Snitz Forums 2000
Snitz Forums 2000
Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 Snitz Forums 2000 DEV-Group
 DEV Bug Reports (Closed)
 BUG + FIX Insecure post.asp if App variables lost
 Forum Locked  Topic Locked
 Printer Friendly
Previous Page | Next Page
Author Previous Topic Topic Next Topic
Page: of 4

HuwR
Forum Admin

United Kingdom
20497 Posts

Posted - 23 July 2008 :  17:33:26  Show Profile  Visit HuwR's Homepage
sounds sensible, not sure why rui's test worked though.<
Go to Top of Page

ruirib
Snitz Forums Admin

Portugal
26362 Posts

Posted - 23 July 2008 :  17:45:09  Show Profile  Send ruirib a Yahoo! Message
Padraic,

I really don't see the need for that. If you are reading the configuration values from the DB, without errors, and assigning them to the app variables, you can assume that the configuration was loaded, no?
What would be needed for the app variables to be considered not loaded? The number of read variables? What if, for some reason, there is no STRVersion? We could go on and on with this, always finding some more stringent criteria to be assured of loaded app variables. Where do you stop?

Now, I agree that the test for STRVERSION at the end of config.asp is kinda inconsistent now, you could just as well test for CONFIGLOADED, since it's only filled if there are no errors loading app variables from the DB.


Huw, my test worked, because the config values were read successfully from the DB, there were no errors and then they were loaded into the app variables without errros too. If there was a single error, CONFIGLOADED wouldn't be set to true.


<


Snitz 3.4 Readme | Like the support? Support Snitz too
Go to Top of Page

ruirib
Snitz Forums Admin

Portugal
26362 Posts

Posted - 23 July 2008 :  17:58:52  Show Profile  Send ruirib a Yahoo! Message
So, to make it clear, my proposal to fix this, including, the initial fix is:

1. Replace lines# 213-230, config.asp

if blnLoadConfig then
		Application.Lock
		do while not rsConfig.EOF
			Application(strCookieURL & Trim(UCase(rsConfig("C_VARIABLE")))) = Trim(rsConfig("C_VALUE"))
			rsConfig.MoveNext
		loop
		Application.UnLock
		rsConfig.close
	end if

	my_Conn.Close
	set my_Conn = nothing

	on error goto 0
	Application.Lock
	Application(strCookieURL & "ConfigLoaded")= "YES"
	Application.UnLock
End If

by

        on error goto 0
	if blnLoadConfig then
		Application.Lock
		do while not rsConfig.EOF
			Application(strCookieURL & Trim(UCase(rsConfig("C_VARIABLE")))) = Trim(rsConfig("C_VALUE"))
			rsConfig.MoveNext
		Loop
		
		Application(strCookieURL & "ConfigLoaded")= "YES"

		Application.UnLock
		rsConfig.close
	end if

	my_Conn.Close
	set my_Conn = nothing
	
End If



2. After line 400, add this code:

if Application(strCookieURL & "ConfigLoaded") <> "YES" Or IsNull(Application(strCookieURL & "ConfigLoaded")) Then
	Response.Write("Server Error, The Application variables are not loaded")
	Response.End
end if


With this, the configuration is not considered to be loaded unless all config values are read from the DB and loaded into app values without errors and the way to test if app variables are loaded is consistent throughout the code.<


Snitz 3.4 Readme | Like the support? Support Snitz too
Go to Top of Page

HuwR
Forum Admin

United Kingdom
20497 Posts

Posted - 23 July 2008 :  18:00:54  Show Profile  Visit HuwR's Homepage
yes, but you are still assuming that the code in the if blnloaded section is succesful, but it may not be, so you are still setting Application(strCookieURL & "ConfigLoaded")= "YES" even if infact it may not have done<
Go to Top of Page

HuwR
Forum Admin

United Kingdom
20497 Posts

Posted - 23 July 2008 :  18:02:08  Show Profile  Visit HuwR's Homepage
what if the bit in red still fails

if blnLoadConfig then
		Application.Lock
		do while not rsConfig.EOF
			Application(strCookieURL & Trim(UCase(rsConfig("C_VARIABLE")))) = Trim(rsConfig("C_VALUE"))
			rsConfig.MoveNext
		Loop
		
