|| Thursday, November 10, 2005
I just finished a Web-based C# to VB.NET converter for .NET 2.0. It took me about half an hour and 20 lines of code. How come? Well, Daniel (#develop 2.0 PM) did a video on NRefactory, which is at the heart of #develop's parsing infrastructure. I took some of his demo code plus some of #develop's internal code converter, and put it into an ASP.NET 2.0 page. Presto, it's that easy if you can stand on the shoulders of giants.
Oh, and I actually put it online, here is the link: C# to VB.NET converter (you can find the source code for a simpler VB.NET implementation of the converter here).
|| Tuesday, November 8, 2005
Now, I did not set out to crash it intentionally, but at least it is fully reproducible. What did I do? Well, I wanted to build a site based on the code I wrote in the blog entry Writing a Subversion-backed VirtualPathProvider for ASP.NET 2.0. So I created a new directory for the site, and simply put the code from the download into a subdirectory (which already exists in the zip file):
Of course I went ahead and opened MyNewWebSite in Visual Studio 2005:
Nothing unexpected so far, I can expand all directories just fine in Solution Explorer:
However, as soon as I hover over SubversionVirtualPathProvider.cs, Solution Explorer goes grey. Totally grey. As in no icons, no tree, no nothing. So I File / Exit Visual Studio 2005 (saying No to saving the solution), and kabooom, here is my friend the error reporting tool:
Oh, and btw, an empty App_Code directory won't do the trick.
|| Thursday, October 20, 2005
To put this into the right perspective - I am a very peculiar user of word processing applications. I spend most of my time writing or reviewing documents. That is, the feature areas I care about most are revision tracking and commenting.
To illustrate my point, I took the following screenshot of Word:
This is a rather orderly document, with one comment tacked to a section of a sentence, plus I added "stuff" (a pointless edit). During the lifetime of this document, more comments will be added, as well as edits by multiple people.
So what do I do once all comments are in? Yep, accept or reject the changes. If I am fine with the changes, I mark that block containing all the changes, and go to the toolbar to accept the changes:
That's how it works in Microsoft Word. Now let's take a look at OpenOffice.org Writer:
I couldn't care less about the missing toolbar to access the reviewing functionality directly, however, I do care deeply about the internal workings:
- Comments: Added via Insert / Note. But don't make the mistake of expecting to be able to select a portion of your text to associate it with - once the note is inserted, the marked text is deleted!
- Changes: Making changes to the document works as expected. But look at the above screenshot again: yes, accepting and rejecting changes is done in a separate dialog box! See for yourself:
That might be practical for a small document, but definitely not for one that was reviewed by 5+ people and contains 100+ changes (which, funnily enough, does happen a lot for specification documents or book chapters...).
Without a proper editing workflow, OOo is not going to play a major part in my everyday work process any time soon.
|| Sunday, October 16, 2005
The ASP.NET 2.0 Deployment Guide is a reference for web hosters who are interested in adding ASP.NET 2.0 to their existing Windows hosting service. Besides improving developer productivity, ASP.NET 2.0 also provides benefits for hosted environments, including support for shutting down inactive applications and locking down rogue applications. Enhanced health monitoring configuration can be used to set thresholds and severity levels for monitoring the health of ASP.NET.
|| Saturday, October 15, 2005
|| Friday, October 14, 2005
Remember my call to action in Web applications and SMTP proxies don't mix well (it seems)? I mentioned that I am guilty as well - not only for Web applications as it turned out, but also for other server-based software, such as the Subversion post-commit hook I wrote.
You can already guess the contents of the change log (the last public version was 1.7):
- SMTP authentication & SMTP server port options added
If you are running the hook today, all you need to do is copy the new post-commit.exe over your existing one (assuming you use 1.7), and add the following four lines to your post-commit.exe.config's <appSettings> section:
<add key="SMTPAuthentication" value="" />
<add key="SMTPServerPort" value="25" />
<add key="SMTPUsername" value="username" />
<add key="SMTPPassword" value="password" />
Those values default post-commit.exe to the 1.7 behavior. To use authentication, set SMTPAuthentication to BASIC, and provide username and password. Most of the time, you will not need to play with the server port.
Finally, here is the usual binary & source code archive:
SvnPostCommitHook220.127.116.11014.zip (424.24 KB)
My dedicated server box not only serves Web applications (such as this blog), it also handles mail for the respective domains. This means I have to deal with spam. Which on one hand is nice because I can do whatever I please: drop mail based on whatever criteria I set up, and use whatever filtering software I need.
This is how the NoSpamToday! SMTP Proxy found its way on my box. I simply got tired of maintaining my (rather old) standalone SpamAssassin installation, and dealing with MailEnable's integrated but not chained RBL / SPF / virus scanning (by not chained I mean that those filters are evaluated separately, not like SA, where all filters[rules] are weighted and evaluated as a whole).
Because I only have one box, I had to resort to relocating MailEnable to port 45, so that NoSpamToday! could listen on 25 and forward to MailEnable if appropriate (*). I did configure SMTPS previously (port 465 redirected to localhost:45 via stunnel), so standard users could deliver their mail directly to MailEnable instead of having their outgoing mail scanned by the proxy.
But what about my Web applications? Initially, those were sending to localhost directly, and as such I had a relaying exception set up in MailEnable. This one had to go, obviously. So how can applications deliver mail to the mail server via the proxy? SMTP authentication is necessary for this to happen.
But this doesn't solve the whole issue; it opens a can of worms, performance-wise. The problem is, every single application (Community Server, dasBlog, Gemini, ...) assumes that your SMTP server listens on port 25. Wrong. That's the proxy. And that's a problem: all local outgoing email from those applications is scanned by antivirus and antispam filters. And that's completely wasting CPU resources, as well as adding to the number of addresses accepted by the backend mailserver, driving up the licenses that would be needed for NoSpamToday! (**).
Call to action: Implement not only SMTP authentication in your applications, but also make the SMTP server port configurable. I'm guilty as well.
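One way an application can honor this call to action, shown as an added example that is not the post-commit hook's actual source: it reads the four appSettings keys from the post-commit.exe.config snippet above and refuses to send when the values are inconsistent, instead of silently falling back to unauthenticated mail on port 25. The SMTPServer key, the class name and the mail addresses are assumptions made for the example.

```csharp
// Added example, not the hook's own code. SMTPAuthentication, SMTPServerPort,
// SMTPUsername and SMTPPassword are the keys from the config snippet above;
// "SMTPServer" and the addresses are assumed names.
// Requires a reference to System.Configuration.dll.
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Net;
using System.Net.Mail;

static class ConfigurableMailer
{
    public static SmtpClient CreateClient(NameValueCollection settings)
    {
        string host = settings["SMTPServer"] ?? "localhost"; // assumed key name

        // A missing or empty port keeps the old default of 25.
        int port = 25;
        string rawPort = settings["SMTPServerPort"];
        if (!string.IsNullOrEmpty(rawPort) &&
            (!int.TryParse(rawPort, out port) || port < 1 || port > 65535))
            throw new ConfigurationErrorsException("SMTPServerPort must be 1-65535, got: " + rawPort);

        SmtpClient client = new SmtpClient(host, port);

        string auth = settings["SMTPAuthentication"] ?? "";
        if (string.Equals(auth, "BASIC", StringComparison.OrdinalIgnoreCase))
        {
            string user = settings["SMTPUsername"];
            string pass = settings["SMTPPassword"];
            // Fail closed: never send unauthenticated when BASIC was requested.
            if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(pass))
                throw new ConfigurationErrorsException("BASIC needs SMTPUsername and SMTPPassword.");
            client.Credentials = new NetworkCredential(user, pass);
        }
        else if (auth.Length != 0)
        {
            // A typo such as "BASIK" must not quietly disable authentication.
            throw new ConfigurationErrorsException("Unsupported SMTPAuthentication value: " + auth);
        }
        return client; // empty SMTPAuthentication: no credentials are sent
    }

    static void Main()
    {
        SmtpClient client = CreateClient(ConfigurationManager.AppSettings);
        client.Send("hook@example.org", "dev@example.org",
                    "Commit notification", "Constructed test message.");
    }
}
```

The username and password sit in plain text in the .config file, so restrict that file's ACL to the account the application runs as. When the mail server is not reached over loopback, also set client.EnableSsl = true so the credentials do not cross the network in the clear.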
This whitepaper introduces the guiding principles and thoughts behind the .NET Framework, the core features of the Common Language Runtime and its supporting Framework Base Class Libraries and how it is evolving in the next major version.
|| Wednesday, October 5, 2005
David Litchfield published the paper Data-mining with SQL Injection and Inference (more NISR papers). From the abstract: When drilling for data via SQL injection there are three classes of attack – inband, out-of-band and the relatively unknown inference attack. Inband attacks extract data over the same channel between the client and the web server, for example, results are embedded in a web page via a union select. Out-of-band attacks employ a different communications channel to drill for data by using database mail or HTTP functions for example. Inference attacks stand alone in the fact that no actual data is transferred – rather, a difference in the way an application behaves can allow an attacker to infer the value of the data.
You only have to wait till the others do all the typing: Paul and Plip are writing about the Web Deployment Projects feature that we were shown today at the AspInsiders summit. Cool stuff that should be in the hands of everybody by the time VS05 launches.
© Copyright 2020 Christoph Wille