Bug Vanquisher

21 September 2007

Crimes in ASP.Net Web Forms

Filed under: Bugz, Dev inside! — Tanveer Badar @ 2:59 PM
  • new EventArgs( ), instead of EventArgs.Empty.
  • code.ToString( ), even when typeof( code ).Name is "String".
  • status.ToUpper( ) == "COMPLETED", instead of string.Compare( status , "completed" , true ) == 0
  • System.DateTime.Now.GetType( ) instead of typeof( System.DateTime ) and many similar variations like ( new String( ) ).GetType( ), System.Int32.MaxValue.GetType( ) etc.
  • btnClose_Click( null , null ) instead of btnClose_Click( this , EventArgs.Empty ).
  • Session [ "Name" ] != "" , when the correct code is Session [ "Name" ] != null && !string.IsNullOrEmpty( ( string )Session [ "Name" ] )
  • [Serializable()], when [Serializable] will do
  • _NAME = null; even when _NAME is a class member and not a value type.

And they call me perfectionist!

18 September 2007

Which came first, the phoenix or the flame?

Filed under: Dev inside! — Tanveer Badar @ 10:50 AM

One thing I was thinking last week was do we test our applications against configuration mishaps, as I frequently do during my wanderings in QAland?

I mean, do we verify that the configuration we are reading from app.config/web.config are indeed sane enough to work for us? What if a critical part gets missing from the configuration file, shall the application crash? What if someone intentionally rewrites some or all of them, they are one source of input the application, aren’t they?

Just consider the sorts of attacks which can happen with this data store.

Quoting an example from the code I wrote last week,

AppSettingsReader ConfigReader = new AppSettingsReader();
int a = 0 , b = 0;
try {
a = Math.Abs( int.Parse( ConfigReader.GetValue( “num1” , typeof( int ) ).ToString( ) ) ); }
catch { a = 3; }
try {
b = Math.Abs( int.Parse( ConfigReader.GetValue( “num2” , typeof( int ) ).ToString( ) ) ); }
catch { a = 10; }
mintimeout = Math.Min( a , b );
maxtimeout = Math.Max ( a , b );
System.Thread.Sleep( ( new Random( ) ).Next( mintimeout * 1000 , maxtimeout * 1000 ) );

Notice how I handle the missing key problem from <appsettings> section. Also, consider the sanity check that mintimeout must really be <= maxtimeout because Random.Next throws an exception otherwise. Both values are in second. I, however, do not limit the sleep interval, so anyone could easily come along and set <add key=”num1″ value=”86400″/> and <add key=”num2″ value=”86400″/> to unleash disaster.

Having confessed these concerns to some of the very knowledgeable friends, I got one reply immediately. “Set permissions on web.config so that only a valid user can ‘modify’ it and IIS (and rest of the world maybe) can ‘read’ it. And… use properties!”

Yes, that is the best solution. In.. the ideal world!

But my question was more like this: my example demonstrates that code has a default configuration embedded which cannot be moved out to external store because of the problem already faced with original source. Isn’t it a chicken and egg problem?

And, not even many developers are aware of securing their application, let alone the users. Everyone at my company (and 95% employees are developers, well educated too) logs in using administrative accounts, only I take the trouble of ‘run as’ 100 times a day for LOB applications we use. So how can we expect anyone to recognize the symptoms in the first place, let alone cure the disease?

11 September 2007

Weird, Weirdo or Weirder?

Filed under: Bugz, Debugging — Tanveer Badar @ 3:58 PM

It is up to you to classify the two abnormalities of ASP.Net that ships with netfx 2.

The first one had to do with web services only. I read it on Clemens Vasters blog accidentally. You can read the details there. I am not going to repeat them in this post.

It is the second one which is most cruel. Specifically, MaintainScrollPositionOnPostBack=”true” does not work with AJAX. It seems ScriptManager thinks of it belonging to her mother-in-law. It whines pretty badly.

Even when you are not using AJAX, you are not entirely out of the woods. It can bite you if the page does not have any HtmlForm after PageBuilder is finished with it. I mean, why even check the property to be true of false if there is no form to set that property in the first place.

In a recent application I was working on, we had pages with no form element in them. I set MaintainScrollPositionOnPostBack=”true” in <pages/> section of root web.config and mysteriously those pages could not be rendered.

Now that ASP.Net has an additional ListView control for client side interaction, you will not be able to set MaintainScrollPositionOnPostBack=”true” in any page that uses it because it is built on AJAX.

A similar minor problem happens when you set <deployment retail=”true”/> in machine.config. ASP.Net stops generating details when exceptions are thrown by web applications. Try all you might with <customErrors mode=”off”/>, nothing will work. retail=”true” is the overriding factor here.

All Things ‘Live’

Filed under: Bugz — Tanveer Badar @ 3:21 PM

Yes, everything that could be alive has been moved to Live, or, additionally to Live. The live in Live. From Live.

Meaning, I am using Windows Live Hotmail, Windows Live Messenger, Windows Live Writer, Windows Live OneCare Beta 2, Windows Live Photo Gallery, Windows Live Family Safety etc.

You need to be a US citizen to use some of these, which obviously I am not. Then, how can I say I am using those services? That’s due to services rendered by a website, which enabled me to download the installer. You must agree that this is a bug, because installer should also check the geographical location of its path to Windows Live servers.

7 September 2007

SilverLight Woes!

Filed under: Orcas — Tanveer Badar @ 10:45 AM

You got all excited with the SilverLight 1.0 RTM two days ago. Developing new, unseen cool RIAs. Converting already working applications and web sites to SilverLight. The usual state of affairs.

But stop and think for a moment. Have you tested your SilverLight dependent web site from Windows 2000? SilverLight requirements page says only v1.1 will be supported in future, whose RTM is about 1 year away. SilverLight 1.1 is forward compatible with v1.0, but hey, why should ‘I’ wait for v1.1 to be supported on Windows 2000.

Moreover, even if you try to install either version on Windows 2000, SxS fails and whines that it cannot find gdiplus.dll anywhere in the directories listed in %path%. When you manually copy gdiplus.dll safely to some accessible directory, you get the splash screen saying system configuration not supported.

6 September 2007

Get Your Light Here!

Filed under: Orcas — Tanveer Badar @ 9:49 AM

Get your silverlight here. SilverLight 1.0 RTMed sometime yesterday.

Blog at WordPress.com.