I've just read on the net about a newly discovered security vulnerability in ASP.NET. You can read the details here.

The problem lies in the way that ASP.NET implements the AES encryption algorithm to protect the integrity of the cookies these applications generate to store information during user sessions.

This is a bit vague, but here is a more frightening part:

The first stage of the attack takes a few thousand requests, but once it succeeds and the attacker gets the secret keys, it's totally stealthy.The cryptographic knowledge required is very basic.

All in all, I'm not familiar enough with the security/cryptograpy subject to know if this is really that serious.

So, should all ASP.NET developers fear this technique that can own any ASP.NET website in seconds or what?

How does this issue affect the average ASP.NET developer? Does it affect us at all? In real life, what are the consequences of this vulnerability? And, finally: is there some workaround that prevents this vulnerability?

Thanks for your answers!

---

EDIT: I'd like to summarize the responses I got so far.

So, this is basically a "padding oracle" type of attack. @Sri provided a great explanation about what does this type of attack mean. Here is a shocking video about the issue!

About the seriousness of this vulnerability: Yes, it is indeed serious. It lets the attacker to get to know the machine key of an application. Thus, he can do some very unwanted things.

• In posession of the app's machine key, the attacker can decrypt authentication cookies.
• Even worse than that, he can generate authentication cookies with the name of any user. Thus, he can appear as anyone on the site. The application is unable to differentiate between you or the hacker who generated an authentication cookie with your name for himself.
• It also lets him to decrypt (and also generate) session cookies, although this is not as dangerous as the previous one.
• Not so serious: He can decrypt the encrypted ViewState of pages. (If you use ViewState to store confidental data, you shouldn't do this anyways!)
• Quite unexpected: With the knowledge of the machine key, the attacker can download any arbitrary file from your web application, even those that normally can't be downloaded! (Including Web.Config, etc.)

Here is a bunch of good practices I got that don't solve the issue but help improve the general security of a web application.

• You can encrypt sensitive data with Protected Configuration
• Use HTTP Only cookies
• Prevent DoS attacks

Now, let's focus on this issue.

• Scott Guthrie published an entry about it on his blog
• ScottGu's FAQ blog post about the vulnerability
• ScottGu's update on the vulnerability
• Microsoft has a security advisory about it
• Understanding the vulnerability
• Additional information about the vulnerability

The solution

• Enable customErrors and make a single error page to which all errors are redirected. Yes, even 404s. (ScottGu said that differentiating between 404s and 500s are essential for this attack.) Also, into your Application_Error or Error.aspx put some code that makes a random delay. (Generate a random number, and use Thread.Sleep to sleep for that long.) This will make it impossible for the attacker to decide what exactly happened on your server.
• Some people recommended switching back to 3DES. In theory, if you don't use AES, you don't encounter the security weakness in the AES implementation. As it turns out, this is not recommended at all.

Some other thoughts

• Seems that not everyone thinks the workaround is good enough.

Thanks to anyone who cared to answer my question. I learned a lot about not only this issue, but web security in general. I marked @Mikael's answer as accepted, but the other answers are also very-very useful.

What should I do to protect myself?

[Update 2010-09-29]

Microsoft security bulletin

KB Article with reference to the fix

ScottGu has links for the downloads

[Update 2010-09-25]

While we are waiting for the fix, yesterday ScottGu postet an update on how to add an extra step to protect your sites with a custom URLScan rule.

---

Basically make sure you provide a custom error page so that an attacker is not exposed to internal .Net errors, which you always should anyways in release/production mode.

Additionally add a random time sleep in the error page to prevent the attacker from timing the responses for added attack information.

In web.config

<configuration>
 <location allowOverride="false">
   <system.web>
     <customErrors mode="On" defaultRedirect="~/error.html" />
   </system.web>
 </location>
</configuration>

This will redirect any error to a custom page returned with a 200 status code. This way an attacker cannot look at the error code or error information for information needed for further attacks.

It is also safe to set customErrors mode="RemoteOnly", as this will redirect "real" clients. Only browsing from localhost will show internal .Net errors.

The important part is to make sure that all errors are configured to return the same error page. This requires you to explicitly set the defaultRedirect attribute on the <customErrors> section and ensure that no per-status codes are set.

What's at stake?