		Application(strCookieURL & "ConfigLoaded")= "YES"

		Application.UnLock
		rsConfig.close
	end if
<
Go to Top of Page

ruirib
Snitz Forums Admin

Portugal
26362 Posts

Posted - 23 July 2008 :  18:03:44  Show Profile  Send ruirib a Yahoo! Message
quote:
Originally posted by HuwR

yes, but you are still assuming that the code in the if blnloaded section is succesful, but it may not be, so you are still setting Application(strCookieURL & "ConfigLoaded")= "YES" even if infact it may not have done


Wouldn't the page fail with an an error if the red part failed?
What is the criterium to consider app variables were loaded? A single one variable loaded? 10% percent of them? How can you be assured, if one was loaded successfully, that the others were, too?<


Snitz 3.4 Readme | Like the support? Support Snitz too
Go to Top of Page

ruirib
Snitz Forums Admin

Portugal
26362 Posts

Posted - 23 July 2008 :  18:07:04  Show Profile  Send ruirib a Yahoo! Message
Look, I really don't care how it's done, I'm not arm wrestling here, just trying to contribute to a solution that makes sense.<


Snitz 3.4 Readme | Like the support? Support Snitz too
Go to Top of Page

HuwR
Forum Admin

United Kingdom
20497 Posts

Posted - 24 July 2008 :  02:03:10  Show Profile  Visit HuwR's Homepage
quote:

Wouldn't the page fail with an an error if the red part failed?

no because of the on error resume next at the top of the section, it would just skip the loop and set configloaded to yes<
Go to Top of Page

ruirib
Snitz Forums Admin

Portugal
26362 Posts

Posted - 24 July 2008 :  03:51:46  Show Profile  Send ruirib a Yahoo! Message
Ok, added on error goto 0 just before loading the app variables.<


Snitz 3.4 Readme | Like the support? Support Snitz too
Go to Top of Page

Podge
Support Moderator

Ireland
3775 Posts

Posted - 24 July 2008 :  06:53:13  Show Profile  Send Podge an ICQ Message  Send Podge a Yahoo! Message
quote:
What would be needed for the app variables to be considered not loaded? The number of read variables? What if, for some reason, there is no STRVersion? We could go on and on with this, always finding some more stringent criteria to be assured of loaded app variables. Where do you stop?
Agreed. There are lots of things that could happen which could prevent the the app variables from fully loading. I think ideally we would check for critical app variables which by their absence directly cause private forums to be visible or posts to be posted without a username & password. I'll go through the code to see if I can identify anything in my own time.

I'm happy with the fix as it is but it never hurts to be sure.

Thanks Rui & HuwR for all the work.<

Podge.

The Hunger Site - Click to donate free food | My Blog | Snitz 3.4.05 AutoInstall (Beta!)

My Mods: CAPTCHA Mod | GateKeeper Mod
Tutorial: Enable subscriptions on your board

Warning: The post above or below may contain nuts.
Go to Top of Page

ruirib
Snitz Forums Admin

Portugal
26362 Posts

Posted - 24 July 2008 :  08:13:21  Show Profile  Send ruirib a Yahoo! Message
In an ideal world, an application should control the errors that may happen and keep them under control. Your idea about the critical app variables makes sense. It kinda troubles me that most ASP apps have negligible error handling. This is so common, that I'm going to refresh a bit on error handling in classic ASP and see if I can write something that actually does not generate server error messages but still finds if there were errors loading the apps or not.

