Thursday, November 24, 2005

Suggestion: SecureWebString

Everybody knows that you should NEVER! NEVER EVER! NEVER EVER EVER, use the values coming off the Querystring or cookies collection without validating them. Yet we forget - It is so easy to do an assignment like this

string s = Request.QueryString["ItemID"];

Yes we forget. And now Microsoft has introduced the ObjectDataSource - which allows you to specify a querystring parameter or a cookie to automaticlly pass to the databinding routine. Where is that going to get validated if the databinding happens automaticlly

Introducing the (suggested) SecureWebString class:

My suggestion is that all web collections/Property bags get rewritten to return a SecureWebString. The secureWebString will encapsulate the actula string containing the parameter and will cry foul (A security exception) if you try to access the value without having validated it.

How do we validate?

The collection or page or global class will have a validateSecureString event that will fire whenver the string is first accessed - this event will receive a non secured version of the string to validate - if the string is valid or it can be corrected by the handler then the string is marked as validated so that it can be acessed by the page code.

This adds a noninvasive auto validation regimin to all the "dangerous" strings out there. So the new objectdatasource will be vey welcome going ahead and reading a querystring parameter - because validation will take place..

A certain level of backwards compatibiliy can be acheveid by overing the = operator to retrurn the string.


Comments: Post a Comment

<< Home

This page is powered by Blogger. Isn't yours?