If an attacker manage to use the mentioned exploit, he/she can download internal files from within your web application. Typically web.config is a target and may contain sensitive information like login information in a database connection string, or even link to an automouted sql-express database which you don't want someone to get hold of. But if you are following best practice you use Protected Configuration to encrypt all sensitive data in your web.config.

Links to references

Read Microsoft's official comment about the vulnerability at http://www.microsoft.com/technet/security/advisory/2416728.mspx. Specifically the "Workaround" part for implementation details on this issue.

Also some information on ScottGu's blog, including a script to find vulnerable ASP.Net apps on your web server.

For an explanation on "Understanding Padding Oracle Attacks", read @sri's answer.

---

Comments to the article:

The attack that Rizzo and Duong have implemented against ASP.NET apps requires that the crypto implementation on the Web site have an oracle that, when sent ciphertext, will not only decrypt the text but give the sender a message about whether the padding in the ciphertext is valid.

If the padding is invalid, the error message that the sender gets will give him some information about the way that the site's decryption process works.

In order for the attack to work the following must be true:

• Your application must give an error message about the padding being invalid.
• Someone must tamper with your encrypted cookies or viewstate

So, if you return human readable error messages in your app like "Something went wrong, please try again" then you should be pretty safe. Reading a bit on the comments on the article also gives valuable information.

• Store a session id in the crypted cookie
• Store the real data in session state (persisted in a db)
• Add a random wait when user information is wrong before returning the error, so you can't time it

That way a hijacked cookie can only be used to retrieve a session which most likely is no longer present or invalidated.

It will be interesting to see what is actually presented at the Ekoparty conference, but right now I'm not too worried about this vulnerability.

In C# I see that

-1 * int.MinValue == int.MinValue

Is this a bug? It really screwed me up when I was trying to implement a search tree. I ended up using (int.MinValue + 1) so that I could properly negate it.

This is not a bug.

int.MinValue * -1 is 1 greater than int.MaxValue can hold. Thus, the number wraps around back to int.MinValue.

This is basically caused by an integer overflow.

Int32.MinValue:

The value of this constant is -2,147,483,648

Int32.MaxValue:

The value of this constant is 2,147,483,647

So, -2,147,483,648 * -1 = 2,147,483,648 which is 1 greater than Int32.MaxValue.

I've recently started to use the Entity Framework 4.0 in my .NET 4.0 application and am curious about a few things relating to pooling.

1. Connection pooling as I know is managed by the ADO.NET data provider, in my case that of MS SQL server. Does this apply when you instantiate a new entities context (ObjectContext), i.e. the parameterless new MyDatabaseModelEntities()?

2. What are the advantages and disadvantages of a) creating a global entities context for the application (i.e. one static instance) or b) creating and exposing an entities context for each given operation/method, with a using block.

3. Any other recommendations, best practices, or common approaches for certain scenarios that I should know about?

1. Connection pooling is handled as in any other ADO.NET application. Entity connection still uses traditional database connection with traditional connection string. I believe you can turn off connnection pooling in connection string if you don't want to use it.
2. Never ever use global context. ObjectContext internally implements several patterns including Identity Map and Unit of Work. Impact of using global context is different per application type.
3. For web applications use single context per request. For web services use single context per call. In WinForms or WPF application use single context per form or per presenter. There can be some special requirements which will not allow to use this approach but in most situation this is enough.

If you want to know what impact has single object context for WPF / WinForm application check this article. It is about NHibernate Session but the idea is same.

Edit:

When you use EF it by default loads each entity only once per context. The first query creates entity instace and stores it internally. Any subsequent query which requires entity with the same key returns this stored instance. If values in the data store changed you still receive the entity with values from the initial query. This is called Identity map pattern. You can force the object context to reload the entity but it will reload a single shared instance.

Any changes made to the entity are not persisted until you call SaveChanges on the context. You can do changes in multiple entities and store them at once. This is called Unit of Work pattern. You can't selectively say which modified attached entity you want to save.

Combine these two patterns and you will see some interesting effects. You have only one instance of entity for the whole application. Any changes to the entity affect the whole application even if changes are not yet persisted (commited). In the most times this is not what you want. Suppose that you have an edit form in WPF application. You are working with the entity and you decice to cancel complex editation (changing values, adding related entities, removing other related entities, etc.). But the entity is already modified in shared context. What will you do? Hint: I don't know about any CancelChanges or UndoChanges on ObjectContext.

I think we don't have to discuss server scenario. Simply sharing single entity among multiple HTTP requests or Web service calls makes your application useless. Any request can just trigger SaveChanges and save partial data from another request because you are sharing single unit of work among all of them.

