Archive for July, 2008

MVC Controller Action Security Hole

// July 8th, 2008 // 7 Comments » // MVC

The latest of Stephen Walther's invaluable ASP.NET MVC Tip series points out an MVC scenario that was previously unknown to me: passing cookies and server variables into controllers as action parameters. While the idea is neat, a comment left by Francois Ward echoed my immediate skepticism over whether this could be safe. After playing around, I believe I have confirmed my suspicions that making use of this capability is a Very Bad Idea. (more…)


PagedList Strikes Back

// July 8th, 2008 // 9 Comments » // C#

There is an updated version of the PagedList<T> code available here.

A few months ago I posted about my changes to Rob Conery’s PagedList class. Since writing that article many comments have been left about how to further improve the design, which I have since incorporated into a new, further improved PagedList class. For those who aren’t familiar, the PagedList class allows scenarios such as the following:

    // Controller action: returns one page of products to the view.
    public ActionResult ListProducts( int pageIndex )
    {
        int pageSize = 10;
        var products = productRepository.GetAllProducts()
            .ToPagedList( pageIndex, pageSize );
        return View( products );
    }

(more…)


MVC Membership – Preview 3

// July 2nd, 2008 // 17 Comments » // MVC

Tonight we posted a new release of the MVC Membership Starter Kit. This release is an update to migrate the starter kit to the new Preview 3 release of the MVC framework. While several bugs have been squashed, no major new functionality has been added.

If you couldn’t wait and downloaded the source prior to the official Preview 3 release, you’ll still want to download tonight’s official release as several important issues have been addressed.

Bug Fixes in 1.3:

  • The System.Web.Abstractions, System.Web.Mvc, and System.Web.Routing DLLs being used prior to tonight were from an earlier Preview 3 release and were not signed by Microsoft.
  • Routing ambiguities caused a 404 error to occur when a user enters an incorrect username/password combination on the login page.
  • Several errors were occurring on various password recovery screens which created a bad user experience.
  • Errors on the administration section’s Create User and Display User pages were preventing that functionality from working at all.

Thanks for all of the interest everyone has shown in this project and thanks to Maarten and Greg for their contributions, especially to Maarten as he did most of the grunt work in upgrading our code base to Preview 3. Please send any feedback you have our way; we'd love to hear it!
