Scott Hanselman

Intellectual property, decompilation, .NET and getting the 'gist'

August 11, '03 Comments [0] Posted in Web Services | ASP.NET
Sponsored By

Sergio Pereira asked a great question in the comments that I wanted to bring out to a full blown post.  He said:

I'm with you on not touching if it works. As a regular user of Reflector I constantly find myself struggling with the moral issues of what I'm doing. Do you consider what you just did a violation of Intellectual Property ?

This is a great question and a slippery slope.  Here's some brainstorming and thoughts to get a discussion started.

To start, I didn't simply "decompile and copy-paste," not only is that shady (not to mention technically infeasible) but it wasn't my intent.  My intent was to get the 'gist' of what is going on inside of ASP.NET's @Page Directive validateInput. 

Some folks could argue that using ILDASM to get the 'gist' of something is stealing intellectual property.  I believe that is usually true.  On the other hand I believe that Microsoft included ILDASM (and provides rich metadata in .NET and didn't obfuscate System.*) and wants us to understand the gist of the Windows .NET Framework.  They also have provided Rotor source code which many people, including myself, use as a reference implementation to get the 'gist/zen/gestalt' of .NET. 

So, what is appropriate use of ILDASM?  If someone ILDASMed the System.Collections and writes a better Dictionary, is that a gray area?  Who first thought up Dictionaries? Do I owe someone royalties?  We all look at other code, other libraries, and internal headers to get the 'gist.' 

However, I'm not going to use this code until I'm satisified that it is righteous.  Perhaps I'll write an MSDN Article on the subject of Cross Site Scripting and this backport.  Perhaps it will be useful and released as a sample, perhaps it will be quashed, perhaps it will be my own personal unused curiousity. Any thoughts ScottGu?

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

My day: Back-porting Input Validation from ASP.NET 1.1 to ASP.NET 1.0

August 8, '03 Comments [1] Posted in Web Services | ASP.NET | Javascript | HttpModule
Sponsored By

I don't know if this qualifies as evil, stupid, both, or neither, but here's a story. 

Many clients move at a very, shall we say "measured" pace and don't take upgrading from Framework 1.0 to Framework 1.1 lightly.  We are very security focused here and javascript injection attacks are always a problem.  The client doesn't want want to upgrade to ASP.NET 1.1 until later this year, but they want to make sure they are in some way for script attacks. 

So, what to do?  Using Lutz's Reflector, Anakrino, and ILDASM I "examined" System.Web.CrossSiteScriptingValidation, HttpValidationException and others, and back-ported the equivalent to ASP.NET @Page Directive "validateInput = true" into an custom validateInput HttpModule.  I hook PreRequestHandlerExecute and quite happily detect scripting attacks in ASP.NET 1.0.

Again, may be evil, but felt so good.   When the site is upgraded to ASP.NET 1.1 later this year I'll just remove this line from the Web.config:

<httpModules>
    <add name="ValidateInput" type="Corillian.Web.ValidateInput,ValidateInputASPNET10"
/>
</httpModules>

A couple of interesting questions came up, one of which was...

A while loop is expanded when compiling IL, and the C# equivalent is something like this:

goto L_0045;
L_0040:
   index = (index + 1);
L_0045:
if (index >= len)
{
  
goto L_005E;
}
if (CrossSiteScriptingValidation.IsAtoZ(s[index]))
{
  
goto L_0040;
}
L_005E:

Should I (for tidying up's sake) roll it back up to something like this:

//Programmer intent: look for non-alphas...
while (index < len)
{
  if (!CrossSiteScriptingValidation.IsAtoZ(s[index]))
    
break;
  index++;
}

or just leave well-enough (and well-equivalent) alone?  Remembering that this is a so very temporary and marginally not cool thing to do, perhaps it's best to let sleeping dogs lie.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

.Common - beat poetry

August 7, '03 Comments [3] Posted in Musings
Sponsored By

I performed my new beat poem ". <dot> Common" at the LuvJonz last night around 10:30pm to a smoke filled room of very supportive and jazzy people at Ohm

(By the way, The Ohm is now the new home of Johnny Ray's Grill.  I spoke with Johnny Ray briefly, and it's he's got some fantastic beef brisket for like $2.  He'll be open 24 hours on the weekends, so you just gotta get down there and get some grub.)

Anyway, it was a blast, and I hope to be down there more often.  It's a different vibe than Standup, and very different vibe than C# and PowerPoint. (although, not that different if you've ever seen one of my presentations! )

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

I will be there with Managed Bells on...

August 7, '03 Comments [0] Posted in Web Services | TechEd | Speaking | PDC
Sponsored By

I shall be there.  I'm really looking forward to this one.  TechEd is fun, but PDC is the social and technical event of any season.

A picture named PDC2003.gif

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

More interesting code from my buddy Sairama - How to create an object with a private constructor

August 7, '03 Comments [3] Posted in Web Services
Sponsored By

using System;
namespace Corillian.Testing
{
 
     class PrivateClass
      {
            public string Name;
            public int    Age;
            private PrivateClass() 
            { 
                  Name = "not initialized";
                  Age = 0;
            }
      } 

      class Test
      {
            static void Main(string[] args)
            {
                  /// The following statement will not work as the constructor is private
                  /// PrivateClass newpTest = new PrivateClass();
                  /// But you can create the object through Serialization 
                  PrivateClass ptest = (PrivateClass)System.Runtime.Serialization.FormatterServices.GetUninitializedObject( typeof(PrivateClass) );
                  ptest.Name = "Scott";
                  ptest.Age = 0x1D;

                  Console.WriteLine( String.Format("{0} {1}",ptest.Name,ptest.Age );
            }
      }
}

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.