Even for a readonly application a global context is not a good choice because you probably want fresh data each time you query the application.

I noticed that the C# compiler generates a ret instruction at the end of void methods:

.method private hidebysig static void Main(string[] args) cil managed
{
    // method body
    L_0030: ret 
} 

I've written a compiler for .NET and it works regardless if I emit a ret statement or not (I've checked the generated IL and it's indeed not in there).

I just wonder: Is ret on methods returning void required for anything? It doesn't seem to do anything with the stack, so I believe it's completely unnecessary for void methods, but I'd like to hear from someone who knows a bit more about the CLR?

According to the C# Standard (ECMA-334), a method is defined as the following:

A method is a member that implements a computation or action that can be performed by an object or class. Methods have a (possibly empty) list of formal parameters, a return value (unless the method’s return-type is void), and are either static or non-static.

(ECMA-334; 8.7.3: Methods).

Now, the CLI standard defines the following:

Control is not permitted to simply “fall through” the end of a method. All paths shall terminate with one of these instructions: ret, throw, jmp, or (tail. followed by call, calli, or callvirt).

(ECMA-335; 12.4, 6)

This means, that in C#, a method returning void does not need a return statement. However, as the C# compiler compiles the C# code to IL Code, which requires a path termination at the end of a method, it emits a ret to end the method.

I want to trigger a task to run on a background thread. I don't want to wait on the tasks completion.

In .net 3.5 I would have done this:

ThreadPool.QueueUserWorkItem(d => { DoSomething(); });

In .net 4 the TPL is the suggested way. The common pattern I have seen recommended is:

Task.Factory.StartNew(() => { DoSomething(); });

However, the StartNew() method returns a Task object which implements IDisposable. This seems to be overlooked by people who recommend this pattern. The MSDN documentation on the Task.Dispose() method says:

"Always call Dispose before you release your last reference to the Task."

You can't call dispose on a task until it is completed, so having the main thread wait and call dispose would defeat the point of doing on a background thread in the first place. There also doesn't seem to be any completed/finished event that could be used for cleanup.

The MSDN page on the Task class doesn't comment on this, and the book "Pro C#2010..." recommends the same pattern and makes no comment on task disposal.

I know if I just leave it the finalizer will catch it in the end, but is this going to come back and bite me when I'm doing lots of fire & forget tasks like this and the finalizer thread gets overwhelmed?

So my questions are:

• Is it acceptable to not call Dispose() on the Task class in this case? And if so, why and are there risks/consequences?
• Is there any documentation that discusses this?
• Or is there an appropriate way of disposing of the Task object that I've missed?
• Or is there another way of doing fire & forget tasks with the TPL?

There is a discussion about this in the MSDN forums.

Stephen Toub, a member of the Microsoft pfx team has this to say:

Task.Dispose exists due to Task potentially wrapping an event handle used when waiting on the task to complete, in the event the waiting thread actually has to block (as opposed to spinning or potentially executing the task it's waiting on). If all you're doing is using continuations, that event handle will never be allocated
...
it's likely better to rely on finalization to take care of things.

I've been using C# for a while, and have recently started working on adding parallelism to a side project of mine. So, according to Microsoft, reads and writes to ints and even floats are atomic

I'm sure these atomicity requirements workout just fine on x86 architectures. However, on architectures such as ARM (which may not have hardware floating point support), it seems these guarantees will be hard.

The problem is only made more significant by the fact that an 'int' is always 32-bits. There are many embedded devices that can't atomically perform a 32-bit write.

It seems this is a fundamental mistake in C#. Guaranteeing the atomicity of these data types can't be done portably.

How are these atomicity guarantees intended to be implemented on architectures where there are no FPUs or 32-bit writes?

There are two issues with regard to "portability":

1. Can an practical implementation of a language be produced for various platforms
2. Will a program written in a language be expected to run correctly on various platforms without modification

The stronger the guarantees made by a language, the harder it will be to port it to various platforms (some guarantees may make it impossible or impractical to implement the language on some platforms) but the more likely it is that programs written in the language will work without modification on any platform for which support exists.

