First shot at fixing dasBlog medium trust issues

So far I have managed to get my dasBlog up and running. But in doing so I have disabled and broken several features:

  • No HttpCompression
  • No date picker while editing
  • No Pingback/trackback support

It seems that I have also broken my FreeTextBox editing control. I believe that this may be an unrelated issue to the medium trust fixes and won't get into that in this post.

How could I get the broken features back up again? The strong naming issues that affect SharpZipLib and BasicDatePicker are easy to fix, since there is a new free version of BasicDatePicker available, BasicDatePicker Lite. The new version is not strong named and may require you to recompile dasBlog. SharpZipLib is open source, so you can download it and add:

using System.Security;
[assembly:AllowPartiallyTrustedCallers]

to assemblyinfo.cs, then just recompile and these functions should be up and running again; you may have to install SharpDevelop to compile the code for SharpZipLib. Any changes that were made to web.config or aspx pages to disable the functions need to be reverted and recompiled. Your web.config will need to be updated with a new version for SharpZipLib:

<dependentAssembly>
  <assemblyIdentity name="ICSharpCode.SharpZipLib" publicKeyToken="1b03e6acf1164f73" culture="neutral"/>
  <bindingRedirect oldVersion="0.5.0.0-0.84.0.0" newVersion="0.85.0.0"/>
</dependentAssembly>

After doing this I received an “Invalid use of response filter” exception (more info at dasBlog.us) which turns out to be because my host already implements httpCompression, but disabling the blowery handler sorted it out.

TrackBack support

The main problems that remain are getting TrackBack and PingBack support. I will start by looking at getting TrackBacks working. The problem with TrackBacks is that they require dasBlog to call a web page on another site, and network access to other servers is not allowed by default under medium trust, so this just won’t work. I checked the TrackBack protocol to see if I could find any workarounds that could be applied. Reading the spec I realised that TrackBacks do not require the call to originate from the server that hosts the blog; if we could implement this as a client call then we could theoretically allow TrackBacks under medium trust.

I started by implementing a very simple html page to post a trackback call to localhost.

<html>
  <body>
    <form method="post" action="http://localhost/Trackback.aspx?guid=3d9f45e4..." enctype="application/x-www-form-urlencoded;charset=utf-8">
      <input type="hidden" name="title" value="SuperTrackback 1"/>
      <input type="hidden" name="excerpt" value="This is a client trackback call."/>
      <input type="hidden" name="url" value="http://localhost/Trackback.aspx?guid=dc205699..."/>
      <input type="hidden" name="blog_name" value="TestBlogger"/>
      <input type="submit" name="doit" value="1"/>
    </form>
  </body>
</html>

I have hardcoded the trackback urls just for testing. Of course it was not as easy as just posting the call, since dasBlog includes spammer protection by checking the url in the trackback call. We have to disable spammer protection by checking if we can call the url at runtime in TrackBackHandler.cs (added lines are highlighted).

Entry entry = dataService.GetEntry( entryId );
if ( entry != null )
  {
  // Run the spammer check below only if this trust level grants an outbound connection to url
  System.Net.WebPermission urlPermission = new WebPermission(System.Net.NetworkAccess.Connect,url);
  if(System.Security.SecurityManager.IsGranted(urlPermission))
    {
    try
      {
      string requestBody = null;
      // see if this is a spammer
      HttpWebRequest webRequest = WebRequest.Create(url) as HttpWebRequest;
      webRequest.Method="GET";
      webRequest.UserAgent = Utils.GetUserAgent();
      ...
      ...
      }
    catch
      {
      // trackback url is not even alive
      logService.AddEvent(new EventDataItem(EventCodes.TrackbackBlocked, context.Request.UserHostAddress + " because the server did not return a valid response", Utils.GetPermaLinkUrl(entryId), url, entry.Title));
      context.Response.StatusCode = 404;
      context.Response.End();
      return;
      }
    }
    // if we've gotten this far, the trackback is real and valid
    Tracking t = new Tracking();
    t.PermaLink = url;
    t.RefererBlogName = blog_name;
    t.RefererExcerpt = excerpt;

This allows an anonymous caller to add a TrackBack to our blog but it also enables incoming TrackBacks under medium trust. This is only half of the solution for TrackBacks; we have opened up dasBlog for incoming calls to our TrackBackHandler but we still have to make calls to remote trackback urls. The next step would be to initiate a client-side trackback call to a remote server from inside dasBlog; this can be done in an AJAX (or is it Ajaxian) manner using XMLHttpRequest in JavaScript: http://developer.mozilla.org/en/docs/AJAX:Getting_Started. I will cover this and tackling the spammer threat in future posts, since I haven’t implemented a solution yet.
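The wire format such a client-side call would use, as an added example that is not part of the original post or of dasBlog: it builds the ping body from the same four fields as the test form above and reads the XML reply defined by the TrackBack spec. The function names and sample values are assumptions; a browser's same-origin policy also stops a script from reading a reply from another site unless that site permits it.

```javascript
// Added example: TrackBack ping body and reply parsing (names are hypothetical).
const PING_CONTENT_TYPE = "application/x-www-form-urlencoded; charset=utf-8";

// Build the POST body for a ping. `url` is the permalink of the linking entry
// and is the only required field; the other three are optional.
function buildTrackbackPing({ url, title, excerpt, blog_name }) {
  const parsed = new URL(url); // throws on a malformed permalink
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    throw new Error("permalink must be http(s): " + url);
  }
  const body = new URLSearchParams();
  body.set("url", parsed.href);
  for (const [key, value] of Object.entries({ title, excerpt, blog_name })) {
    if (value !== undefined && value !== "") body.set(key, value);
  }
  return { contentType: PING_CONTENT_TYPE, body: body.toString() };
}

// Decode the five predefined XML entities; &amp; goes last to avoid double decoding.
function decodeXmlText(s) {
  return s.replace(/&lt;/g, "<").replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"').replace(/&apos;/g, "'")
    .replace(/&amp;/g, "&");
}

// A reply carries <error>0</error> on success, or a non-zero error plus <message>.
// Anything without an <error> element (an HTML error page, say) counts as failure.
function parseTrackbackResponse(xml) {
  const err = /<error>\s*(\d+)\s*<\/error>/.exec(xml);
  if (!err) return { ok: false, message: "not a TrackBack response" };
  const msg = /<message>([\s\S]*?)<\/message>/.exec(xml);
  return { ok: err[1] === "0", message: msg ? decodeXmlText(msg[1].trim()) : "" };
}

// Constructed sample values, not taken from a real blog.
const ping = buildTrackbackPing({
  url: "http://blog.example/PermaLink.aspx?guid=1234",
  title: "SuperTrackback 1",
  excerpt: "This is a client trackback call.",
  blog_name: "TestBlogger",
});
console.log(ping.contentType);
console.log(ping.body);
console.log(parseTrackbackResponse(
  '<?xml version="1.0" encoding="utf-8"?><response><error>0</error></response>'));
```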

4 Responses to “First shot at fixing dasBlog medium trust issues”


  1. Aaron says:

    FreeTextbox has an update that allows me to run it under medium trust. Are you running asp.net 1.1 or 2.0?
    I have found the exception handling also does not work when running under asp.net 2.0 in medium trust.

  2. Joshua says:

    I’m running .net 1.1, I know that the medium trust settings for .net 2.0 have been changed so some of the issues that I have been working on may not be relevant for 2.0. In addition some hosts such as GoDaddy have added additional permissions for medium trust such as WebPermission for outbound http and https requests http://help.godaddy.com/article.php?article_id=1039&topic_id=216
    Under the default .net 1.1 and .net 2.0 medium trust levels outbound web requests are not allowed.
