
#  Sunday, 19 February 2006

On my flight to Seattle today (or yesterday, depending on the time zone) I started to read Professional ASP.NET 2.0 Security, Membership, and Role Management by Stefan Schackow. The book definitely is a must-have for every ASP.NET developer, even if you decide to read one chapter only: A Matter of Trust (#3). This one will save you loads of time when you have to deploy an application into non-full trust environments. However, the other chapters are worthwhile too, like #2 which details exactly which identity is used when by what part of the engine. Bottom line: highly recommended reading.

Categories: .NET | 2 Ohhhh | ASP.NET | Books | Security
Sunday, 19 February 2006 09:21:00 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Monday, 06 February 2006

Will be there Wednesday & Thursday as ATE (Ask the Experts), so drop by in the experts zone and say hello!

Monday, 06 February 2006 14:56:39 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Thursday, 02 February 2006

Because I wanted to create a DVD cover, I decided to install CorelDraw 10 (fine for what I need) onto my box. However, it very much refused to cooperate:

It told me that it expects NT4 through 2000 as an operating system, however, that it cannot detect my current OS (the blank third column). And that's the story. No CorelDraw for me on the x64 box. Grrrrr.

Update: No dice on 32-Bit Vista (December CTP) either. Setup completely craps there. Well, so the final option is to install CorelDraw 10 in a 32-Bit virtual machine on my x64 box...

Categories: this | x64
Thursday, 02 February 2006 12:42:21 (W. Europe Standard Time, UTC+01:00)  #    Comments [2]

 



#  Wednesday, 01 February 2006

Guess why I requested to change the password - because PayPal wouldn't let me login with my perfectly valid - and correctly typed - password. And now, when I finally gave in and am in the process of changing the password, it finally remembers that the very same password is currently active. Selective amnesia I suppose.

Categories: this
Wednesday, 01 February 2006 18:08:35 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 

THE security scanner has been made available in version 4.0. Nmap is a tool you should not miss out on when you are in need of scanning networks and hosts.

Categories: Cool Download | Security
Wednesday, 01 February 2006 08:48:16 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Thursday, 26 January 2006

All I wanted to do was post this screenshot to a DasBlog-powered blog:

So as usual, I went to Add Image / Browse... and ended up in my user account folder with no usable subfolders thanks to the new restrictions. I fiddled for almost 15 minutes until I gave up - and copied the image to my XP box!

Note to self: next time, install Firefox right away.

Categories: this
Thursday, 26 January 2006 14:14:59 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 

Today, I got this message when I tried to access Microsoft Update on my Windows Server 2003 box. It told me that it either didn't find the control, or that it wasn't installed - and that I should look out for that yellowish bar advertising an ActiveX install attempt. Well...

After some hair pulling, Stephan pointed me to the article ActiveX controls may not load as expected in Internet Explorer due to defense in depth changes introduced in cumulative security update 896688. The downloadable olereg.vbs did the trick - WU is now back in business.

Categories: Administration
Thursday, 26 January 2006 11:35:16 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 

The culprit: http://transfers.one.microsoft.com/ftm/

The error message:

---------------------------
Program Cannot Start or Run
---------------------------
The program or feature "\??\C:\DOCUME~1\CHRIST~1\LOCALS~1\TEMP\~EXB0000\setup.exe"
cannot start or run due to incompatibility with 64-bit versions of Windows. Please
contact the software vendor to ask if a 64-bit Windows compatible version
is available.

It's "only" the FTM that I need for Connect and MSDN Premium downloads! Dear Microsoft, how about a working version for us Windows x64 guinea pigs?

Note: I am complaining about the standalone install, not the ActiveX. But who's using IE these days?

Categories: this | x64
Thursday, 26 January 2006 10:51:06 (W. Europe Standard Time, UTC+01:00)  #    Comments [1]

 



#  Monday, 23 January 2006

When I installed the QuickTime security fix (v7.0.4 for the record) on my laptop, I finally found out who caused this event log entry on my x64 box:

I didn't pay attention to the files copied when installing on my x64 box, but this incompatible GEARAspi driver is being installed by iTunes (which I still don't get why it is installed when I need QuickTime, but isn't this the kind of "packaging" that got Microsoft into hot water?).

Categories: x64
Monday, 23 January 2006 08:01:52 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



#  Wednesday, 18 January 2006

Yesterday, I picked up on an old code piece of mine - sending images to the client via an HttpHandler. Why in the world would you implement that with a handler when there is http.sys kernel mode caching? Well, I had a few unique constraints:

  • the images had to live outside the Web root and any of its vroots
  • the image names had to be concealed because the naming would give away information, and renaming the images prior to publishing on the Web was out of the question

Now, a common approach to sending images from a certain directory (leaving requirement #2 by the wayside for the moment) would be this:

image.aspx?image=iamthebest.jpg

So what is wrong with this approach? First and foremost using an ASP.NET page. The page lifecycle is a drain on performance and throughput, because you simply don't need it. That sorts out why I chose to go with an HTTP handler.

Secondly, somebody could DOS your server. You heard me right. For the background, check the article Trap Alert: Files that aren't. A .NET version (managed C++) of this checker can be found in this download (the article Dateityp-Ermittlung in Managed C++ is only available in German).

How do you get around this issue? Well, how about reading the directory up front, and instead of having the filename in the URL, send the hash! When the image is requested, take the hash and look up the corresponding file, presto. In addition you get one security feature for free: no directory traversals can be hidden in your code.
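One way to implement the lookup described above, as an added example that is not the ImageCache project's code: HashedImageMap, its members and the choice of a keyed HMAC-SHA256 token are assumptions, since the post does not say which hash ImageCache uses.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added illustration; HashedImageMap and its members are hypothetical names.
public sealed class HashedImageMap
{
    private readonly Dictionary<string, string> _tokenToPath = new Dictionary<string, string>();
    private readonly byte[] _key; // server-side secret: tokens cannot be derived from guessed names

    public HashedImageMap(string directory, byte[] key)
    {
        _key = key;
        // Enumerate once, up front: only files that really exist in this one
        // directory ever get a token. Request input is never turned into a path.
        foreach (string path in Directory.GetFiles(directory))
            _tokenToPath[TokenFor(Path.GetFileName(path))] = path;
    }

    public string TokenFor(string fileName)
    {
        using (var hmac = new HMACSHA256(_key))
            return BitConverter.ToString(hmac.ComputeHash(Encoding.UTF8.GetBytes(fileName))).Replace("-", "");
    }

    // Anything that is not a known token (a raw file name, a traversal string,
    // a reserved device name) misses the dictionary and never reaches the file system.
    public string Resolve(string token)
    {
        string path;
        return token != null && _tokenToPath.TryGetValue(token, out path) ? path : null;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: a temp directory holding one stand-in image.
        string dir = Directory.CreateDirectory(Path.Combine(Path.GetTempPath(), Path.GetRandomFileName())).FullName;
        File.WriteAllBytes(Path.Combine(dir, "026.jpg"), new byte[] { 0xFF, 0xD8 });
        byte[] key = new byte[32];
        RandomNumberGenerator.Create().GetBytes(key);
        var map = new HashedImageMap(dir, key);
        Console.WriteLine(map.Resolve(map.TokenFor("026.jpg")));  // the mapped file's path
        Console.WriteLine(map.Resolve("..\\web.config") == null); // traversal string is just an unknown token
        Console.WriteLine(map.Resolve("CON") == null);            // so is a device name
    }
}
```

A handler built on this would answer a null result from Resolve with a 404 and only ever open paths that came out of the map.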

When I uncovered the code yesterday, I decided to rewrite it for more general use. So what do you get?

  • The ImageCacheControls project: it contains the ImageCache class, which does most of the heavy lifting. In addition, you get an ImageCacheControl server control, as well as the implementation of the HTTP handler. (Don't forget to check out the Readme.txt for the latest on feature set and known issues)
  • The Web project: a rather simple Web site with demo files in it. The file I want to direct your attention to is Image.ashx. This is the one file - aside from the control project binaries - that needs to be copied to your projects to get started with ImageCache. Note that I made it easy to work with C# (default) or VB.NET.

Usage of ImageCache is demonstrated in default.aspx.cs plus the source code of default.aspx (design time of the control does not work, known issue).

The code behind looks like this (CreateMapping loads the directory contents, initializes the hash to file name map, stores it into the cache):

using ChrisOnNET.ImageCache;

public partial class _Default : System.Web.UI.Page
{
   protected void Page_Load(object sender, EventArgs e)
   {
      // normally, this would be done in global.asax
      ImageCache.CreateMapping("demo", Server.MapPath("~/TestImages/"));

      // the DIY approach to rendering the image tag
      string testHash = ImageCache.GetHashForFile("026.jpg", "demo");
      Response.Write("<img src=\"Image.ashx?bucket=" +
         "demo" +
         "&image=" +
         Server.UrlEncode(testHash) +
         "\" />");

      // the elegant approach to rendering the image tag
      Response.Write("<img src=\"" + ImageCache.GenerateUrl("036.jpg", "demo") +
      "\" />");

      // see HTML source for server control approach (Design time not working, known issue)
   }
}

Rendering Image tags in Page_Load isn't nice, but after all it is only intended to show the functionality. Most likely you are going to use the declarative ImageCacheControl anyways:

<%@ Page Language="C#" AutoEventWireup="true"  CodeFile="Default.aspx.cs" Inherits="_Default" %>
<%@ Register Assembly="ImageCacheControls" Namespace="ChrisOnNET.ImageCache" TagPrefix="cc1" %>
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title>Untitled Page</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <br />Using the ImageCacheControl:&nbsp;
        <cc1:ImageCacheControl ID="ImageCacheControl1"
            Bucket="demo"
            FileName="026.jpg"
            runat="server" />
    </div>
    </form>
</body>
</html>

That's basically it. Let me know what you think.

ImageCacheTakeOne.zip (59.55 KB)

Categories: .NET | 2 Ohhhh | ASP.NET | Use the source Luke
Wednesday, 18 January 2006 11:21:05 (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



© Copyright 2017 Christoph Wille