For example, a lot of networking code relies upon the fact that (on most platforms) an unsigned char is eight bits, and a 32-bit integer is represented by four unsigned chars in ascending or descending sequence. I've used a platform where char was 16 bits, sizeof(int)==1, and sizeof(long)==2. The compiler author could have made the compiler simply use the bottom 8 bits of each address, or could have added a lot of extra code so that writing a 'char' pointer would shift the address right one bit (saving the lsb), read the address, update the high or low half based upon the saved address lsb, and writing it back. Either of those approaches would have allowed the networking code to run without modification, but would have greatly impeded the compiler's usefulness for other purposes.

Some of the guarantees in the CLR mean that it is impractical to implement it in any platform with an atomic operation size smaller than 32 bits. So what? If a microcontroller needs more than a few dozen Kbytes of code space and RAM, the cost differential between 8-bit and 32-bit is pretty small. Since nobody's going to be running any variation of the CLR on a part with 32K of code space and 4K of RAM, who cares whether such a chip could satisfy its guarantees.

BTW, I do think it would be useful to have different levels of features defined in a C spec; a lot of processors, for example, do have 8-bit chars which can be assembled into longer words using unions, and there is a lot of practical code which exploits this. It would be good to define standards for compilers which work with such things. I would also like to see more standards at the low end of the system, making some language enhancements available for 8-bit processors. For example, it would be useful to define overloads for a function which can take a run-time-computed 16-bit integer, an 8-bit variable, or an inline-expanded version with a constant. For often-used functions, there can be a big difference in efficiency among those.

I'm new to C#, so apologies if this is an obvious question.

In the MSDN Dispose example, the Dispose method they define is non-virtual. Why is that? It seems odd to me - I'd expect that a child class of an IDisposable that had its own non-managed resources would just override Dispose and call base.Dispose() at the bottom of their own method.

Thanks!

Typical usage is that Dispose() is overloaded, with a public, non-virtual Dispose() method, and a virtual, protected Dispose(bool). The public Dispose() method calls Dispose(true), and subclasses can use this protected virtual method to free up their own resorces, and call base.Dispose(true) for parent classes.

If the class owning the public Dispose() method also implements a finalizer, then the finalizer calls Dispose(false), indicating that the protected Dispose(bool) method was called during garbage collection.

If there is a finalizer, then the public Dispose() method is also responsible for calling GC.SuppressFinalize() to make sure that the finalizer is no longer active, and will never be called. This allows the garbage collector to treat the class normally. Classes with active finalizers generally get collected only as a last resort, after gen0, gen1, and gen2 cleanup.

Pretty simple.

UInteger data type hold any value between 0 and 4,294,967,295. MSDN.

If I try this code in VB.NET I get a compiler error:

Dim Test As UInteger = &HFFFFFFFF

Error: "Constant expression not representable in type 'UInteger'.

Why I can't set 0xFFFFFFFF (4,294,967,295) to a UInteger if this type can hold this value?

I believe it's because the literal &HFFFFFFFF is interpreted by the VB.NET compiler as an Integer, and that value for an Integer is a negative number (-1), which obviously can't be cast to a UInteger.

This issue is easily fixed by writing &HFFFFFFFFUI, appending the UI suffix to treat the literal as a UInteger.

How can I encrypt/decrypt with fuzzy tolerance?

I want to be able to use a Stroke on an InkCanvas as key for my encryption but when decrypting again the user should not have to draw the exact same symbol, only similar. Can this be done in .NET C#?

--- Update (9 sep) ---

What I ideally want is an encryption algorithm that would accept any key in a certain range of keys based on some base-key and a function defining the allowed differences ..

Im doing all encryption/decryption locally so I wont need to send anything over a wire safely. And I dont want to store the key used for encryption, so I wont have anything to compare with. I could come up with some method to generate the same key for every similar stroke but its not easy if a want to accept any kind of symbol (not only letters). The other option is if the encryption key somehow could accept similar keys by design, which I dont know if its possible...?

OK. Let's break your problem into two.

1) Fuzzy 2) Encryption

Reality is both these concepts are relatively old and their implementation have been out there for years. Each deals with the problem at hand very well but this does not mean that combining these two is a good idea. I believe you have to have your solution as a two-stage approach.

First of all encryption standards out there are great in securing the data using a SINGLE EXACT key. In your case you need symmetric encryption algos such as AES or Rijndael.

Fuzzy part of the solution is also not that hard. Like any other fuzzy recognition technique, you need to do a feature extraction and create a vector to be passed to the encryption algo. You need to build fuzziness into your features. For example, number of strokes, quadrant of the start point for each stroke, a factor of curviness for each stroke and the like. This will be enough to build a 32 bit vector to pass to the encryption algorithm.

