ASP.NET 2.0 introduced a concept of application offline. This mean that when there is App_Offline.htm file in the root of a web application directory then ASP.NET will shut-down the application, unload the application domain from the server, and stop processing any new incoming requests for that application. In ASP.NET 5, there is an open-issue for supporting this feature.
کتاب مقدمهای بر ASP.NET Core 2.0
Security Advisory Notices
CVE-2019-1077 Visual Studio Extension Auto Update Vulnerability
An elevation of privilege vulnerability exists when the Visual Studio Extension auto-update process improperly performs certain file operations. An attacker who successfully exploited this vulnerability could delete files in arbitrary locations. To exploit this vulnerability, an attacker would require unprivileged access to a vulnerable system. The security update addresses the vulnerability by securing locations the Visual Studio Extension auto-update performs file operations in.
CVE-2019-1075 ASP.NET Core Spoofing Vulnerability
A spoofing vulnerability exists in ASP.NET Core that could lead to an open redirect. An attacker who successfully exploited the vulnerability could redirect a targeted user to a malicious website. To exploit the vulnerability, an attacker could send a link that has a specially crafted URL and convince the user to click the link.
The security update addresses the vulnerability by correcting how ASP.NET Core parses URLs. Details can be found in the .NET Core release notes.
CVE-2019-1113 WorkflowDesigner XOML deserialization allows code execution
A XOML file referencing certain types could cause random code to be executed when the XOML file is opened in Visual Studio. There is now a restriction on what types are allowed to be used in XOML files. If a XOML file containing one of the newly unauthorized types is opened, a message is displayed explaining that the type is unauthorized.
For further information, please refer to https://support.microsoft.com/en-us/help/4512190/remote-code-execution-vulnerability-if-types-are-specified-in-xoml.
NuGet 2.0 منتشر شد
نسخه جدید برنامه مدیریت بستههای دات نت هم آماده شد. میتونین از اینجا دانلودش کنین. (2.5MB)
طبق آمار خود سایت نوگت تا حالا بیش از 14.6 میلیون بار بستههای اون توسط کاربران دانلود شدن و بیش از 7000 بسته متمایز در این گالری موجوده!
یکی از مشکلاتی که تو این نسخه رفع شده موردی بود که در ارتباطات کند اینترنت بوجود میومد (^). تو کنسول این افزونه پس از وارد کردن قسمتی از نام یک بسته با فشردن کلید TAB نام تمام بستههایی که اول اسمشون اون عبارت تایپ شده باشه، لیست میشه (Tab Completion).
این عملیات در نسخههای قبلی با استفاده از یک درخواست HTML به OData (^) انجام میشد که دادههایی بیش از حد نیاز رو برمیگردوند. اما تو این نسخه این عملیات با استفاده از یک درخواست سریع JSON انجام میشه. (^)
من خودم این ویژگی رو تست کردم و افزایش سرعتش قابل ملاحظه بود!
یکی دیگه بهبودهای حاصله در دریافت بستههای وابسته نسبت به نسخه دات نت فریمورک در پروژه هدف هستش. یعنی میشه تنظیماتی روی بستههای نوگت اعمال کرد تا به صورت هوشمندانه نسخه متناسب با دات نت فریمورک مورد استفاده رو دانلود و نصب کنه.
اگه به صفحه مربوط به مشکلات و درخواستهای کاربران برای این افزونه (^) مراجعه کنین میبینید این دو موردکه تو این نسخه برطرف شدن بیشترین تقاضا رو داشتن. مورد اول با توجه به سرعت پایین اینترنت برای خود من خیلی کاربردیه.
نکته: اگر از VS 2010 SP1 استفاده میکنین هنگام به روز رسانی نوگت با استفاده از Extension Manager خود VS ممکنه با خطا مواجه بشین. اصولا بهترین روش نصب نوگت ابتدا unistall کردن نسخه قدیمی این افزونه از طریق appwiz.cpl و سپس نصب نسخه جدید با اجرای فایل vsix. هست (در هر دو قسمت نیاز به دسترسی administrator دارین).
