FINAL UPDATE:
This problem is now addressed in the following knowledge base article:
--
If you’ve installed the Validate Path Module because of the vulnerability in ASP.NET on a machine with SQL Server Reporting Services, then you’ve got troubles. Here is the exception I'm seeing:
Request for the permission of type System.Web.AspNetHostingPermission, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.
I dumped the PublicKeyBlob of the new assembly with the Caspol.exe utility and granted the module Full Trust (as the other GAC'ed assemblies signed by Microsoft have been given). Place the following into both the rssrvpolicy.config and rsmgrpolicy.config files. I placed the entry just underneath the Microsoft_Strong_Name CodeGroup.
I hope this gets everyone up and running again. If I see any official configuration information from MS, I'll update this post to pass it along.
UPDATE Oct 11: No official word yet. If you are getting the following exception after updating both policy files, then restart the web server (IISRESET from the command line will work). Thanks to Adam Creeger for the tip.
Assembly microsoft.web.validatepathmodule.dll security permission grant set is incompatible between appdomains.
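Once an entry like the one described above is in place, it is worth confirming which strong-name keys each policy file actually grants FullTrust, and that both files carry the new grant. The following is an added example, not code from the original post or from Microsoft; the policy fragment is constructed and simplified, the group names ValidatePathModule_Strong_Name and Example_Execution_Only are hypothetical, and the PublicKeyBlob values are placeholders.

```python
# Added example: audit which strong-named assemblies a Reporting Services
# policy file grants FullTrust. The sample policy is constructed and
# simplified; the blob values are placeholders, not real key material.
import xml.etree.ElementTree as ET

SAMPLE_POLICY = """\
<configuration><mscorlib><security><policy>
 <PolicyLevel version="1">
  <CodeGroup class="FirstMatchCodeGroup" version="1" PermissionSetName="Nothing">
   <IMembershipCondition class="AllMembershipCondition" version="1"/>
   <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust"
              Name="Microsoft_Strong_Name">
    <IMembershipCondition class="StrongNameMembershipCondition" version="1"
                          PublicKeyBlob="PLACEHOLDER_BLOB_A"/>
   </CodeGroup>
   <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust"
              Name="ValidatePathModule_Strong_Name">
    <IMembershipCondition class="StrongNameMembershipCondition" version="1"
                          PublicKeyBlob="PLACEHOLDER_BLOB_B"/>
   </CodeGroup>
   <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="Execution"
              Name="Example_Execution_Only">
    <IMembershipCondition class="StrongNameMembershipCondition" version="1"
                          PublicKeyBlob="PLACEHOLDER_BLOB_C"/>
   </CodeGroup>
  </CodeGroup>
 </PolicyLevel>
</policy></security></mscorlib></configuration>
"""

def full_trust_strong_names(policy_xml):
    """Return {code group name: PublicKeyBlob} for every FullTrust grant
    whose membership condition is a strong name."""
    grants = {}
    for group in ET.fromstring(policy_xml).iter("CodeGroup"):
        if group.get("PermissionSetName") != "FullTrust":
            continue
        cond = group.find("IMembershipCondition")  # direct child only
        if cond is not None and cond.get("class") == "StrongNameMembershipCondition":
            grants[group.get("Name", "(unnamed)")] = cond.get("PublicKeyBlob")
    return grants

def missing_grant(policy_xmls, expected_blob):
    """Return indexes of policy documents lacking a FullTrust grant for the blob."""
    return [i for i, xml in enumerate(policy_xmls)
            if expected_blob not in full_trust_strong_names(xml).values()]

if __name__ == "__main__":
    print(full_trust_strong_names(SAMPLE_POLICY))
```

Feed it the contents of rssrvpolicy.config and rsmgrpolicy.config together with the blob you dumped; any index returned by missing_grant is a file where the entry is absent or not FullTrust.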
Some of these questions keep me thinking during moments of idle processing….
Q: What happens when we use partial page caching and VaryByControl in ASP.NET?
A: I don’t know.
The documentation says “set the VaryByControls parameter to the ID property value of the ASP.NET server control in the user control that you want to vary the user control output by”. OK … but what exactly does the runtime do with the server control you point to? Does it examine a specific property on the control? Does it examine every property on the control? What does it examine, exactly, to determine if this version is different than the cached version?
Q: Why, when I need just 10 minutes of complete silence to finish an idea, do I never get 10 minutes of silence?
A: I don’t know.
At 2 AM in the morning (typically a quiet time), I am finally on the verge of a mental breakthrough and suddenly the sound of squealing tires outside breaks the silence. The sound wouldn’t be all that distracting except the squeal turns into the noise of a drunken teenager careening his car through the well manicured shrubbery of my neighbor's front lawn. The next noise is the crunchy thump of car meeting ditch. Then come the fire engine sirens, the state police sirens, and the ambulance sirens. Everyone walks away from the accident without physical injury, but I’ve lost my train of thought.
Q: Why do my Outlook 2003 menus no longer drop down when I hit a shortcut key?
A: I don’t know.
I used to hit Alt+E and the Edit menu would drop down. Then I could hit C, for example, and the Copy command would execute. Now I hit Alt+E and the Edit menu just highlights. Hitting an accelerator key like C then doesn’t do anything at all. Aggravating!
Q: What does it take to get some link love from Rory Blyth?
A: I don’t know.
However, Rory is having a contest, and you can win a nice prize.
Q: Why does Virtual PC give misleading numbers in the task manager?
A: I don’t know.
With the VPC beta you could launch VPC and look in task manager and see a reasonable approximation of how much RAM the virtual machines were using. Since the release I look at Virtual PC while I am running a machine with 512MB of RAM and VirtualPC.exe is only using 17MB of RAM. Weird.
Q: What is the deal with my PocketPC and Secure Digital Memory Cards?
A: I have no idea.
Sometimes the contents of my SD cards simply disappear - all the files are gone. Sometimes the cards fill up with directories named ‘.’. I’ve tried two different cards in two different Pocket PCs – it happens on every combination. I use the cards to carry MP3 files around – nothing important – and I used to play the MP3s with Windows Media player. I thought it might be WMP wiping out the storage cards – so I tried Pocket Music, but the same thing happens. I’ve tried utilities to reformat the cards. I’ve tried utilities to scan for defects – none. I don’t know anyone else with this problem, so I’m beginning to wonder –
Q: Do I attract more cosmic rays than the average human?
A: I don't know.
[Currently listening to: NOTHING! And it's nice and quiet that way (0:10)]
Q: Where does the WYSIWYG editor come from?
A: The WYSIWYG editor is an HTML component (HTC). In the CSK, you can find a file named HtmlTextBox.htc that implements the HTML editor component. The HTC file uses a mixture of HTML, JavaScript, styles, and object tags to implement the editor.
It looks as if Paul Abraham has broken out the HtmlTextBox.htc file from the CSK and repackaged the component into a standalone assembly. I haven’t tried this but it looks interesting. Another editor I've seen in applications is the control from FreeTextBox.com. There is also an assortment of editors and other controls in the ASP.NET content management control gallery.
Q: Can we port the CSK to Oracle?
A: Backend portability was not in the design goals for the CSK. It is possible, but requires some work. First, there is a total of about 200 stored procedures and user defined functions (UDFs) in the SQL Server database you’ll need to port over to Oracle. Each class representing a content type in the domain model architecture of the CSK will also need to be modified – as they are using the SQL Server specific SQL provider classes of ADO.NET. The good news is, once you get all that done – it’s all downhill!
Q: Why do the ASCX files have no code-behind?
A: Unfortunately, I tried to cover too much in this presentation and didn’t get to address this issue properly. Usually when we build ASCX files, we drop controls in the ASCX and in the code behind the ASCX we tell the controls what to display. The CSK works a little differently. We still put controls into the ASCX but the controls themselves are highly customized and already know what they need to display.
The ASCX files then strictly serve as skins. They are simply there to layout where the controls will appear. There is no logic associated with the ASCX file – no code. Each control is customized to do a specific duty. For example, when you plop a community:Author control on the page, the Author control knows it has to display the author’s name for a piece of content. All of the logic is inside this web control - the skin file determines where the control will display.
Q: Are there any sites supporting fixes and customizations of the CSK?
A: Three I know of, there could be more…
Stephen Redd’s Site (full of CSK Articles, Mods, and Fixes)
Dave Rank’s Personal Web Site
Matthew Roche’s CSK Resources
Q: What is the ASP.NET vulnerability you were rambling about?
A: This is not related to the CSK – it’s a bug in the ASP.NET runtime and is very serious. You need to view the following Microsoft documents and implement the suggested fix as soon as possible until a patch can be provided.
What You Should Know About a Reported Vulnerability in Microsoft ASP.NET
Programmatically check for canonicalization issues with ASP.NET
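
    // Requires: using System.IO; using System.Net;
    // someUrl is the address of the resource to fetch.
    WebRequest request = WebRequest.Create(someUrl);
    using(WebResponse response = request.GetResponse())
    {
        using(StreamReader reader = new StreamReader(response.GetResponseStream()))
        {
            // StreamReader decodes the response body as text.
            string result = reader.ReadToEnd();
        }
    }
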
Unfortunately, StreamReader is only good for reading text. When it comes to binary data the result has a good chance of being incomplete. The approach for binary data is to stick to the basic Stream type and read raw bytes.

    // Requires: using System.IO; using System.Net;
    byte[] result;
    byte[] buffer = new byte[4096];
    WebRequest wr = WebRequest.Create(someUrl);
    using(WebResponse response = wr.GetResponse())
    {
        using(Stream responseStream = response.GetResponseStream())
        {
            using(MemoryStream memoryStream = new MemoryStream())
            {
                // Copy raw bytes until Read returns 0 (end of stream).
                int count = 0;
                do
                {
                    count = responseStream.Read(buffer, 0, buffer.Length);
                    memoryStream.Write(buffer, 0, count);
                } while(count != 0);
                result = memoryStream.ToArray();
            }
        }
    }

P.S. IDisposable lurks everywhere! It’s a shame some classes use an explicit interface implementation and hide the Dispose method from Intellisense.
P.P.S. Commercials are the best things going on Monday Night Football these days. Except the commercials for other ABC shows. I don't know why I turn on television.
I got word this week from Tony Elias, development editor for MSDN Magazine, that I'll be in the January issue with my article “Living The Static Life”. The article will cover all the deep, dark secrets you ever wanted to know about shared and static members of a class. Visual Basic.NET and C# code included!