UPDATE

I will try to make it more illustrative:

2 bits for number of strokes: 1, 2, 3, +3 which translates to 00, 01, 10 and 11

2 bits for quadrant of the start of the first stroke: TopLeft, TopRight, BottomLeft, BottomRightt encodes to 00, 01, 10 and 11

2 bits for quadrant of the end of the first stroke: ditto

2 bits for quadrant of the start of the second stroke: ditto. If no second stroke then 00.

2 bits for quadrant of the end of the second stroke: ditto. If no second stroke then 00.

2 bits for quadrant of the start of the third stroke: ditto. If no third stroke then 00.

2 bits for quadrant of the end of the second stroke: ditto. If no third stroke then 00.

2 bits for curviness of the first stroke: straight->00 ... Nice round->11. This is not going to be very easy and you might reduce the degrees of curviness to 2 and use just one bit but it is a "suck it and see".

So this is 16 bits. You can leave the rest as zero for now and try and see how it works.

Hope this helps.

I have a List of words I want to ignore like this one :

public List<String> ignoreList = new List<String>()
        {
            "North",
            "South",
            "East",
            "West"
        };

For a given string, say "14th Avenue North" I want to be able to remove the "North" part, so basically a function that would return "14th Avenue " when called.

I feel like there is something I should be able to do with a mix of LINQ, regex and replace, but I just can't figure it out.

The bigger picture is, I'm trying to write an address matching algorithm. I want to filter out words like "Street", "North", "Boulevard", etc. before I use the Levenshtein algorithm to evaluate the similarity.

How about this:

string.Join(" ", text.Split().Where(w => !ignoreList.Contains(w)));

or for .Net 3:

string.Join(" ", text.Split().Where(w => !ignoreList.Contains(w)).ToArray());

Note that this method splits the string up into individual words so it only removes whole words. That way it will work properly with addresses like Northampton Way #123 that string.Replace can't handle.

Identical to "How do exceptions work (behind the scenes) in C++", but for C#.

I know that the steps below have to be performed when an exception is thrown.

1. Find the nearest handler for the exception type;
2. Unwind the stack up to the handler level;
3. Call the handler;
4. Find and call every finally blocks.

How does .NET handles these operations? How does the mapping for the "current" handlers work? How much code is emitted in a try/catch block? And in a throw block?

Read Christopher Brumme's article; it gives a very detailed explanation of what happens behind the scenes in CLR exception handling:

http://blogs.msdn.com/b/cbrumme/archive/2003/10/01/51524.aspx

Anyone using NServiceBus 2.0 successfully with Unity 2.0?

I've tried to compile sources of NServiceBus.ObjectBuilder.Unity.dll against Unity 2.0 assemblies but got several compile-time errors because of changed/deleted signatures of many object methods in new Unity.

In the documentation Udi Dahan says that attaching any container is as easy as implementing 5 methods of IContainer. But when i look into NServiceBus.ObjectBuilder.Unity implementation i see that there is a LOT more work to be done. Why it is so?

Unity, by default, behaves different from what NSB expects. That's why there is a need for some custom extensions to make it compatible with ObjectBuilder contract. There are two major differences:

• Unity requires DependencyAttribute to inject dependency into the property. NSB expects ObjectBuilder to inject in any property that with matching type
• When doing property injection unity treats property dependencies as mandatory whereas NSB expects them to be optional.

I believe that these features are preserved in version 2.0 and it will be easy to migrate them. I should have some time this week and I hope I will create a Unity v2 implementation. I'll let you know when it's finished.

Edit: Done. The Unit 2 object builder is in the trunk.

I am trying to take favicons and add them to a dynamic image that I am creating. See StackFlair. The website code works fine locally, and on one shared hosting server. _{blah blah, free hosting plan, you get what you pay for, blah blah} My trouble is that I get an exception from a new hosting setup. This exception only happens for .ico files. I can process .gif and .png images just fine on all servers I've tested (ie, a gravatar image). The favicons I am trying to use are favicons from the SE network, but even http://www.google.com/favicon.ico results in the following exception.

System.ArgumentException: Parameter is not valid.