و در نهایت:
You can develop your own package and share it via the NuGet Gallery. (^)
ویرایش:
متاسفانه دیروز وقت نکردم نتایج آزمایش با Fiddler رو اینجا بزارم.
مورد اول (Tab Completion) رو با سه نسخه از نوگت (1.6 و 1.8 و 2.0) برای دو عبارت jque و signa تست کردم و نتایج بدست اومده به شرح زیره. در زیر url درخواست مربوطه به همراه حجم دیتای دریافتی آورده شده:
نوگت 1.6:
nuget ver 1.6 jque: GET https://nuget.org/api/v2/Packages()?$orderby=DownloadCount%20desc,Id&$filter=startswith(tolower(Id),'jque')%20and%20IsLatestVersion&$skip=0&$top=90 HTTP/1.1 53691 bytes signa: GET https://nuget.org/api/v2/Packages()?$orderby=DownloadCount%20desc,Id&$filter=startswith(tolower(Id),'signa')%20and%20IsLatestVersion&$skip=0&$top=90 HTTP/1.1 11536 bytes
نوگت 1.8:
nuget ver 1.8 jque: GET https://nuget.org/api/v2/Packages()?$orderby=DownloadCount%20desc,Id&$filter=startswith(tolower(Id),'jque')%20and%20IsLatestVersion&$skip=0&$top=90 HTTP/1.1 53694 bytes signa: GET https://nuget.org/api/v2/Packages()?$orderby=DownloadCount%20desc,Id&$filter=startswith(tolower(Id),'signa')%20and%20IsLatestVersion&$skip=0&$top=90 HTTP/1.1 11536 bytes
نوگت 2.0:
nuget ver 2.0 jque: GET https://nuget.org/api/v2/package-ids?partialId=jque HTTP/1.0 598 bytes signa: GET https://nuget.org/api/v2/package-ids?partialId=signa HTTP/1.0 457 bytes
پاسخ سرور به عبارت signa در نسخه 2.0:
HTTP/1.1 200 OK Cache-Control: private Content-Type: application/json; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNetMvc-Version: 3.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Date: Thu, 28 Jun 2012 07:23:06 GMT Connection: close Content-Length: 457 ["SignalR","SignalR.Client","SignalR.Client.Silverlight","SignalR.Client.Silverlight5","SignalR.Client.WP7","SignalR.EventStream","SignalR.Hosting.AspNet","SignalR.Hosting.Common","SignalR.Hosting.Owin","SignalR.Hosting.Self","SignalR.Js","SignalR.MicroSliver","SignalR.Ninject","SignalR.RabbitMq","SignalR.Reactive","SignalR.Redis","SignalR.Sample","SignalR.Server","SignalR.StructureMap","SignalR.WebSockets","SignalR.WindowsAzureServiceBus","Signals.js"]
میبینید که غیرقابل مقایسه هستن! و همونوطور که آقای هنسلمن (^) در مورد نسخههای قدیمی گفتن: «دادههای بیش از حد نیاز رو برمیگردونن»
نسخههای قبل از 2.0 همگی از odata استفاده میکردن و دادههای برگشتی تماما encrypt شدهاند. اما در نسخه 2.0 دادههای برگشتی از نوع JSON هست (به Fiddler مراجعه کنین تا تفاوت واقعی رو ببینین. البته برای اینکه دادههای encrypt شده رو در fiddler ببینین باید طبق راهنمایی خودش از تنظیمات مربوط به decrypt ترافیک https استفاده کنین)
روش امن نگهداری پسورد کاربران
/* * Password Hashing With PBKDF2 (http://crackstation.net/hashing-security.htm). * Copyright (c) 2013, Taylor Hornby * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * 1. Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. */ using System; using System.Text; using System.Security.Cryptography; namespace PasswordHash { /// <summary> /// Salted password hashing with PBKDF2-SHA1. /// Author: havoc AT defuse.ca /// www: http://crackstation.net/hashing-security.htm /// Compatibility: .NET 3.0 and later. /// </summary> public class PasswordHash { // The following constants may be changed without breaking existing hashes. public const int SALT_BYTE_SIZE = 24; public const int HASH_BYTE_SIZE = 24; public const int PBKDF2_ITERATIONS = 1000; public const int ITERATION_INDEX = 0; public const int SALT_INDEX = 1; public const int PBKDF2_INDEX = 2; /// <summary> /// Creates a salted PBKDF2 hash of the password. /// </summary> /// <param name="password">The password to hash.