Page 1 of 4 in the Back to Basics category Next Page

There was an interesting bug recently that was initially blamed on Bing. Basically someone searched for something, clicked the first result and got a YSOD (Yellow Screen of Death).

They were searching Bing.com for this term:

"Eugene Myers's O(ND) Diff algorithm"

When they clicked on a link that looked like a good result, they got a scary YSOD like this:


Server Error in '/' Application.


'/t:tracking/t:referrer[@url='http://www.bing.com/search?q=eugene myers's o(nd) diff algorithm&form=qblh']' has an invalid token.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Xml.XPath.XPathException: '/t:tracking/t:referrer[@url='http://www.bing.com/search?q=eugene myers's o(nd) diff algorithm&form=qblh']' has an invalid token.
Source Error:

Stack Trace:

[XPathException: '/t:tracking/t:referrer[@url='http://www.bing.com/search?q=eugene myers's o(nd) diff algorithm&form=qblh']' has an invalid token.]

   MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +539

...snip...


Eek! That is scary. Because the user clicked a link on Bing and the next thing they got was an error, they figured it was Bing that caused it. Well, indirectly. What went wrong here?

The target site the user was visiting is tracking their visitors, as many sites do and should. When you visit a site from another, HTTP includes a header called "Referer" (yes, it's actually misspelled in the spec, and is misspelled in reality. Welcome to the Web.)

Since they were visiting from here:

http://www.bing.com/search?q=eugene myers's o(nd) diff algorithm&form=qblh

...then that was the referrer. The trouble happened when the program took the HTTP Referer header blindly and built up an XPath query with it, concatenating the header value directly into the query text.

It appears that this website stores its tracking details in an XML file, and the programmer is looking up the referrer so he/she can increment a visit count.

Notice that they've wrapped the string in single quotes, but the original search included an additional quote in the string "Eugene Myers's." The resulting concatenated XPath isn't valid XPath, and the system fails. XPath 1.0 has no escape sequence for a quote inside a quoted literal, so "just escape it" isn't even an option: the fix is to pass the value as an XPath variable (in System.Xml, a custom XsltContext resolves variables for a compiled XPathExpression) or to compare the attribute in code instead of inside the query.

Just in case you care, the same problem happens to this poor site when searching from Google:

http://www.google.com/search?q=Eugene+Myers's+O(ND)+Diff+algorithm

Yields:


Server Error in '/' Application.

'/t:tracking/t:referrer[@url='http://www.google.com/search?q=eugene myers's o(nd) diff algorithm']' has an invalid token.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Xml.XPath.XPathException: '/t:tracking/t:referrer[@url='http://www.google.com/search?q=eugene myers's o(nd) diff algorithm']' has an invalid token.


What's the Back to Basics lesson? Well, there are a few:

  • Trust no user input.
  • Input comes from many locations.
    • There's explicit input like Form POSTs, but also implicit input like HTTP Referers and Cookies. The Referer is set by the client, so what happened here by accident can be done on purpose by anyone with a copy of curl.
  • "Injection" attacks aren't just about SQL Injection.
    • You can inject things into XPath and Regular Expressions just as easily and possibly bring down or hang sites, as well as potentially expose private information.
    • Any time you take a string from input of any kind and concatenate it into any language, you're giving bad people a chance to be bad.
  • Don't show detailed errors to strangers.
    • The YSOD handed the visitor the exact XPath and the stack frame that built it, which is precisely what someone probing for an injection flaw wants to see. In ASP.NET, leave customErrors on (mode="RemoteOnly" at minimum) and log the details server-side.
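Here's the failure and the fix side by side, as an added example in Python rather than the site's actual .NET code (which isn't public). xml.etree stands in for System.Xml, the tracking XML is constructed, and the referrer strings are the decoded values from the error messages above. One caveat on the stand-in: ElementTree's predicate subset has no or operator, so it reproduces the crash but cannot show a tautology-style referrer rewriting the query the way a full XPath 1.0 engine such as System.Xml would.

```python
"""The referrer lookup from the post, reconstructed two ways: the XPath built
by string concatenation (what the site did, and why it fell over) and a
lookup that never lets the header touch query syntax. Added example, not the
site's code: it uses Python's xml.etree in place of System.Xml, and the
tracking XML below is constructed. The referrer strings are the decoded
values shown in the error messages in the post."""
import xml.etree.ElementTree as ET

# Constructed stand-in for the site's tracking file; the real one was not published.
TRACKING_XML = """<tracking>
  <referrer url="http://www.google.com/" visits="3"/>
  <referrer url="http://www.bing.com/search?q=diff+algorithm&amp;form=qblh" visits="1"/>
</tracking>"""

BENIGN_REFERRER = "http://www.google.com/"
# The Bing referrer from the YSOD, with its apostrophe in "Myers's".
APOSTROPHE_REFERRER = ("http://www.bing.com/search?q=eugene myers's o(nd) "
                       "diff algorithm&form=qblh")

def lookup_vulnerable(root, referrer):
    """Mirrors the failing site: the header is pasted into the query text.
    The apostrophe closes the quoted literal early, the rest of the URL is
    parsed as XPath tokens, and the query is rejected (XPathException in
    System.Xml; SyntaxError here). In a full XPath 1.0 engine a deliberate
    referrer such as  x' or '1'='1  would instead be accepted and match
    every node; ElementTree's predicate subset has no 'or', so this demo
    shows the crash rather than the rewrite."""
    xpath = "./referrer[@url='" + referrer + "']"
    return root.findall(xpath)

def lookup_hardened(root, referrer):
    """The query is a constant; the untrusted value is compared as data in
    code, so no character in the header can change the query's shape."""
    return [el for el in root.findall("./referrer") if el.get("url") == referrer]

def record_visit(root, referrer, lookup):
    """Increment (or create) the visit counter for a referrer; return the new count."""
    matches = lookup(root, referrer)
    el = matches[0] if matches else ET.SubElement(root, "referrer", url=referrer, visits="0")
    el.set("visits", str(int(el.get("visits")) + 1))
    return int(el.get("visits"))

def demo():
    """Run both lookups against a fresh copy of the tracking file."""
    root = ET.fromstring(TRACKING_XML)
    results = {"benign_vulnerable": record_visit(root, BENIGN_REFERRER, lookup_vulnerable)}
    try:
        record_visit(root, APOSTROPHE_REFERRER, lookup_vulnerable)
        results["apostrophe_vulnerable"] = "no error"
    except SyntaxError as exc:           # the YSOD, in miniature
        results["apostrophe_vulnerable"] = f"SyntaxError: {exc}"
    results["apostrophe_hardened"] = record_visit(root, APOSTROPHE_REFERRER, lookup_hardened)
    results["apostrophe_hardened_again"] = record_visit(root, APOSTROPHE_REFERRER, lookup_hardened)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The benign referrer works with either lookup, which is exactly why this class of bug ships: nothing fails until a visitor (or an attacker) supplies the one character the concatenation didn't account for. The hardened version doesn't need to know which characters are dangerous, because the header never becomes part of a language.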

Interesting (and obscure) stuff!



It's time to remind people about Fusion. Mostly because I don't see as many people using it as should. I mentioned it as long as six (!) years ago and it's still useful. I used it just this week with .NET 4.

Sometimes when an assembly doesn't load, there's still a sense/feeling that "something in the black box has broken." For some folks, the black box is larger and obscures more than for others. My point is, if you know where to look, there is no box at all.

When it comes to assemblies there are three "times" to know about:

  • Binding before it happens - What do you want?
    • ILDASM or Reflector will tell you what your assembly wants (what it was compiled against)
  • Binding as it happens - Where does it look?
    • Fusion (the Assembly Binding Log Viewer) will show you all assembly binds if you set the HKLM\Software\Microsoft\Fusion\ForceLog registry value to 1
  • Binding after it happens - What did you get?
    • Process Explorer will tell you what DLL (assembly) is loaded in memory and from where it came.

Here's an example of how a tiny bit of digging saved me hours of confusion recently when I hit an unusual edge case. I was doing a build of a sample that was showing C# interop-ing with IronPython, but I was using a daily build of .NET 4 and a random build of IronPython.

I made a mistake and had some really old DLLs floating around that I shouldn't have had. My symptom was a FileNotFoundException for the file "System.Dynamic.dll." I KNEW it was in the GAC (Global Assembly Cache) and I could SEE it as a reference DLL in my directory. Can't find the file? Dude, it's right there!

Turning on Fusion Logging

You probably have a tool to help on your development system already. Type "Fusion" in the Start Menu. The Assembly Binding Log Viewer, or "Fusion Log Viewer," will tell the CLR to log assembly binding/loading activity to a folder, then let you browse the entries.

Be sure to run it as Administrator if you want to change the Settings, otherwise they'll be grayed out.

Alternatively, just set the registry keys yourself. (I just memorized them, as I set them all the time.) Set the HKLM\Software\Microsoft\Fusion\ForceLog registry value (a DWORD) to 1 and the HKLM\Software\Microsoft\Fusion\LogPath registry value (a string) to C:\FusionLogs or some other path that already exists. Because the setting lives under HKLM it applies to every .NET process on the machine, and the logs record the user name and full paths (see the "User =" and "Appbase" lines in the log below), so treat it as a developer-machine setting and turn it off when you're done.

Personally, I leave this on all the time on my dev machines (there's a small speed hit) and just clean the folder out every once in a while.

Solving My Binding Problem

Once I turned on Fusion Logging I could immediately see a failure in my folder:

The operation failed.
Bind result: hr = 0x80070002. The system cannot find the file specified.

Assembly manager loaded from: C:\Windows\Microsoft.NET\Framework\v4.0.xxxxx\clr.dll
Running under executable C:\Users\Scott\Desktop\TechEd09\FX4\Demo 5 - DLR\Two.IronPythonInterop\bin\Debug\Two.IronPythonInterop.exe
--- A detailed error log follows.

=== Pre-bind state information ===
LOG: User = HANSELMAN-DEV10\Scott
LOG: DisplayName = System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
LOG: Appbase = file:///C:/Users/Scott/Desktop/TechEd09/FX4/Demo 5 - DLR/Two.IronPythonInterop/bin/Debug/
LOG: Initial PrivatePath = NULL
LOG: Dynamic Base = NULL
LOG: Cache Base = NULL
LOG: AppName = Two.IronPythonInterop.exe
Calling assembly : IronPython, Version=2.6.0.1, Culture=neutral, PublicKeyToken=31bf3856ad364e35.
===
LOG: This bind starts in default load context.
LOG: No application configuration file found.
LOG: Using host configuration file:
LOG: Using machine configuration file from C:\Windows\Microsoft.NET\Framework\v4.0.xxxxx\config\machine.config.
LOG: Post-policy reference: System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
LOG: GAC Lookup was unsuccessful.
LOG: Attempting download of new URL file:///C:/Users/Scott/Desktop/TechEd09/FX4/Demo 5 - DLR/Two.IronPythonInterop/bin/Debug/System.Dynamic.DLL.
LOG: Attempting download of new URL file:///C:/Users/Scott/Desktop/TechEd09/FX4/Demo 5 - DLR/Two.IronPythonInterop/bin/Debug/System.Dynamic/System.Dynamic.DLL.
LOG: Attempting download of new URL file:///C:/Users/Scott/Desktop/TechEd09/FX4/Demo 5 - DLR/Two.IronPythonInterop/bin/Debug/System.Dynamic.EXE.
LOG: Attempting download of new URL file:///C:/Users/Scott/Desktop/TechEd09/FX4/Demo 5 - DLR/Two.IronPythonInterop/bin/Debug/System.Dynamic/System.Dynamic.EXE.
LOG: All probing URLs attempted and failed.

You can see that it's looking all over for the file, first in the GAC, then all over the local folders before it gives up. Hm. Why isn't this working? I can see the file sitting right there.

Well, what's the public key token for this signed assembly? I can run "sn -T" on the file:

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\.NETFramework\v4.0>
sn -T System.Dynamic.dll

Microsoft (R) .NET Framework Strong Name Utility Version 4.0.xxxxx.1
Copyright (c) Microsoft Corporation. All rights reserved.

Public key token is b03f5f7f11d50a3a

Wha? What's b03whatever? That's not b77whatever like the one my app is looking for! Looks like my sample app had referenced not only an old version of System.Dynamic, but one with a completely different public key. That's what I get for not cleaning out my obj directories between daily builds.

This could have been done just by setting the registry keys and watching the c:\fusionlogs folder, but the Fusion Log Viewer makes the process more user-friendly.

If you're debugging version number mismatches or strong-name mismatches, Fusion will ALWAYS tell you what's really going on. There is no Black Box.
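Reading that log by eye is fine once. The following added example (Python, not a tool that ships with .NET or with the Fusion Log Viewer) does the same triage mechanically, using the log text and the sn -T token printed above as its only input: it pulls out the requested DisplayName, the calling assembly, the GAC result and the probe URLs, then checks the requested public key token against the token of the file actually on disk.

```python
"""Triage a Fusion binding log the way the post does by hand: what was asked
for, where the binder looked, and whether the strong-name token on disk
matches the request. Added example (Python), not a tool that ships with .NET.
The log text and the 'sn -T' token are the ones printed in the post; nothing
else is assumed."""
import re

# Copied from the Fusion log in the post (raw string: the paths contain \v and \b).
FUSION_LOG = r"""The operation failed.
Bind result: hr = 0x80070002. The system cannot find the file specified.

Assembly manager loaded from: C:\Windows\Microsoft.NET\Framework\v4.0.xxxxx\clr.dll
Running under executable C:\Users\Scott\Desktop\TechEd09\FX4\Demo 5 - DLR\Two.IronPythonInterop\bin\Debug\Two.IronPythonInterop.exe
--- A detailed error log follows.

=== Pre-bind state information ===
LOG: User = HANSELMAN-DEV10\Scott
LOG: DisplayName = System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
LOG: Appbase = file:///C:/Users/Scott/Desktop/TechEd09/FX4/Demo 5 - DLR/Two.IronPythonInterop/bin/Debug/
LOG: Initial PrivatePath = NULL
LOG: AppName = Two.IronPythonInterop.exe
Calling assembly : IronPython, Version=2.6.0.1, Culture=neutral, PublicKeyToken=31bf3856ad364e35.
===
LOG: This bind starts in default load context.
LOG: No application configuration file found.
LOG: Using machine configuration file from C:\Windows\Microsoft.NET\Framework\v4.0.xxxxx\config\machine.config.
LOG: Post-policy reference: System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
LOG: GAC Lookup was unsuccessful.
LOG: Attempting download of new URL file:///C:/Users/Scott/Desktop/TechEd09/FX4/Demo 5 - DLR/Two.IronPythonInterop/bin/Debug/System.Dynamic.DLL.
LOG: Attempting download of new URL file:///C:/Users/Scott/Desktop/TechEd09/FX4/Demo 5 - DLR/Two.IronPythonInterop/bin/Debug/System.Dynamic/System.Dynamic.DLL.
LOG: Attempting download of new URL file:///C:/Users/Scott/Desktop/TechEd09/FX4/Demo 5 - DLR/Two.IronPythonInterop/bin/Debug/System.Dynamic.EXE.
LOG: Attempting download of new URL file:///C:/Users/Scott/Desktop/TechEd09/FX4/Demo 5 - DLR/Two.IronPythonInterop/bin/Debug/System.Dynamic/System.Dynamic.EXE.
LOG: All probing URLs attempted and failed.
"""

# What 'sn -T' printed for the System.Dynamic.dll sitting next to the exe.
TOKEN_ON_DISK = "b03f5f7f11d50a3a"

def parse_display_name(text):
    """'Name, Version=..., Culture=..., PublicKeyToken=...' -> dict."""
    parts = [p.strip() for p in text.strip().rstrip(".").split(",")]
    info = {"Name": parts[0]}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        info[key] = value
    return info

def parse_fusion_log(log):
    """Pull the fields a human reads first out of one Fusion log entry."""
    parsed = {"hr": None, "requested": None, "caller": None, "gac_hit": None, "probed": []}
    for raw in log.splitlines():
        line = raw.strip()
        hr = re.search(r"\bhr = (0x[0-9A-Fa-f]{8})", line)
        if hr:
            parsed["hr"] = int(hr.group(1), 16)
        elif line.startswith("LOG: DisplayName = "):
            parsed["requested"] = parse_display_name(line[len("LOG: DisplayName = "):])
        elif line.startswith("Calling assembly : "):
            parsed["caller"] = parse_display_name(line[len("Calling assembly : "):])
        elif line.startswith("LOG: GAC Lookup was"):
            parsed["gac_hit"] = "unsuccessful" not in line
        elif line.startswith("LOG: Attempting download of new URL "):
            parsed["probed"].append(line[len("LOG: Attempting download of new URL "):].rstrip("."))
    return parsed

def diagnose(parsed, token_on_disk):
    """Fusion matches name, version, culture and public key token together; a
    file with the right name but another signer's token is simply not the
    requested assembly, so 'file not found' (0x80070002) is the honest answer."""
    if parsed["hr"] is None or parsed["requested"] is None:
        return "No bind result or DisplayName line found."
    req, caller = parsed["requested"], parsed["caller"]
    wanted = req.get("PublicKeyToken", "").lower()
    if parsed["hr"] == 0x80070002 and wanted != token_on_disk.lower():
        return (f"{caller['Name']} {caller['Version']} asked for {req['Name']} {req['Version']} "
                f"signed with {wanted}; the copy on disk is signed with {token_on_disk.lower()}. "
                f"GAC hit: {parsed['gac_hit']}; {len(parsed['probed'])} probe URLs failed. "
                f"Strong-name mismatch, not a missing file.")
    if parsed["hr"] == 0x80070002:
        return f"{req['Name']} {req['Version']} not found in GAC or {len(parsed['probed'])} probe URLs."
    return f"Bind result hr=0x{parsed['hr']:08x}"

if __name__ == "__main__":
    print(diagnose(parse_fusion_log(FUSION_LOG), TOKEN_ON_DISK))
```

Run it and it reports the strong-name mismatch rather than "file not found." The parsing is keyed on the literal field labels Fusion writes, so this is a triage aid for this log format, not a general parser; the point is that the token in the request is part of the identity being matched, and a DLL with the right file name and the wrong signer is, to the binder, a different assembly.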

Related Links



First, a disclaimer. This is some really seriously guerilla video. Paul Mooney was kind enough to bust out his video camera and film my keynote at Devscovery in NYC this last Monday. (This was the same trip where I hung out at the Fog Creek offices and did a "Hanselminutes on Channel 9" video.)

Paul edited the video and put it up on Blip.tv. Here's a link to the WMV file if you want to download it. You can also watch it embedded at Neuronspark. He put a lot of work into the editing, so thank you Paul for your community efforts!

I was a little silly so it was a lot more informal than most of my talks. I ran it like a classroom/university lecture with a lot of interactivity. Basically, the talk was loose, so be aware.

One of the things that I liked about this talk was that the talk was largely influenced by a StackOverflow question. The idea was to make a talk about Social Networking using a Social Networking site. I also think that, while the question isn't a programming-specific question, it's a good example of all things community (crowd-sourced)-related.

People voted on the best answer, some voted to shut down the question completely (!), comments broke out in the question and some answers, and the question was eventually turned into a "community wiki" question with collective ownership.

Here's a snapshot of the StackOverflow question (in case it's edited). Forgive the self-quoting:

How can social networking sites make you a better developer?

I am giving a keynote at Devscovery tomorrow at 9am. The title is "Social Networking for Developers." It's 90 minutes long and I don't want to waste anyone's time.

Everyone I talk to who uses Twitter, Blogs, StackOverflow, etc, says that these sites make them "better developers." However, few are able to qualify HOW and fewer are able to quantify HOW MUCH better.

Is it just about getting answers to questions? Is it about the developer's third place?

Help me, O Stack Overflow, O great social network of developers, with my Keynote on Social Networking. ;)

What makes developers, usually an anti-social bunch, strive to use the internet for social purposes?

How do Social Networking sites help you better do your job?

And here's the answer with the most votes, from Rob P.:

  • Social Networks are loaded with people who will remind you not to wait until the night before a talk to ask such questions :)

But seriously, I think the biggest thing it does is remind people what a good developer can be. If you are someone who enjoys going for a jog 2-3 times a week, you could very easily be the best runner you know. You might think that what you do is at or near the limit of what anyone could expect to do.

Until you go to a 5k filled with other serious runners. Then you realize where you stand.

As a younger/not so great developer - I used to think I was a great developer. I was the best developer in my family, the best developer of all my friends and when I finally got into programming classes at school, I was the best then. Even in college. And, honestly, even in a lot of the jobs I've had.

The reminder that there are other people out there who really are leaps and bounds ahead of me and the exposure to things I didn't know existed or were possible - gives me something to strive for.

The answers and resulting discussion, along with some tips I've developed on blogging added up to a fun talk where I eventually ran out of time. I hope to give this talk again in a more organized and formal setting in the future.

Enjoy!



I'm up in Seattle at the ALT.NET Open Space (group DL) and the MVPSummit. "Open Space" is a technique to hold self-organizing conferences. ALT.NET conferences have always been Open Spaces, and if you haven't gone to an Open Space conf (of any kind) I recommend you check it out. This is my third (?) ALT.NET conference, and sixth Open Space conference and I always enjoy it more than larger shows.

Martin Fowler says this about Open Space:

The unusual (and powerful) thing about Open Space is that you don't pre-plan a list of activities and speakers. Instead you provide a basic skeleton of time and space, and the attendees figure out what actually happens. The result is a more participative and energetic event.

What is ALT.NET?

In April of 2007, David Laribee coined the phrase ALT.NET after reading a post by Scott Bellware about the NHibernate Mafia. The core message David was keying off of was the maintainability of a software solution and not the tools involved in creating it.
ALT.NET means many things to many people and the debate will continue about what it means to you.
David proposed ALT.NET signifies:

  1. You’re the type of developer who uses what works while keeping an eye out for a better way.
  2. You reach outside the mainstream to adopt the best of any community: Open Source, Agile, Java, Ruby, etc.
  3. You’re not content with the status quo. Things can always be better expressed, more elegant and simple, more mutable, higher quality, etc.
  4. You know tools are great, but they only take you so far. It’s the principles and knowledge that really matter. The best tools are those that embed the knowledge and encourage the principles (e.g. Resharper.)

Robert Scoble introduced me to Kyte.TV last week after he moved a Twitter conversation we were having out of the constrained space of Twitter and into a live video stream with a chat window. As an experiment I recorded a "Hanselminutes Live" using Kyte and it was pretty fun. Fast forward to ALT.NET a week later and I'd forgotten about this. Then I noticed a number of folks on Twitter saying "wish we were there!" I had my webcam with me so I started streaming the sessions I was attending live using Kyte.

Nate Kohari and Ben Scheirman also started recording. Here's the extremely raw video we ended up with. We're still learning, so there's audio and video problems, so set your expectations LOW.

Scott - ALT.NET Recorded .NET Sessions

Ben - Recorded ALT.NET Sessions

Nate - Recorded ALT.NET Sessions


  Blog posts about ALT.NET Seattle 2009:

Enjoy!



My one-hundred-and-fiftieth podcast is up. He's back! And he's pissed! (Not really)

RWendi has a review and commentary of the past few weeks' goings-on around Uncle Bob, Joel Spolsky and Jeff Atwood, sparked by Uncle Bob's discussion of SOLID on show number 145. There's also a breakdown at InfoQ.

In this NEW episode, Scott sits down with Robert C. Martin as Uncle Bob (@unclebobmartin) tries to put the SOLID principles into some perspective.

Here's some alternate titles for this show, suggested by the folks on Twitter!

  • "He's back and he's pissed."
  • "Bob's your Uncle."
  • "Joel Who?"
  • "SOLID State"
  • "I got your tests right here!"
  • "Smack Overflow"
  • "Pay Attention This Time: Bob Martin on SOLID"

(No, Bob's not pissed. We're just having a laugh.)

Subscribe: Subscribe to Hanselminutes | Subscribe to my Podcast in iTunes

Do also remember the complete archives are always up and they have PDF Transcripts, a little-known feature that shows up a few weeks after each show.

Telerik is our sponsor for this show!

Building quality software is never easy. It requires skills and imagination. We cannot promise to improve your skills, but when it comes to User Interface, we can provide the building blocks to take your application a step closer to your imagination. Explore the leading UI suites for ASP.NET and Windows Forms. Enjoy the versatility of our new-generation Reporting Tool. Dive into our online community. Visit www.telerik.com.

As I've said before this show comes to you with the audio expertise and stewardship of Carl Franklin. The name comes from Travis Illig, but the goal of the show is simple. Avoid wasting the listener's time. (and make the commute less boring)

Enjoy. Who knows what'll happen in the next show?

Technorati Tags: SOLID,OOD,Uncle Bob,Software,Design