It will run the risk of being the Snitz piece of code that handles errors more carefully, but there is no harm in that. I do believe the current code, as posted here, will stop the situation that originated this fix.<


Snitz 3.4 Readme | Like the support? Support Snitz too
Go to Top of Page

ruirib
Snitz Forums Admin

Portugal
26362 Posts

Posted - 24 July 2008 :  10:50:42  Show Profile  Send ruirib a Yahoo! Message
Ok, changing my previous proposal for one that handles the errors in a more elegant way, here it goes:

1. Replace lines# 213-230, config.asp

         if blnLoadConfig then
		Application.Lock
		do while not rsConfig.EOF
			Application(strCookieURL & Trim(UCase(rsConfig("C_VARIABLE")))) = Trim(rsConfig("C_VALUE"))
			rsConfig.MoveNext
		loop
		Application.UnLock
		rsConfig.close
	end if

	my_Conn.Close
	set my_Conn = nothing

	on error goto 0
	Application.Lock
	Application(strCookieURL & "ConfigLoaded")= "YES"
	Application.UnLock
End If

by

        Dim appVarsLoadError 

	appVarsLoadError = false

	if blnLoadConfig then
		Application.Lock
		do while not rsConfig.EOF
			Application(strCookieURL & Trim(UCase(rsConfig("C_VARIABLE")))) = Trim(rsConfig("C_VALUE"))
			
            ' Check for errors loading the variables...
			If Err.Number <> 0 Then appVarsLoadError = true
			
			rsConfig.MoveNext
				
           ' Check again for errors, this time moving to the next record...
			If Err.Number <> 0 Then appVarsLoadError = true


		Loop

		Application.UnLock
		rsConfig.close

		my_Conn.Close
	        set my_Conn = nothing
		
		If Not(AppVarsLoadError) Then
			Application.Lock
	                Application(strCookieURL & "ConfigLoaded")= "YES"
	                Application.UnLock
		Else
			Response.Write("Server Error, The Application variables are not loaded")
			Response.End
		End If

	end if
	
End If


This code removes the need to add the lines in the original post by HuwR to the end of config.asp. The response is ended immeditaly if, at the end of the variables loading code, it is verified that an error ocurred during the loading process.

I tested this code and it works (the previous did too). This just handles the errors that may occur during app variables loading without resorting to ASP default error handling.
<


Snitz 3.4 Readme | Like the support? Support Snitz too
Go to Top of Page

richfed
Average Member

United States
995 Posts

Posted - 25 July 2008 :  06:30:40  Show Profile  Visit richfed's Homepage
To be clear - for those of us not so code-savvy, the initial post by Huw DOES work, correct? And the post by ruirib just above this might be considered a more refined version? Either/or will do?

Thanks, guys, for the never-ending support!<
Go to Top of Page

ruirib
Snitz Forums Admin

Portugal
26362 Posts

Posted - 25 July 2008 :  09:15:16  Show Profile  Send ruirib a Yahoo! Message
The initial post by Huw, if the variables are not loaded, likely will require the admin's presence to run setup.asp, to recover from the situation. The code posted by me, above, will not only do the same as Huw's initial proposal, but will recover from the situation automatically, as soon as the web server and database are available again.

In summary, both protect you from the situation that led us to develop the fix, my proposal (in the post above yours) will also recover from the situation automatically.<


Snitz 3.4 Readme | Like the support? Support Snitz too
Go to Top of Page

Panhandler
Average Member

USA
783 Posts

Posted - 25 July 2008 :  09:32:57  Show Profile  Visit Panhandler's Homepage
quote:
Originally posted by ruirib

The initial post by Huw, if the variables are not loaded, likely will require the admin's presence to run setup.asp, to recover fro the situation. The code posted by me, above, will not only do the same as Huw's initial proposal, but will recover from the situation automatically, as soon as the web server and database are available again.

In summary, both protect you from the situation that led us to develop the fix, my proposal (in the post above yours) will also recover from the situation automatically.


That is precisely what happens. . .it took me a while to remember to run setup.asp again to restore the forum.
<
Go to Top of Page
Page: of 4 Previous Topic Topic Next Topic  
Previous Page | Next Page
 Forum Locked  Topic Locked
 Printer Friendly
Jump To:
Snitz Forums 2000 © 2000-2019 Snitz™ Communications Go To Top Of Page
This page was generated in 0.09 seconds. Powered By: Snitz Forums 2000 Version 3.4.07