MVC3 Released

Today Microsoft announced the (actual, final, honest) releases of:

  • ASP.NET MVC3 with Razor
    • Lots of new features, the new Razor syntax, more extensibility hooks, new JavaScript features, better validation, easier caching, better dynamic support, and lots more, check it out Hot smile

Open Redirection Attack prevention

If you've had a look at the MVC3 preview generated code you will notice the  Url.IsLocalUrl method getting called from the LogOn action.

[code:c#]

[HttpPost]
public ActionResult LogOn(LogOnModel model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        if (MembershipService.ValidateUser(model.UserName, model.Password))
        {
            FormsService.SignIn(model.UserName, model.RememberMe);
            if (Url.IsLocalUrl(returnUrl))
            {
                return Redirect(returnUrl);
            }
            else
            {
                return RedirectToAction("Index", "Home");
            }
        }
        else
        {
            ModelState.AddModelError("",
            "The user name or password provided is incorrect.");
        }
    }
 
    // If we got this far, something failed, redisplay form
    return View(model);
}

[/code]

This prevents philishing attacks by ensuring that after a successful log on the user only gets directed to the local site and not another site.

Take for example I send you a email with a link to /Account/LogOn?returnUrl=http://brainkeating.net/Account/LogOn
After you successfully enter your log on detail @ briankeating.net you would get redirected to www.brAInkeating.net if you are not quick enough to notice you could now be presented with an identical logon page at this different url, oh darn i typed my password wrong...., BrAIn Keating is a nasty piece of work, he will log your login details to his database and then use it to access briankeating.net with our credentials, not after you login @ brAInkeating.net you will get redirected back here to briankeating.net (where you've already authenticated and be none the wiser).

So what if you are still on MVC2 (most of my web apps these days are...) what can you do to avoid this attack...

That;s an easy one to answer, I've been a lazy bugger and lifted this code from www.asp.net

[code:c#]

public bool IsLocalUrl(string url) {
    return System.Web.WebPages.RequestExtensions.IsUrlLocalToHost(
        RequestContext.HttpContext.Request, url);
}

[/code]

The IsUrlLocalToHost method contains the actual validation logic below

[code:c#]

public static bool IsUrlLocalToHost(this HttpRequestBase request, string url) {
    if (url.IsEmpty()) {
        return false;
    }
 
    Uri absoluteUri;
    if (Uri.TryCreate(url, UriKind.Absolute, out absoluteUri)) {
        return String.Equals(request.Url.Host, absoluteUri.Host,
            StringComparison.OrdinalIgnoreCase);
    }
    else {
        bool isLocal = !url.StartsWith("http:", StringComparison.OrdinalIgnoreCase)
            && !url.StartsWith("https:", StringComparison.OrdinalIgnoreCase)
            && Uri.IsWellFormedUriString(url, UriKind.Relative);
        return isLocal;
    }
}

[/code]

 

Oracle Database Restore

How to create an oracle user/schema and resore an existing database to this new schema.

 

drop tablespace xxx_demo_data including contents and datafiles;


CREATE TABLESPACE xxx_demo_data
       DATAFILE 'd:\oradata\abci\xxx_demo.DBF '
       SIZE 10M
       AUTOEXTEND ON NEXT 10M
       MAXSIZE UNLIMITED;

drop user xxx_demo cascade;
 
   CREATE USER xxx_demo
       IDENTIFIED BY xxx_demo
       DEFAULT TABLESPACE xxx_demo_data
       TEMPORARY TABLESPACE temp;


GRANT CREATE SESSION TO xxx_demo;  

GRANT CREATE TABLE TO xxx_demo;
GRANT CREATE VIEW TO xxx_demo;
GRANT CREATE SEQUENCE TO xxx_demo;
GRANT CREATE TRIGGER TO xxx_demo;
GRANT RESOURCE TO xxx_demo;

ALTER USER xxx_demo QUOTA unlimited ON xxx_demo_data;

// change the passworkd.
//drop to command line

impdp xxx_demo/{passwd} DIRECTORY=expdp_dir DUMPFILE=20101220-DEMO.DMP REMAP_SCHEMA=xxx:xxx_demo  REMAP_tablespace=xxx:xxx_demo

Asyncronous WF4 activities

Anyone that's ever written UX/GUI code will know that while it once was acceptable (unavoidable) to block the UX thread with long running operations, it's now almost always done in a background thread/task etc.

Well with WF4 it's pretty much the same story, it's not the best idea to block the workflow thread while preforming longing running operations.

Take the following example, where I make a webservice call to a server for some information, webservices can take quite some time depending on network load latency etc.

public sealed class GetCurveTenor : AsyncCodeActivity

    {

        public InArgument<string> CurveUri { get; set; }

        public OutArgument<Dictionary<DateTime, double>> CurveDetail { get; set; }

 

        protected override IAsyncResult BeginExecute(

            AsyncCodeActivityContext context, AsyncCallback callback,

            object state)

        {

            Func<string, Dictionary<DateTime, double>> asyncWork =

                curveUri => RetrieveCurveDetail(curveUri);

            context.UserState = asyncWork;

            return asyncWork.BeginInvoke(

                CurveUri.Get(context), callback, state);

        }

        protected override void EndExecute(

            AsyncCodeActivityContext context, IAsyncResult result)

        {

            Dictionary<DateTime, double> curveDetail =

                ((Func<Int32, Dictionary<DateTime, double>>)

                    context.UserState).EndInvoke(result);

            if (curveDetail != null)

            {

                CurveDetail.Set(context, curveDetail);

            }

        }

 

        private Dictionary<DateTime, double> RetrieveCurveDetail(string curveUri)

        {

            Dictionary<DateTime, double> result = new Dictionary<DateTime, double>();

            // Do server stuff ...

            return result;

        }

    }

Most of the code above should be self explanatory.
If you've not seen the "Func" syntax before it's basically just a delegate defined like this (in .NET 4)

public delegate TResult Func<in T, out TResult>(T arg);  (Note the .NET 4 in modifier to indicate contravariance)

I've used lambdas to point to delegate towards the RetrieveCurveDetails function, it's this function that gets executed on the background thread.

Hope this has been of some assistance.