</param> /// <returns>The hash of the password.</returns> public static string CreateHash(string password) { // Generate a random salt RNGCryptoServiceProvider csprng = new RNGCryptoServiceProvider(); byte[] salt = new byte[SALT_BYTE_SIZE]; csprng.GetBytes(salt); // Hash the password and encode the parameters byte[] hash = PBKDF2(password, salt, PBKDF2_ITERATIONS, HASH_BYTE_SIZE); return PBKDF2_ITERATIONS + ":" + Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(hash); } /// <summary> /// Validates a password given a hash of the correct one. /// </summary> /// <param name="password">The password to check.</param> /// <param name="correctHash">A hash of the correct password.</param> /// <returns>True if the password is correct. False otherwise.</returns> public static bool ValidatePassword(string password, string correctHash) { // Extract the parameters from the hash char[] delimiter = { ':' }; string[] split = correctHash.Split(delimiter); int iterations = Int32.Parse(split[ITERATION_INDEX]); byte[] salt = Convert.FromBase64String(split[SALT_INDEX]); byte[] hash = Convert.FromBase64String(split[PBKDF2_INDEX]); byte[] testHash = PBKDF2(password, salt, iterations, hash.Length); return SlowEquals(hash, testHash); } /// <summary> /// Compares two byte arrays in length-constant time. This comparison /// method is used so that password hashes cannot be extracted from /// on-line systems using a timing attack and then attacked off-line. /// </summary> /// <param name="a">The first byte array.</param> /// <param name="b">The second byte array.</param> /// <returns>True if both byte arrays are equal. False otherwise.</returns> private static bool SlowEquals(byte[] a, byte[] b) { uint diff = (uint)a.Length ^ (uint)b.Length; for (int i = 0; i < a.Length && i < b.Length; i++) diff |= (uint)(a[i] ^ b[i]); return diff == 0; } /// <summary> /// Computes the PBKDF2-SHA1 hash of a password. /// </summary> /// <param name="password">The password to hash.</param> /// <param name="salt">The salt.</param> /// <param name="iterations">The PBKDF2 iteration count.</param> /// <param name="outputBytes">The length of the hash to generate, in bytes.</param> /// <returns>A hash of the password.</returns> private static byte[] PBKDF2(string password, byte[] salt, int iterations, int outputBytes) { Rfc2898DeriveBytes pbkdf2 = new Rfc2898DeriveBytes(password, salt); pbkdf2.IterationCount = iterations; return pbkdf2.GetBytes(outputBytes); } } }
Stack Overflow Developer Desktop Build - 2017
One of the things we're big on at Stack Exchange is hardware - we love it. More importantly, we love not waiting on it. With that in mind, we upgrade our developer machines every 2 years. In case it helps anyone else, I'm posting our current parts list here. This isn't set in stone, we review and update it to the latest tech every time we build a machine. We also customize the build for each developer if needed - for example those needing extra space or specific display connections, etc. I'll try and keep this page updated as we make changes
JS Paint
Classic MS Paint in the browser, with extra features
Windows 95, 98, and XP were the golden years of paint. You had a tool box and a color box, a foreground color and a background color, and that was all you needed.