• System.Drawing.Image.FromStream(Stream stream, Boolean useEmbeddedColorManagement, Boolean validateImageData)
• System.Drawing.Image.FromStream(Stream stream)

The variations of code that I am trying are below. I get the same Parameter not valid exception for all variations.

byte[] imageBytes = //pull from Image field in SQL Server
//or
byte[] imageBytes = new WebClient().DownloadData(imageUrl);


MemoryStream ms = new MemoryStream(imageBytes);
Image image = Image.FromStream(ms);
 //or
Icon icon = new Icon(ms);
Image image = icon.ToBitmap();
//or
Image image = new Bitmap(ms);

---

All of these work just fine locally and on the bad hosting server. None of them work on the server I want to be on. By using Trace output, I can verify that the length of the array contains the correct number of bytes. If I do the following, I see the image displayed as expected.

Response.Clear();
Response.BinaryWrite(imageBytes);
Response.End();

If I loop through the array and write out each byte value, the output is identical from my local instance to the server where I get the exception.

If it helps, the server where my code doesn't work is a Windows 2003 server with sp2.

Clearly the framework is telling me that the stream of bytes is not valid, but everything I've checked, checks out. Any ideas on why this specific server is choking on .ico files?

I have a workaround. Use ImageMagick to convert the ico files to png files:

convert favicon.ico[0] favicon.png

Then those are easy to work with. ImageMagick is pre-installed on lots of shared hosts, or you can download precompiled binaries for Windows.

If you leave off the [0], then you will get a series of files favicon-0.png favicon-1.png etc if there is more than one icon image stored in the .ico file. You will then need to sort through them, to choose the one that is closest to what you want: 16x16 with alpha transparency. (I include 32x32 and 48x48 in my favicon files, for IE users who drag internet shortcuts to their desktop.) ImageMagick preserves the transparency when converting to png.

The stackapps.com/favicon.ico gear icon has two images. The first one has alpha transparency, and looks great on your light grey #DBDCDB background.

I assume you are building a dynamic image like your http://i.imgur.com/SNHfF.png at the server, rather than sending all 6 top site icons to the browser. If not, it's still a good idea to send the icons converted to png, because they were not designed to render within web pages.

...Tom

What is the size of an object reference in .NET? Does it vary between x86, x64, and/or AnyCPU compilation?

If it makes a difference, I'm personally interested in C#.

The reference itself is basically a pointer. 32 bits on a 32 bit OS, 64 bits on a 64 bit OS.

The size of the object that's referenced is more complicated.

If my user is in California and they have their computer set to PST, it's 1:00 pm there. If my server is set to EST, the current server time is 4:00 pm.

I need a way to get the timezone difference between the client and the server, either in Javascript or C#. In my example, I would get 3 (or -3, doesn't matter).

Does anyone know how to do this?

EDIT: Possible solution for RedFilter

Doing it all in javascript:

serverDate = new Date('<%= DateTime.Now.ToString() %>');
clientDate = new Date();
diffMin = (serverDate.getTime()-clientDate.getTime())*1000*60;  //get difference in minutes

Think that would work? Or would both of those return the same time?

You could:

1 - Return the server date to the client as a Javascript date variable.
2 - Create a new javascript date client side (var currentTime = new Date();) and subtract the above date
3 - Post the result back to the server (if necessary; you may only need to know the difference client-side).

Update

Here is an example:

<script>
serverDate = new Date('<%= DateTime.Now.ToString() %>'); 
clientDate = new Date(); 
diffMin = (serverDate.getTime()-clientDate.getTime())/(1000*60);      alert("serverDate: " + serverDate + "\r\n" + "clientDate: " + clientDate + "\r\n" + "diffMin: " + diffMin);
</script>

If the server and client are on the same machine, you will see a diffMin approaching zero. There is a slight difference between the dates due to the time between the server-side script generating the date and the browser parsing and executing the javascript.

I've got the question... Are there any free build servers for .NET applications? We are starting project as remotely working team and right now we are searching for such solution. As far as it's an academic project we do not have funds to buy server and run CC.net on it.. Are there any charge free solutions? Or at least cheap ones...

I'm asking rather about the service on the internet, not software solution ;)

Another idea: do you really need your build server on the internet?

How about putting only your code repository on the internet (Github, Bitbucket, Google Code...)?
One of your project members could set up the build server at home. As long as it's online 24/7, it can pull the repository from the internet, make the build locally and upload the results via FTP to some webspace where you all can access it.

Of course that's not as comfortable as a "real" internet based solution, but cheap.

