While not exactly as soon as everyone hoped, dasBlog 2.0 is set to be released next Tuesday. The biggest change is that dasBlog is now compiled under .NET 2.0 and ALMOST fully supports medium trust. The goal of medium trust is for hosting providers to provide functional ASP.NET 2.0 hosting while also protecting against rogue or malicious applications. Unfortunately that protection comes at the cost of application flexibility. We tried our best, but in the battle between security and functionality there are a few features that are limited in a medium trust environment:

  1. SMTP on alternative ports
    • This requires SmtpAccess.ConnectToUnrestrictedPort on the System.Net.Mail.SmtpPermission. In a default medium trust environment you only get SmtpAccess.Connect, which allows for port 25 access but that's it. I would assume that this is to prevent spamming and maybe to prevent using the SmtpClient class to launch socket-based attacks.
  2. Mail to Weblog via POP3
    • This requires SocketPermission to at least the port and address of your POP3 server. With the default medium trust settings you do not have any socket permissions. This prevents applications from launching network-based attacks. This is especially important if the web server is located behind a firewall, because then an ASP.NET application could access network resources intended to be protected by the firewall.

dasBlog will let you know that you don't have these privileges by displaying warnings on the configuration page:

[Screenshots: smtpCapture, pop3Capture]

There is some good news though: these limitations won't affect most users. Many hosting providers that run limited trust environments don't run in the default medium trust, but rather a "modified full trust". In that case you may already have all the permissions you need for all of the features to work.

If your hosting provider does run the standard medium trust configuration, or their custom trust level doesn't provide the necessary permissions, there is still hope. Normally hosting providers allow access to a mail server that runs on port 25. In most cases it doesn't even matter if the from address dasBlog is using is hosted on that server, as long as you are authenticating with a valid SMTP user. The POP3 issue is a bit more difficult. There are legitimate reasons for a provider to limit socket access, but if you ask nicely they might make an exception for the specific POP3 host you are using.

There is one last consideration that needs to be accounted for in a reduced trust environment. You can read more details here, but the basic idea is that in the default medium trust environment you can only make outbound web connections that match your originUrl. The originUrl is specified as a regular expression in your web.config file. Setting it to ".*" will let dasBlog connect to any host.
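One way a configuration page could detect the three restrictions described above is to demand each permission and catch the failure. This is an added example, not dasBlog's own code; the class and method names and the POP3 host and port are hypothetical, and it assumes the .NET Framework, where code access security is enforced.

```csharp
// Added example, not dasBlog source. Assumes .NET Framework with code access security.
using System;
using System.Net;
using System.Net.Mail;
using System.Security;

public static class TrustProbe
{
    // Demand() walks the call stack; under medium trust the application's own
    // code is partially trusted, so it throws for anything the policy omits.
    public static bool IsGranted(IPermission permission)
    {
        try { permission.Demand(); return true; }
        catch (SecurityException) { return false; }
    }

    // Port 25 only: the SmtpAccess.Connect level of default medium trust.
    public static bool CanSendOnPort25()
    {
        return IsGranted(new SmtpPermission(SmtpAccess.Connect));
    }

    // Any other SMTP port needs SmtpAccess.ConnectToUnrestrictedPort.
    public static bool CanSendOnAlternatePort()
    {
        return IsGranted(new SmtpPermission(SmtpAccess.ConnectToUnrestrictedPort));
    }

    // Mail to Weblog needs a socket connection to one POP3 host and port.
    public static bool CanReachPop3(string host, int port)
    {
        return IsGranted(new SocketPermission(
            NetworkAccess.Connect, TransportType.Tcp, host, port));
    }

    // Outbound HTTP is checked against the WebPermission derived from originUrl.
    public static bool CanFetch(string url)
    {
        return IsGranted(new WebPermission(NetworkAccess.Connect, url));
    }

    public static void Main()
    {
        // pop3.example.com and port 110 are placeholder values.
        Console.WriteLine("SMTP on port 25:      {0}", CanSendOnPort25());
        Console.WriteLine("SMTP on other ports:  {0}", CanSendOnAlternatePort());
        Console.WriteLine("POP3 socket:          {0}", CanReachPop3("pop3.example.com", 110));
        Console.WriteLine("Outbound HTTP:        {0}", CanFetch("http://www.dasblog.info/"));
    }
}
```

Run as a full-trust console program, every probe prints True; the results differ only when the same calls execute under a restricted policy such as an ASP.NET medium trust application. An originUrl regular expression that names only the hosts the blog needs keeps more of the outbound restriction in place than ".*" does.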

For more information about dasBlog check out http://www.dasblog.info, and if you have any questions about medium trust or anything else feel free to post on the dasBlog forums at http://www.dasblog.us

 

 
Posted at 8/12/2007 12:11 AM

Recently I have had tons of referral spam in my blog logs. I didn't want to mess with IIS filters or modifying the dasBlog source code. I planned on writing an HTTP module to check the request against a set of rules to help block invalid requests when I found ReverseDOS. It lets you specify a set of filters as regular expressions, and if the request matches any of the filters it blocks the request. SubText (another Open Source ASP.NET blog engine) ships with ReverseDOS and I'm not sure why dasBlog doesn't.

So far this is working quite well.  I had to tweak the filters a bit to match the spam I've been getting and haven't had any issues so far.  Once my filters are tweaked out I'll post my configuration file.

Posted at 5/28/2007 11:07 PM