.Net 4 Security Exceptions

May 4, 2010 at 5:26 PM

I upgraded to VS 2010 when it was released, and just got around to upgrading my main website to .Net 4. But the blog engine running under the main site now fails with security exceptions.


This one's down to me! Please accept my apologies for this - I'll see to it that the developer responsible for this happening is given 20 lashes (but only after he or she has fixed this problem).

Url : http://localhost:13769/blog/post.aspx?id=b0e88e4b-8549-4ac7-b00d-e84dc8ba1331

Raw Url : /blog/post.aspx?id=b0e88e4b-8549-4ac7-b00d-e84dc8ba1331

Message : Exception of type 'System.Web.HttpUnhandledException' was thrown.

Source : System.Web

StackTrace : at System.Web.UI.Page.HandleError(Exception e)

at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

at System.Web.UI.Page.ProcessRequest()

at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)

at System.Web.UI.Page.ProcessRequest(HttpContext context)

at ASP.post_aspx.ProcessRequest(HttpContext context) in c:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\blog\a38b0af3\f6b053f3\App_Web_ed0f0zsp.12.cs:line 0

at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()

at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

TargetSite : Boolean HandleError(System.Exception)

Message : Attempt by security transparent method 'Controls.RelatedPosts..ctor()' to access security critical method 'Resources.labels.get_relatedPosts()' failed. Assembly 'App_Code.wuwqmmjh, Version=1.1.0.0, Culture=neutral, PublicKeyToken=null' is marked with the AllowPartiallyTrustedCallersAttribute, and uses the level 2 security transparency model. Level 2 transparency causes all methods in AllowPartiallyTrustedCallers assemblies to become security transparent by default, which may be the cause of this exception


It looks like .Net 4 doesn't like the way that the labels and resources are loaded for some reason. I already tried to set the security level back to the "legacy" security for 2.0, but that didn't solve the problem.

Anytime you go to pull a resource like this:

    private string _Headline = Resources.labels.relatedPosts;

It will blow up with that exception.

I have already rebuilt the main core library under .Net 4. It required changes for the security in .Net 4:

Added to assembly info:

    [assembly: SecurityRules(SecurityRuleSet.Level1)]

Anyone else have any ideas? Or is it only going to support .Net 2?
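As an added illustration (not code from this thread or from BlogEngine.NET), a minimal C# assembly that reproduces the transparency violation named in the exception and shows the annotation that fixes it while keeping the Level 2 model; the `Labels` and `RelatedPosts*` names are stand-ins for the thread's `Resources.labels` and `Controls.RelatedPosts`, and the assembly attributes are assumed to match what the message reports for the App_Code assembly.

```csharp
using System;
using System.Security;

// Assumed illustrative assembly-level attributes: the thread's App_Code assembly
// carries AllowPartiallyTrustedCallers, and .NET 4 applies Level2 by default
// (the thread's workaround sets SecurityRuleSet.Level1 instead, restoring .NET 2 rules).
[assembly: AllowPartiallyTrustedCallers]
[assembly: SecurityRules(SecurityRuleSet.Level2)]

// Hypothetical stand-in for the generated Resources.labels class.
internal static class Labels
{
    // A [SecurityCritical] member may only be called by critical or safe-critical code.
    [SecurityCritical]
    public static string RelatedPosts { get { return "Related posts"; } }
}

// APTCA + Level2 makes this class transparent by default, so the field
// initializer (which runs inside the constructor) reproduces the reported
// "Attempt by security transparent method ... failed" MethodAccessException.
public class RelatedPostsBroken
{
    private string _headline = Labels.RelatedPosts;
}

// Keeps Level2 but marks the constructor SafeCritical: it may call critical
// code, and transparent page code may still instantiate the control.
public class RelatedPostsFixed
{
    private readonly string _headline;

    [SecuritySafeCritical]
    public RelatedPostsFixed()
    {
        _headline = Labels.RelatedPosts;
    }

    public string Headline { get { return _headline; } }
}

public static class Demo
{
    public static void Main()
    {
        Console.WriteLine(new RelatedPostsFixed().Headline);
        try { new RelatedPostsBroken(); }
        catch (MethodAccessException ex) { Console.WriteLine("Rejected: " + ex.Message); }
    }
}
```

The safe-critical constructor is the narrow fix; the thread's `SecurityRuleSet.Level1` attribute and the `legacyCasModel` trust setting instead switch the whole assembly or site back to the .NET 2 rules.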


May 4, 2010 at 9:31 PM

I got this to work, but I am not happy about the change.

In your web.config under the system.web section:

    <trust legacyCasModel="True" level="Full" />

But then I still had to remove all the security attributes from the blogengine dll itself in order to get it to work. But apparently this basically tells the website that it is running full trust and to allow everything for calling assemblies as well. That doesn't seem like a good idea to me, but it got my blog back up and running under .Net 4 for now.


Jun 22, 2010 at 3:59 PM

I don't know BlogEngine.NET, but, from the exception message you have reported, maybe I can help you. Try to remove the AllowPartiallyTrustedCallersAttribute from the App_Code.wuwqmmjh assembly. This should resolve the problem. If it remains, or you cannot remove it, you should use the secannotate.exe tool to discover which attribute you should set.

Try to read this article about Code Access Security in .NET Framework 4.0 and Level 2 Security Transparency.

Jun 22, 2010 at 7:23 PM
Edited Jun 22, 2010 at 7:37 PM

The following links might be helpful:

http://stackoverflow.com/questions/81991/a-potentially-dangerous-request-form-value-was-detected-from-the-client

http://www.asp.net/learn/whitepapers/aspnet4/breaking-changes

At least they were for me...

Roland

Jun 22, 2010 at 8:14 PM
Edited Jun 22, 2010 at 9:08 PM

I downloaded the 1.6 source and let Visual Studio 2010 convert it to .NET 4. I'm currently testing with the latest 1.6.1.x build but expect the same result. I was able to upgrade it to .NET 4 without any problems. The only issue I ran into was with the validateRequest="true" attribute of any pages that used the tinyMCE editor. This was one of the breaking changes in .NET 4. Evidently that attribute gets ignored both on the pages and in the Web.Config file (although you should never enable it globally anyway).

I know this is different from the problem above, however it's related. If you rebuild the source with .NET 4 as the target framework you'll only need to update the <httpRuntime> node in your Web.Config file to specify that you want to use the .NET 2 version of Request Validation by adding the following:

    requestValidationMode="2.0"


UPDATE: The latest build that includes reCaptcha updated to .NET 4 successfully. I had to:

1. Change the target framework to .NET 4.0 for both the Core and Site projects.

2. Re-add the reference for the BlogML.dll

3. Update the <httpRuntime> node in Web.config to include: requestValidationMode="2.0"

4. In the Core project, add a reference to: System.Web.ApplicationServices

#4 above is required because the MembershipProvider and RoleProvider base have been moved to the new assembly. I've been testing posts, comments, reCaptcha, and so far everything appears to be working perfectly.

Aug 25, 2010 at 2:42 PM

This worked well; however, where would the source code for BlogEngine.Core 1.6.1 be? (Are you using the dll for blogengine.core 1.6.1 without the source code?)

Aug 25, 2010 at 2:49 PM

I actually downloaded when it was the latest changeset from the Source Control. Latest now is 1.6.2.3. It's not a release version but works fine on my blog:

http://www.dustinhorne.com

If you want to play around with the change sets you can download them here:

http://blogengine.codeplex.com/SourceControl/list/changesets

I just loaded and upgraded the source.


Aug 25, 2010 at 2:53 PM

Will you please explain something?

If I wanted to, say, get the latest of blogengine.core (be it 1.6.1 or 1.6.2.3), how would I do this? (Does the changeset include all changes from 1.6.0?)

thx

Aug 25, 2010 at 2:56 PM

Yes, if you want to use 1.6.2.3 it will include everything up to that version. However, it is a development version, meaning it could have bugs and unintended consequences. I would recommend using the latest release build if you're using it for production unless you feel comfortable with tweaking it yourself. The latest 1.6.2.3 is here:

http://blogengine.codeplex.com/SourceControl/changeset/changes/0e304e8a7a96

That will be the source code so you'll have to build it.

Aug 25, 2010 at 3:06 PM

I appreciate the help.

Still confused here... I am missing something. The changeset above, http://blogengine.codeplex.com/SourceControl/changeset/changes/0e304e8a7a96 (download link), has all files for 1.6.2.3, right? However, it doesn't have any files for blogengine.core.

I would have expected the download to have both directories, for blogengine.core and blogengine.net. On CodePlex I saw the source for both projects for 1.6.0, but for 1.6.1 only the source for the web site. I figured I then needed the respective source for the .core project but am not able to find it. Ideas?

thx

Aug 25, 2010 at 3:16 PM

Good question... I'm not really sure what I did there, but I think I just used the BlogEngine.Core source from the 1.6 release:

http://blogengine.codeplex.com/releases/view/39387#DownloadId=102843

And I used the updated BlogEngine version of the website and BlogML.dll (which are in the 1.6.2.3 download).