XLINQ.zip (7.09 KB)
Caveat emptor: I am no designer (surprise!). But thanks to the lack of design it should be easy for you to add your own. However, as this month's MSDN magazine is all about security, I decided to make the application production-ready security-wise. You'll find a lot of input parsing plus XSRF protection (note: this version does not check for integer overflow when calculating the start row).
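The start-row overflow mentioned in the note, and output encoding of stored entries, as an added example that is not the guestbook's code. The page size, the "page" query string value and the entry markup are assumptions; the point is that an attacker-chosen page number must not be able to wrap (page - 1) * PageSize into a negative row, and that whatever was stored is encoded when it is rendered.

```csharp
using System;
using System.Globalization;
using System.Web;

// Added example, not the guestbook's code: overflow-safe paging arithmetic
// and HTML-encoded rendering of guestbook entries.
public static class GuestbookPaging
{
    public const int PageSize = 10;   // assumed page size

    // Zero-based start row for the 1-based page number in "pageText", or -1
    // when the value is missing, not a plain unsigned integer, below 1, or
    // past the end of the guestbook. NumberStyles.None rejects signs and
    // whitespace, and the checked block makes an overflow of
    // (page - 1) * PageSize throw instead of silently wrapping to a
    // negative row that would later be used as a skip count.
    public static int StartRow(string pageText, int totalEntries)
    {
        int page;
        if (!int.TryParse(pageText, NumberStyles.None, CultureInfo.InvariantCulture, out page))
            return -1;
        if (page < 1)
            return -1;

        try
        {
            int start = checked((page - 1) * PageSize);
            // page 1 is always valid, even for an empty guestbook
            return (start == 0 || start < totalEntries) ? start : -1;
        }
        catch (OverflowException)
        {
            return -1;
        }
    }

    // Renders one entry. Name and text are encoded on output, so a stored
    // "<script>" is displayed as text rather than executed. Line breaks are
    // converted after encoding, so the replacement cannot be abused.
    public static string RenderEntry(string name, string text)
    {
        return "<div class=\"entry\"><b>" + HttpUtility.HtmlEncode(name ?? string.Empty)
             + "</b><br />" + HttpUtility.HtmlEncode(text ?? string.Empty).Replace("\n", "<br />")
             + "</div>";
    }
}
```

A page number of 2147483647 parses fine but overflows the multiplication; with the checked block it is rejected like any other bad value instead of producing a negative start row.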
Missing features: this guestbook is not prepared for localization, nor does it use a control-based approach (where you drop those in your pages and get an in-place guestbook).
Update: a version of this application for VS2008 RTM is available here.

Thursday, May 24, 2007
I have been doing some sprucing up of SharpDevelop's Web offerings today, namely the code converter. Up until today, you could only convert syntactically valid classes. Recently, Daniel implemented the SnippetParser class, which is now in use for the snippet converter (C# to VB.NET, VB.NET to C#). Note: the Web service for code conversion supports both class and snippet conversion; a Windows client sample is available for the former.
Also new (just completed a few minutes ago) is the code formatter: it uses the highlighting engine from SharpDevelop's text editor to HTML-ize a bunch of formats: ASP/XHTML, BAT, Boo, Coco, C++.NET, C#, HTML, Java, JavaScript, Patch, PHP, TeX, VBNET, XML. Again, there is a Web service available, as well as a sample using the service. This offering is built upon the HtmlSyntaxColorizer sample that can be found in SharpDevelop revisions > 2522 (currently only on the build server)
I am sure that both the snippet converter as well as the code formatter are welcome additions. Spread the word! After all, it's free.

Thursday, April 26, 2007
Bill Staples put together a post on what's new in IIS7 Beta 3. He also talks about the all-new IIS7 FTP server (which I knew about for a long time - I had hoped Beta 3 would be available for my MSDN Briefing in Vienna last month, but no such luck). Also, he mentions the GoLive! license for IIS7.

Tuesday, February 06, 2007
Nikhil has updated his controls for ASP.NET AJAX 1.0. Download here
Quote from his blog (so you know why you should go and download them):
- UpdateHistory: This is a non-visual control that allows you to add history entries to the browser's navigation stack selectively for some post-backs, and not for some others. This helps fix the back button to make it work, and allows you to implement Ajax patterns such as "logical navigation" and unique URLs.
- StyledUpdatePanel: A simple derived UpdatePanel that adds CSS class semantics. A simple addition, but a useful feature, nevertheless, that didn't make the feature cut.
- AnimatedUpdatePanel: Another derived UpdatePanel that displays new content using a variety of animations or effects: slides, wipes, cross-fades as well as a visual highlight. This allows you to implement the "visual notification" Ajax patterns such as the one second spotlight and one second mutation.

Wednesday, January 03, 2007
I have been re-awarded MVP for Visual Developer ASP/ASP.NET.

Wednesday, November 22, 2006
I admit it: I am a regular reader of the event log. While doing so, I came across an error message last week that I rarely get to see - invalid Viewstate:

Now, that wouldn't usually be a problem. However, in this special case I went WTF? when I looked at the description more closely, especially at the PersistedState information:

    PersistedState: a Content-Transfer-Encoding: 8bit
    Content-Type: text/plain
    X-Mailer: EMUmail 4.5
    Subject: jam n
    bcc: <list of addresses removed by me />
    comes from the loin in the middle of the back of the pig. t is a lean meaty cut of bacon, with relatively less fat compared to other cuts. iddle bacon is much like back bacon daa6c5071189f202ceb370d0e9d38c33

Come again - spam in Viewstate? What would be the point of this? After some research together with Alex I came across this article: Interesting Crack Attempt to Relay Spam (a more detailed article is available too: Form Post Hijacking). How I managed not to notice this attack vector earlier I don't know, but I have to admit that the idea is pretty clever: the bot posts to every form it finds, hoping that one of the fields ends up in a mail header, where an embedded line break lets it append its own headers (the bcc list above) and turn the site's mail script into a spam relay.
Counter-measures in general? Well, either don't allow user input in the headers at all, or vet the form fields for carriage return / line feed characters. Note that I did not verify whether any of the available mail components for .NET are actually susceptible to this kind of attack.
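Both counter-measures from the previous paragraph in one place, as an added example that is not part of the original post: every value that ends up in a mail header is rejected if it contains CR or LF, and the recipient is fixed server-side rather than taken from the form. The field names are assumptions, and the payload in Demo() is constructed after the pattern in the event log entry above, not copied from it.

```csharp
using System;
using System.Net.Mail;

// Added example, not part of the original post: guarding a form-to-mail
// script against header injection.
public static class MailFormGuard
{
    // True if the value contains a carriage return or line feed. ASP.NET has
    // already URL-decoded Request.Form, so %0d%0a arrive here as real control
    // characters and are caught as well.
    public static bool ContainsLineBreak(string value)
    {
        return value != null && (value.IndexOf('\r') >= 0 || value.IndexOf('\n') >= 0);
    }

    // Returns the value for use in a header, or throws. Rejecting instead of
    // stripping keeps the attempt visible in the logs.
    public static string HeaderSafe(string fieldName, string value)
    {
        if (ContainsLineBreak(value))
            throw new ArgumentException("Line break in header field '" + fieldName + "'");
        return value ?? string.Empty;
    }

    // Builds the notification mail from a form post. The subject is the only
    // user-controlled header material; sender and recipient come from
    // server-side configuration, and the free-text message goes into the
    // body, where line breaks are harmless.
    public static MailMessage Build(string senderAddress, string recipientAddress,
                                    string subjectField, string messageField)
    {
        MailMessage msg = new MailMessage(senderAddress, recipientAddress);
        msg.Subject = HeaderSafe("subject", subjectField);
        msg.Body = messageField ?? string.Empty;
        return msg;
    }

    // Constructed payload of the kind seen in the event log: a subject that
    // tries to smuggle in a bcc header and its own body. Returns true when
    // the hostile value is rejected and a plain subject is not.
    public static bool Demo()
    {
        string hostile = "jam n\r\nbcc: someone@example.invalid\r\n\r\nspam text";
        bool rejected;
        try
        {
            Build("form@example.invalid", "owner@example.invalid", hostile, "hello");
            rejected = false;
        }
        catch (ArgumentException)
        {
            rejected = true;
        }
        return rejected && !ContainsLineBreak("jam n");
    }
}
```

Whether a given mail component would also reject or fold such a subject on its own is a separate question; the check above does not rely on it.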

Wednesday, November 08, 2006
From the nuggets page: Don't have the time to read a 10-page how-to article or watch a full length webcast? Try an MSDN Nugget, a webcast that takes you step-by-step to discovering new functionality or exploring a hot developer topic, all in 10-15 minutes. If you haven't seen this yet, check it out!

Wednesday, June 21, 2006
Today, Daniel held a talk comparing AJAX frameworks for ASP.NET. He limited the scope to indirect frameworks, which means: those AJAX frameworks extend ASP.NET, and you don't necessarily need to know much about AJAX. On his Web site, you will find a comparison of AJAX frameworks for ASP.NET (direct as well as indirect).

Tuesday, June 20, 2006
As promised, here is the list of links / articles / samples that I used for preparing my talk "Build Provider in ASP.NET 2.0":
Hope you will find those useful.

Monday, June 19, 2006
Half an hour ago, I completed my talk "Windows Workflow Foundation & ASP.NET 2.0". As promised, here is the list of links to sites / documents that I used to prepare this talk & accompanying samples.
Also, see my last post on ASP.NET PageFlow CTP. This was the last part on "future technologies".
Update: A photo from my talk on Monday (debugging a workflow in ASP.NET):


Tuesday, June 13, 2006
Yesterday night, I watched a WebCast from TechEd Boston - "An Overview of ASP.NET and Windows Workflow Foundation". What this innocuous title hid was the fact that Kashif Alam (PM in the Developer Division) was presenting vNext features for ASP.NET workflow integration: Page flow (PageFlow) as well as UI flow (UIFlow), plus the accompanying extensibility model.
What do those two separate approaches provide? Well, you get MVC (model-view-controller) support for same-page (UIFlow) as well as cross-page (PageFlow) scenarios. The included "Choosing the right solution" slide was a neat way to get an idea of what's in store:
| Task | <asp:wizard...> | PageFlow | UIFlow |
|---|---|---|---|
| Single page | x | | x |
| Multiple pages | | x | |
| State when close browser | | x | x |
| Integrate with Enterprise WF | | x | x |
| Client support | | x | x |
| Built-in navigation UI | x | | |
| Extensibility to other controllers | | x | x |
As developers, we will get our hands on this later this year in the form of the "ASP.NET PageFlow CTP" (at least that's the current name), and it will be deployed with Orcas.

Monday, March 20, 2006

Sunday, February 19, 2006
On my flight to Seattle today (or yesterday, depending on the time zone) I started to read Professional ASP.NET 2.0 Security, Membership, and Role Management by Stefan Schackow. The book definitely is a must-have for every ASP.NET developer, even if you decide to read one chapter only: A Matter of Trust (#3). This one will save you loads of time when you have to deploy an application into a non-full-trust environment. However, the other chapters are worthwhile too, like #2, which details exactly which identity is used when, and by what part of the engine. Bottom line: highly recommended reading.

Wednesday, January 18, 2006
Yesterday, I picked up on an old code piece of mine - sending images to the client via an HttpHandler. Why in the world would you implement that with a handler when there is http.sys kernel mode caching? Well, I had a few unique constraints:
- the images had to live outside the Web root and any of its vroots
- the image names had to be concealed because the naming would give away information, and renaming the images prior to publishing on the Web was out of the question
Now, a common approach to sending images from a certain directory (leaving requirement #2 by the wayside for the moment) would be this: image.aspx?image=iamthebest.jpg
So what is wrong with this approach? First and foremost using an ASP.NET page. The page lifecycle is a drain on performance and throughput, because you simply don't need it. That sorts out why I chose to go with an HTTP handler.
Secondly, somebody could DoS your server. You heard me right. For the background, check the article Trap Alert: Files that aren't. A .NET version (managed C++) of this checker can be found in this download (the article Dateityp-Ermittlung in Managed C++ is only available in German).
How do you get around this issue? Well, how about reading the directory up front, and instead of putting the file name in the URL, sending a hash! When the image is requested, take the hash and look up the corresponding file, presto. In addition you get one security feature for free: the file name never comes from the request, so no directory traversal (and no name that isn't one of your files) can reach the file system through your code.
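The hash-instead-of-filename approach, as an added example that is not the ImageCache code from this post (the post's buckets are simplified to one directory here): the directory is enumerated once, every file gets an opaque key, and the handler only ever opens paths taken from that map. A request can therefore neither traverse out of the directory nor name something that is not a regular file in it, because neither ever appears in the map. One deliberate addition over a plain hash: the key is an HMAC, so that someone who can guess a (supposedly concealed) file name cannot confirm the guess by hashing it. Directory, secret and the "image" query parameter are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Added example, not the post's ImageCache code: serve images by opaque key
// looked up in a map built from the directory listing.
public static class HashedImageMap
{
    static readonly Dictionary<string, string> map =
        new Dictionary<string, string>(StringComparer.Ordinal);

    // Opaque key for a file name; lowercase hex, so it is URL-safe as is.
    // Keyed (HMAC) so that a guessable file name cannot be confirmed by
    // hashing it; the secret is assumed to come from configuration.
    public static string KeyFor(string fileName, byte[] secret)
    {
        using (HMACSHA256 hmac = new HMACSHA256(secret))
        {
            byte[] digest = hmac.ComputeHash(Encoding.UTF8.GetBytes(fileName));
            StringBuilder sb = new StringBuilder(digest.Length * 2);
            foreach (byte b in digest)
                sb.Append(b.ToString("x2"));
            return sb.ToString();
        }
    }

    // Reads the directory once and fills the map; returns the number of files
    // mapped. Meant for Application_Start. The directory can live anywhere
    // the worker process may read, outside the Web root included.
    public static int CreateMapping(string directory, byte[] secret)
    {
        lock (map)
        {
            map.Clear();
            foreach (string path in Directory.GetFiles(directory, "*.jpg"))
                map[KeyFor(Path.GetFileName(path), secret)] = Path.GetFullPath(path);
            return map.Count;
        }
    }

    // Full path for a key, or null if the key is unknown. The request only
    // ever supplies a key, never a path, so there is nothing to sanitize.
    public static string Resolve(string key)
    {
        if (key == null)
            return null;
        string path;
        lock (map)
        {
            return map.TryGetValue(key, out path) ? path : null;
        }
    }
}

// The handler behind Image.ashx (<%@ WebHandler Class="HashedImageHandler" %>).
public class HashedImageHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        string path = HashedImageMap.Resolve(context.Request.QueryString["image"]);
        if (path == null)
        {
            // unknown or missing key: nothing is opened, nothing is leaked
            context.Response.StatusCode = 404;
            return;
        }
        context.Response.ContentType = "image/jpeg";
        context.Response.Cache.SetCacheability(HttpCacheability.Public);
        context.Response.Cache.SetExpires(DateTime.UtcNow.AddDays(1));
        context.Response.TransmitFile(path);
    }
}
```

The map is rebuilt only when CreateMapping runs, so a file added to the directory later is simply not served until the next rebuild; that is the price of never touching the file system with request-derived names.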
When I uncovered the code yesterday, I decided to rewrite it for more general use. So what do you get?
- The ImageCacheControls project: it contains the ImageCache class, which does most of the heavy lifting. In addition, you get an ImageCacheControl server control, as well as the implementation of the HTTP handler. (Don't forget to check out the Readme.txt for the latest on feature set and known issues)
- The Web project: a rather simple Web site with demo files in it. The file I want to direct your attention to is Image.ashx. This is the one file - aside from the control project binaries - that needs to be copied to your projects to get started with ImageCache. Note that I made it easy to work with C# (default) or VB.NET.
Usage of ImageCache is demonstrated in default.aspx.cs plus the source code of default.aspx (design time of the control does not work, known issue).
The code behind looks like this (CreateMapping loads the directory contents, initializes the hash to file name map, stores it into the cache):
```csharp
using System;
using ChrisOnNET.ImageCache;

public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // normally, this would be done in global.asax
        ImageCache.CreateMapping("demo", Server.MapPath("~/TestImages/"));

        // the DIY approach to rendering the image tag
        string testHash = ImageCache.GetHashForFile("026.jpg", "demo");
        Response.Write("<img src=\"Image.ashx?bucket=" + "demo" + "&image=" + Server.UrlEncode(testHash) + "\" />");
    }
}
```