Scott Hanselman

TechEd 2003 DVD: Tragedy Strikes! I must buy a lottery ticket...

August 12, 2003 Comment on this post [6] Posted in Web Services | TechEd | Speaking

Well...there was a 1 in 400 chance, and I was the one.  On the TechEd DVD boxed set that contains all the multimedia presentations for the sessions, if you sort by name, and look for DEV389.htm, you'll see DEV387, DEV388, DEV400, waaah?!?  Turns out the launching .HTM file is missing from the DVD set for my session.  If you look on Disc 2 and dig for the DEV389_files folder, you can launch the default.htm from there and watch the talk with no problems.  But, for those using the menuing system (everyone) you'll get a broken link.  Bummer.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook bluesky subscribe
About   Newsletter
Hosting By
Hosted on Linux using .NET in an Azure App Service

Intellectual property, decompilation, .NET and getting the 'gist'

August 11, 2003 Comment on this post [0] Posted in Web Services | ASP.NET

Sergio Pereira asked a great question in the comments that I wanted to bring out to a full blown post.  He said:

I'm with you on not touching if it works. As a regular user of Reflector I constantly find myself struggling with the moral issues of what I'm doing. Do you consider what you just did a violation of Intellectual Property ?

This is a great question and a slippery slope.  Here's some brainstorming and thoughts to get a discussion started.

To start, I didn't simply "decompile and copy-paste," not only is that shady (not to mention technically infeasible) but it wasn't my intent.  My intent was to get the 'gist' of what is going on inside of ASP.NET's @Page Directive validateInput. 

Some folks could argue that using ILDASM to get the 'gist' of something is stealing intellectual property.  I believe that is usually true.  On the other hand I believe that Microsoft included ILDASM (and provides rich metadata in .NET and didn't obfuscate System.*) and wants us to understand the gist of the Windows .NET Framework.  They also have provided Rotor source code which many people, including myself, use as a reference implementation to get the 'gist/zen/gestalt' of .NET. 

So, what is appropriate use of ILDASM?  If someone ILDASMed System.Collections and wrote a better Dictionary, is that a gray area?  Who first thought up Dictionaries? Do I owe someone royalties?  We all look at other code, other libraries, and internal headers to get the 'gist.' 

However, I'm not going to use this code until I'm satisfied that it is righteous.  Perhaps I'll write an MSDN Article on the subject of Cross Site Scripting and this backport.  Perhaps it will be useful and released as a sample, perhaps it will be quashed, perhaps it will be my own personal unused curiosity. Any thoughts ScottGu?


My day: Back-porting Input Validation from ASP.NET 1.1 to ASP.NET 1.0

August 08, 2003 Comment on this post [1] Posted in Web Services | ASP.NET | Javascript | HttpModule

I don't know if this qualifies as evil, stupid, both, or neither, but here's a story. 

Many clients move at a very, shall we say "measured" pace and don't take upgrading from Framework 1.0 to Framework 1.1 lightly.  We are very security focused here and javascript injection attacks are always a problem.  The client doesn't want to upgrade to ASP.NET 1.1 until later this year, but they want to make sure they are in some way prepared for script attacks. 

So, what to do?  Using Lutz's Reflector, Anakrino, and ILDASM I "examined" System.Web.CrossSiteScriptingValidation, HttpValidationException and others, and back-ported the equivalent of the ASP.NET @Page Directive "validateInput = true" into a custom validateInput HttpModule.  I hook PreRequestHandlerExecute and quite happily detect scripting attacks in ASP.NET 1.0.

Again, may be evil, but felt so good.   When the site is upgraded to ASP.NET 1.1 later this year I'll just remove this line from the Web.config:

<httpModules>
    <add name="ValidateInput" type="Corillian.Web.ValidateInput,ValidateInputASPNET10" />
</httpModules>
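To make the back-port concrete, here is an added example of what such a module looks like on ASP.NET 1.0. It is not the code from this post or from Corillian: the namespace and class name are made up, and the "dangerous string" rule it applies (a '<' followed by a letter, '!', '/' or '?', or the numeric entity prefix "&#") is this example's own reading of what validateInput rejects, stated as an assumption rather than copied from System.Web. The module hooks PreRequestHandlerExecute, walks the query string and form fields, and fails the request with a 400 before the page handler ever sees the value, which is the same fail-closed behaviour the 1.1 feature has.

```csharp
// Added example, not the post's own code. Hypothetical namespace and type name;
// register it in Web.config exactly like the <add name=... type=...> entry above,
// with the type "Example.Web.ValidateInputModule,<assembly name>".
using System;
using System.Collections.Specialized;
using System.Web;

namespace Example.Web
{
    public class ValidateInputModule : IHttpModule
    {
        public void Init(HttpApplication app)
        {
            // Runs after authentication/authorization but before the page executes.
            app.PreRequestHandlerExecute += new EventHandler(OnPreRequestHandlerExecute);
        }

        public void Dispose() { }

        private void OnPreRequestHandlerExecute(object sender, EventArgs e)
        {
            HttpApplication app = (HttpApplication)sender;
            HttpRequest request = app.Context.Request;

            CheckCollection(request.QueryString, "Request.QueryString");
            CheckCollection(request.Form, "Request.Form");
        }

        private static void CheckCollection(NameValueCollection values, string source)
        {
            for (int i = 0; i < values.Count; i++)
            {
                string value = values[i];
                if (value != null && IsDangerousString(value))
                {
                    // Fail the request rather than sanitise it: the page never sees
                    // the value, and the error is visible in the IIS/ASP.NET logs.
                    throw new HttpException(400,
                        "A potentially dangerous " + source + " value was detected in field '"
                        + values.GetKey(i) + "'.");
                }
            }
        }

        // Assumed rule (this example's, not Microsoft's): markup-like input is a '<'
        // followed by a letter, '!', '/' or '?', or an HTML numeric entity "&#".
        public static bool IsDangerousString(string s)
        {
            int len = s.Length;
            for (int index = 0; index < len - 1; index++)
            {
                char c = s[index];
                char next = s[index + 1];
                if (c == '<')
                {
                    if (IsAtoZ(next) || next == '!' || next == '/' || next == '?')
                        return true;
                }
                else if (c == '&' && next == '#')
                {
                    return true;
                }
            }
            return false;
        }

        // Programmer intent: is this an ASCII letter? (same role as the IsAtoZ
        // helper referred to in the decompiled loop below)
        private static bool IsAtoZ(char c)
        {
            return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
        }
    }
}
```

Two caveats a practitioner would want: the check is a coarse pattern match, so it is a backstop against reflected script in form and query input, not a substitute for HTML-encoding output; and because it throws for every matching field, any page that legitimately accepts markup (a rich-text editor, for example) needs to be excluded from the module, just as it would need validateInput="false" on 1.1.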

A couple of interesting questions came up, one of which was...

A while loop is expanded when compiling IL, and the C# equivalent is something like this:

goto L_0045;
L_0040:
    index = (index + 1);
L_0045:
    if (index >= len)
    {
        goto L_005E;
    }
    if (CrossSiteScriptingValidation.IsAtoZ(s[index]))
    {
        goto L_0040;
    }
L_005E:

Should I (for tidying up's sake) roll it back up to something like this:

//Programmer intent: look for non-alphas...
while (index < len)
{
    if (!CrossSiteScriptingValidation.IsAtoZ(s[index]))
        break;
    index++;
}

or just leave well-enough (and well-equivalent) alone?  Remembering that this is a so very temporary and marginally not cool thing to do, perhaps it's best to let sleeping dogs lie.


.Common - beat poetry

August 07, 2003 Comment on this post [3] Posted in Musings

I performed my new beat poem ". <dot> Common" at the LuvJonz last night around 10:30pm to a smoke filled room of very supportive and jazzy people at Ohm

(By the way, The Ohm is now the new home of Johnny Ray's Grill.  I spoke with Johnny Ray briefly, and he's got some fantastic beef brisket for like $2.  He'll be open 24 hours on the weekends, so you just gotta get down there and get some grub.)

Anyway, it was a blast, and I hope to be down there more often.  It's a different vibe than Standup, and a very different vibe than C# and PowerPoint. (although, not that different if you've ever seen one of my presentations!)


I will be there with Managed Bells on...

August 07, 2003 Comment on this post [0] Posted in Web Services | TechEd | Speaking | PDC

I shall be there.  I'm really looking forward to this one.  TechEd is fun, but PDC is the social and technical event of any season.

A picture named PDC2003.gif


Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.