Scott Hanselman

These are the little bugs that lead to madness

June 23, '09 Comments [7] Posted in ASP.NET | IIS | Musings
Sponsored By

I received an interesting email today where a fellow was trying to make sure that all browsers could successfully download his company's MSI installer. He had found a blog post that I wrote SIX YEARS AGO on the Content-Disposition header and some trouble I'd had with Check Images. Just in case you're not clear, 6 years is like a century on the internet.

Here's a little snippet from my incredibly old blog post:

HTTP headers are name-value pairs, so they are easily added with the Response object in ASP or ASP.NET. You use it like this (these are the HTTP headers):

HTTP/1.1 200 OK
<snip>
Content-Disposition: filename=checkimage.jpg
Content-Length: 76127
Content-Type: image/JPEG

Or, if you want to immediately prompt the user with a File Download Box:

HTTP/1.1 200 OK
<snip>
Content-Disposition: attachment; filename=checkimage.jpg
Content-Length: 76127
Content-Type: image/JPEG

However, Internet Explorer has never really got it right.

Here's a list of gotchas, starting with my own:

  • On IE 6.0, things mostly work, but if you ALSO set up Cache-Control: no-cache, your suggested filename (and type!) will be IGNORED.  A bummer if you have to choose between security and convenience.  Of course, security wins.
  • On IE 4, the attachment option is flaky, see Q182315
  • On IE 5.5, the attachment option is REALLY flaky, see Q267991 and Q279667 and Q281119
  • On IE 5.0, the filename suggested can mangle your filenames, see Q262042
  • On nearly all versions of IE, including 6.0, sometimes the browser will use the filename in the address bar instead of the Content-Disposition Header, and with IE5.5SP2 you're expected to change the UseCDFileName registry key, see Q303750.  This was fixed with IE6.0SP1.

IE's not the only browser with past trouble around this header, but it's been the worst historically. Last year, IE8 made a good move forward when it proposed (during the beta cycle) an "authoritative=true" addition to the Content-Type HTTP header. This would be a way for your server to basically insist that the Content-Type it offered was the correct one. Seems reasonable, like it should have always been that way, eh?

Here's an example of how we'd (under this OLD proposal) force an HTML page to be delivered and rendered as plain text. Sam Ruby thought it was a good idea as well; content sniffing, although the HTML5 spec describes it, is generally considered a bad idea.

HTTP/1.1 200 OK
Content-Length: 108
Date: Thu, 26 Jun 2008 22:06:28 GMT
Content-Type: text/plain; authoritative=true;

<html>
<body bgcolor="#AA0000">
This page renders as HTML source code (text) in IE8.
</body>
</html>

Unfortunately this blog post was never updated. EricL (author of Fiddler and a very nice person) wrote it, and he'll know I'm not picking on him personally, as this is a huge problem on all blogs, mine included. It's really hard to update old posts when they are obsolete. It's a manual process, and all we as bloggers can do is our best to update our old posts with pointers to new information.

Two months later, this post came out and the final design that was agreed on with community feedback looked like this:

Over the past two months, we’ve received significant community feedback that using a new attribute on the Content-Type header would create a deployment headache for server operators. To that end, we have converted this option into a full-fledged HTTP response header.  Sending the new X-Content-Type-Options response header with the value nosniff will prevent Internet Explorer from MIME-sniffing a response away from the declared content-type.

For example, given the following HTTP-response:

HTTP/1.1 200 OK 
Content-Length: 108
Date: Thu, 26 Jun 2008 22:06:28 GMT
Content-Type: text/plain;
X-Content-Type-Options: nosniff

<html>
<body bgcolor="#AA0000">
This page renders as HTML source code (text) in IE8.
</body>
</html>
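As an added example (not code from this post or from the IE blog it quotes), here is a small offline audit of the content-handling headers discussed above: it flags the old authoritative= parameter on Content-Type, checks for X-Content-Type-Options: nosniff, and flags the Content-Disposition plus Cache-Control: no-cache combination that tripped IE 6 in the gotcha list. The function names are assumptions and the sample responses are constructed from the examples on this page.

```python
# Added example: audit a raw HTTP response for the content-handling
# headers discussed in the post. Not the post's own code; the function
# names are assumptions and the sample responses are constructed.
import email


def parse_response(raw):
    """Split a raw HTTP response into (status line, parsed headers).

    Accepts CRLF or LF line endings. The body after the blank line is
    ignored; only the headers matter for this audit.
    """
    text = raw.replace("\r\n", "\n")
    head, _sep, _body = text.partition("\n\n")
    status_line, _sep, header_block = head.partition("\n")
    # email.message_from_string gives case-insensitive header lookup
    # for an RFC 822-style header block, which HTTP headers are.
    return status_line.strip(), email.message_from_string(header_block)


def audit_headers(raw):
    """Return a list of findings for one response (empty list = clean)."""
    findings = []
    _status, headers = parse_response(raw)

    ctype = headers.get("Content-Type")
    if ctype is None:
        findings.append("no Content-Type: the browser has to guess (sniff) the type")
    elif "authoritative=" in ctype.lower():
        findings.append("Content-Type uses the superseded authoritative= parameter; "
                        "send X-Content-Type-Options: nosniff instead")

    xcto = (headers.get("X-Content-Type-Options") or "").strip().lower()
    if xcto != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is not set")

    disposition = (headers.get("Content-Disposition") or "").lower()
    cache = (headers.get("Cache-Control") or "").lower()
    if "filename=" in disposition and "no-cache" in cache:
        findings.append("Content-Disposition filename sent together with Cache-Control: no-cache; "
                        "IE 6 ignored the suggested filename and type in that case")
    return findings


# Constructed responses modelled on the examples in the post.
RESPONSE_AUTHORITATIVE = """HTTP/1.1 200 OK
Content-Length: 108
Content-Type: text/plain; authoritative=true;

<html><body>This page renders as HTML source code (text) in IE8.</body></html>
"""

RESPONSE_NOSNIFF = """HTTP/1.1 200 OK
Content-Length: 108
Content-Type: text/plain;
X-Content-Type-Options: nosniff

<html><body>This page renders as HTML source code (text) in IE8.</body></html>
"""

RESPONSE_DOWNLOAD_NOCACHE = """HTTP/1.1 200 OK
Content-Disposition: attachment; filename=checkimage.jpg
Cache-Control: no-cache
Content-Length: 76127
Content-Type: image/JPEG

"""


def audit_all():
    """Audit every constructed response and return {name: findings}."""
    samples = {
        "authoritative": RESPONSE_AUTHORITATIVE,
        "nosniff": RESPONSE_NOSNIFF,
        "download_nocache": RESPONSE_DOWNLOAD_NOCACHE,
    }
    return {name: audit_headers(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", findings or "clean")
```

Run against a captured response (for example, pasted from Fiddler), the "nosniff" sample comes back clean, the "authoritative" sample gets two findings, and the download sample shows the IE 6 gotcha from the list above.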

I'd like this post to serve as a reminder to all of us who are blogging technical content to update our posts if and when appropriate, and certainly when a reader points out errata. As the gent who emailed me so wisely put it:

"These are the little bugs that lead to madness."

Thoughts?

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Back to Basics - Trust Nothing as User Input Comes from All Over

June 23, '09 Comments [16] Posted in ASP.NET | Back to Basics

There was an interesting bug recently that was initially blamed on Bing. Basically someone searched for something, clicked the first result and got a YSOD (Yellow Screen of Death).

They were searching Bing.com for this term:

"Eugene Myers's O(ND) Diff algorithm"

When they clicked on a link that looked like a good result, they got a scary YSOD like this:


Server Error in '/' Application.


'/t:tracking/t:referrer[@url='http://www.bing.com/search?q=eugene myers's o(nd) diff algorithm&form=qblh']' has an invalid token.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Xml.XPath.XPathException: '/t:tracking/t:referrer[@url='http://www.bing.com/search?q=eugene myers's o(nd) diff algorithm&form=qblh']' has an invalid token.
Source Error:

Stack Trace:

[XPathException: '/t:tracking/t:referrer[@url='http://www.bing.com/search?q=eugene myers's o(nd) diff algorithm&form=qblh']' has an invalid token.]

   MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +539

...snip...


Eek! That is scary. Because the user clicked a link on Bing and the next thing they got was an error, they figured it was Bing that caused it. Well, indirectly. What went wrong here?

The target site the user was visiting is tracking their visitors, as many sites do and should. When you visit a site from another, HTTP includes a header called "Referer" (yes, it's actually misspelled in the spec, and is misspelled in reality. Welcome to the Web.)

Since they were visiting from here:

http://www.bing.com/search?q=eugene myers's o(nd) diff algorithm&form=qblh

...then that was the referrer. However, the trouble happened when the program took the HTTP Referer header blindly and built up an XPath expression with the header value concatenated directly into it.

It appears that this website is storing its tracking details in an XML file, and the programmer is trying to do a lookup on the referrer so he/she can increment a visit count.

Notice that they've wrapped the string in single quotes, but the original search term included an additional single quote in "Eugene Myers's." The resulting concatenated XPath isn't valid XPath, and the query fails.

Just in case you care, the same problem happens to this poor site when searching from Google:

http://www.google.com/search?q=Eugene+Myers's+O(ND)+Diff+algorithm

Yields:


Server Error in '/' Application.

'/t:tracking/t:referrer[@url='http://www.google.com/search?q=eugene myers's o(nd) diff algorithm']' has an invalid token.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Xml.XPath.XPathException: '/t:tracking/t:referrer[@url='http://www.google.com/search?q=eugene myers's o(nd) diff algorithm']' has an invalid token.


What's the Back to Basics lesson?  Well, there are a few:

  • Trust no user input.
  • Input comes from many locations.
    • There's explicit input like Form POSTs, but also implicit input like HTTP Referers and Cookies.
  • "Injection" attacks aren't just about SQL Injection.
    • You can inject things into XPath and Regular Expressions just as easily and possibly bring down or hang sites, as well as potentially expose private information.
    • Any time you take a string from input of any kind and concatenate it into any language, you're giving bad people a chance to be bad.
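As an added example (not code from this post or from the site that threw the YSOD), here is the concatenation pattern described above beside a lookup that keeps the Referer value out of the query language entirely. It uses Python's standard-library ElementTree, whose limited XPath support is enough to reproduce the failure: the quote in the header ends the string literal early and the rest of the URL gets parsed as XPath syntax. The tracking file layout, the namespace URI and the function names are assumptions, and the sample data and Referer values are constructed.

```python
# Added example: XPath built from the Referer header by string
# concatenation (the bug in the post) beside a lookup that treats the
# header as data only. Not the site's code; layout and names assumed.
import xml.etree.ElementTree as ET

# Constructed tracking file shaped like the XPath in the post suggests:
# a t:tracking root with t:referrer children keyed by their url.
TRACKING_XML = """<t:tracking xmlns:t="urn:example:tracking">
  <t:referrer url="http://www.google.com/" visits="3"/>
  <t:referrer url="http://www.bing.com/search?q=eugene myers's o(nd) diff algorithm&amp;form=qblh" visits="1"/>
</t:tracking>
"""
NS = {"t": "urn:example:tracking"}  # assumed namespace URI for the t: prefix

# Constructed Referer values: one harmless, one carrying the apostrophe
# from the search term in the post.
REFERER_PLAIN = "http://www.google.com/"
REFERER_QUOTE = "http://www.bing.com/search?q=eugene myers's o(nd) diff algorithm&form=qblh"


def load_tracking():
    """Parse the constructed tracking file into an Element tree."""
    return ET.fromstring(TRACKING_XML)


def find_referrer_unsafe(root, referer):
    """The pattern that produced the YSOD: the header is pasted into the
    query. A single quote in the header closes the XPath literal early,
    the remainder of the URL is parsed as XPath, and the parser throws
    (SyntaxError here, XPathException in .NET)."""
    xpath = "t:referrer[@url='" + referer + "']"
    return root.find(xpath, NS)


def find_referrer_safe(root, referer):
    """Hardened lookup: the query is a constant and the untrusted string
    is only ever compared as data, never parsed as syntax."""
    for node in root.findall("t:referrer", NS):
        if node.get("url") == referer:
            return node
    return None


def record_visit(root, referer):
    """Increment the visit counter for a referrer, creating the entry on
    the first visit from it. Returns the new count."""
    node = find_referrer_safe(root, referer)
    if node is None:
        node = ET.SubElement(root, "{%s}referrer" % NS["t"], url=referer, visits="0")
    node.set("visits", str(int(node.get("visits")) + 1))
    return int(node.get("visits"))


def demo():
    """Run both lookups against both Referer values and report what
    happened, as a dict keyed by '<variant>_<referer label>'."""
    root = load_tracking()
    results = {}
    for label, referer in (("plain", REFERER_PLAIN), ("quote", REFERER_QUOTE)):
        try:
            node = find_referrer_unsafe(root, referer)
            results["unsafe_" + label] = node.get("visits") if node is not None else None
        except SyntaxError as exc:
            results["unsafe_" + label] = "error: %s" % exc
        node = find_referrer_safe(root, referer)
        results["safe_" + label] = node.get("visits") if node is not None else None
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

ElementTree offers no parameter binding, so the hardened version compares the header as data instead of quoting it into the expression; where your XPath engine does offer variable binding, that is the equivalent of a parameterized SQL query. The same rule covers the regular-expression case in the list above: run untrusted text through re.escape() before it becomes part of a pattern, or match against it as a plain string.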

Interesting (and obscure) stuff!

Accidental Prescience and the Secrets of Project Natal

June 23, '09 Comments [16] Posted in Channel9 | Gaming

I can't remember which episode, but a few years ago I mentioned on my podcast that I didn't understand why companies were spending so much time with touch screens and multi-touch input devices when we all have a perfectly good input device staring at us, unused, every day - our webcams. Minority Report was not only a great movie, but a great user experience idea.

Johnny Chung Lee (I thought he and I had a bromance going, but it's just a fauxmance. It's one way, sniff, he doesn't know I'm alive! ;) did some amazing work in this space using the Wii remote a while back.

Ever since I saw Minority Report, perhaps even before since it's such an obvious idea, I've been searching and trying to figure out when and how this is going to happen. From my point of view, there's just no reason I shouldn't be able to make a small gesture and push a window over to another monitor. Swipe down in the air, minimize. If it were reliable, it'd be a perfect and elegant addition to the mouse and keyboard.

Johnny now works for Microsoft, and recently we learned that he's been working with the team that is doing Project Natal. If you've been under a virtual rock, here's a video of what Natal does. Basically it tracks your body and you become the game controller. If it works, it'll be epic. If it fails, it'll be sad. The real question is WHEN. My bet is Christmas, only because it's obvious.

From Johnny's Blog:

The 3D sensor itself is a pretty incredible piece of equipment providing detailed 3D information about the environment similar to very expensive laser range finding systems but at a tiny fraction of the cost. Depth cameras provide you with a point cloud of the surface of objects that is fairly insensitive to various lighting conditions allowing you to do things that are simply impossible with a normal camera.

But once you have the 3D information, you then have to interpret that cloud of points as "people". This is where the researcher jaws stay dropped. The human tracking algorithms that the teams have developed are well ahead of the state of the art in computer vision in this domain. The sophistication and performance of the algorithms rival or exceed anything that I've seen in academic research, never mind a consumer product. At times, working on this project has felt like a miniature “Manhattan project” with developers and researchers from around the world coming together to make this happen.

Before the world (or I) had ever heard of Project Natal, I pounced on and interviewed Johnny at Mix 09 in Las Vegas. Recently Raleigh Buckner mentioned on Twitter that there was a lot "said without actually saying" in that interview, and darn it, he's right. I asked the right questions, and Johnny answered, but we (the collective) didn't see!

Now, go watch the interview again, this time with the knowledge of Project Natal's existence...

Johnny Lee on Computer Vision

Wow. I just bumped into Johnny Lee in the halls here at Mix09. I'm a huge fanboi with a man-crush on this dude. You've seen Johnny before on Channel 9 talking to Robert Hess.  Johnny's a legend (in my mind) in the computer vision space, and he put up with me gushing at him here at Mix09. We chatted in the hall about computer vision, what he's working on, how he got the gig at Microsoft and where he sees the future of human-computer-interaction.

Crazy stuff. I'm very excited to see how far they can take this.

Hanselminutes Podcast 165 - Working Effectively with Legacy Code with Michael Feathers

June 22, '09 Comments [3] Posted in Podcast

My one-hundred-and-sixty-fifth podcast is up. Scott's in Norway this week and he sits down with Michael Feathers. Michael is the author of "Working Effectively with Legacy Code." What is legacy code? Are you writing legacy code right now?

Subscribe: Subscribe to Hanselminutes Subscribe to my Podcast in iTunes

Do also remember the complete archives are always up and they have PDF transcripts, a little-known feature that shows up a few weeks after each show.

Telerik is a sponsor for this show!

Building quality software is never easy. It requires skills and imagination. We cannot promise to improve your skills, but when it comes to User Interface, we can provide the building blocks to take your application a step closer to your imagination. Explore the leading UI suites for ASP.NET and Windows Forms. Enjoy the versatility of our new-generation Reporting Tool. Dive into our online community. Visit www.telerik.com.

As I've said before this show comes to you with the audio expertise and stewardship of Carl Franklin. The name comes from Travis Illig, but the goal of the show is simple. Avoid wasting the listener's time. (and make the commute less boring)

Enjoy. Who knows what'll happen in the next show?

Hanselminutes on 9 - More from Norway, inside the Speaker's Room

June 20, '09 Comments [3] Posted in Channel9 | Speaking

I'm heading to the Bergen, Norway .NET Users Group today after speaking at the Norwegian Developer's Conference in Oslo.

I've been filming videos in the speaker room with a Creative Vado HD portable Hi-Def video camera. Earlier I filmed:

And before I head to Bergen I wanted to put up one more, this one with Jeremy Miller on "StoryTeller", an acceptance testing framework that he's dogfooding (dogfooding means using your own software first to prove it's useful) with his team. Jeremy's been working on and talking about StoryTeller for a while, and I'm glad to hear that the work continues and that we'll be able to check it out soon.

Hanselminutes on 9 - Storyteller with Jeremy Miller

I'm heading to the train station now, talk to you soon! I'll leave you with some pics.

I'm off, Dear Reader.

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.