When using compiled queries in entity framework (or linq-to-sql) in combination with SQL Server, is there actually still any performance benefit in using stored procedures?

Compiled queries will be cached as parameterized queries, so performance should be near equal to stored procedures. Is there any situation where stored procedures would perform significantly better?

-- EDIT --

In response to Yakimych's answer below, I didn't mean to imply that compiled queries are the same as stored procedures. I am trying to figure out if sprocs are still necessary if you have done all possible optimizations on the application side (in this case compiled queries). So I guess I'm looking for reasons why a stored procedure would be better than the combination of application-side optimizations and parameterized queries (which is what compiled queries effectively are).

One of the reasons I'm asking this, is because there are many people who seem to think that stored proedures are no longer necessary for different reasons (i.e. this post).

"Is there any situation where stored procedures would perform significantly better?"

Given a comparable piece of parametrized SQL generated in either EF or a stored proc, they will perform equally.

However, a DBA always has the opportunity to further optimise a query based on their experience with the DB schema and its usage patterns. A stored procedure allows them to do this easily in isolation of the applications using it, whereas an ORM doesn't.

We have an extremely complicated SQL Server DB that has many external systems replicating data in and out via triggers. The issue for us with EF is that the responsibility for the SQL that gets fired at the DB will become the application developers responsibility when using any ORM rather than the DBAs.

I've been struggling to adapt my standard approach for test-driving .NET code to Ruby.

As an example, I am writing a class that will:

grab all *.markdown files from a directory
  foreach file:
    extract code samples from file
    save code to file.cs in output directory

Normally for .NET I'd end up with something like:

class ExamplesToCode {
  public ExamplesToCode(IFileFinder finder, IExampleToCodeConverter converter) { ... }
  public void Convert(string exampleDir, string targetDir) { ... }
}

In my test (written first), I'd mock finder and converter. Then I'd stub out finder.FindFiles("*.markdown") to return say ["file1", "file2"], and check converter.Convert("file1", targetDir) and converter.Convert("file2", targetDir) was called.

Where I struggle applying this to Ruby is that Ruby tends to use blocks and internal iterators (e.g. array.each { |x| puts x }), and including modules over constructor injection. I'm not sure on how to unit test code in those cases (without setting up a full integration test), and the .NET approach just seems incredibly un-rubyish; it seems to fight the way Ruby naturally works.

Any suggestions on how to do this the Ruby way? An example of a Ruby test for this example would be great.

You could have a very course test that goes something like this:

class ExamplesToCodeTest < Test::Unit::TestCase
  def test_convert
    # have some example markdown files in a fixtures directory
    ExamplesToCode.convert("test/fixtures/*.markdown")
    assert_equal expected_output_1, File.read("test/output/file_1.cs")
    assert_equal expected_output_2, File.read("test/output/file_2.cs")
    assert_equal expected_output_3, File.read("test/output/file_3.cs")
  end
  private
    def expected_output_1
      "... expected stuff here ..."
    end
    def expected_output_2
      "... expected stuff here ..."
    end
    def expected_output_3
      "... expected stuff here ..."
    end
end

I suppose that would make a decent integration test, but that's not what I really like, I like to have my code in bite-size chunks

First I'd create a class that can handle parsing a markdown file, e.g.:

class MarkdownReaderTest < Test::Unit::TestCase
  def test_read_code_sample_1
    reader = MarkdownReader.new
    code_sample = reader.read("fixtures/code_sample_1.markdown")
    # or maybe something like this:
    # code_sample = reader.parse(File.read("fixtures/code_sample_1.markdown"))
    # if you want the reader to just be a parser...
    assert_equal code_sample_1, code_sample
  end
  # ... repeat for other types of code samples ...
  private
    def code_sample_1
      "text of code sample 1 here..."
    end
end

Now all the code to read and parse markdown files is in the MarkdownReader class. Now if we don't want to have to actually write files you can get fancy and do some mocking with RR or Mocha or something (I'm using rr here):

class CodeSampleWriter < Test::Unit::TestCase
  include RR::Adapters::TestUnit
  def test_write_code_sample
    # assuming CodeSampleWriter class is using the File.write()...
    any_instance_of(File) do |f|
      mock(f).write(code_sample_text) { true }
    end
    writer = CodeSampleWriter.new
    writer.write(code_sample_text)
  end
  private
    def code_sample_text
      "... code sample text here ..."
    end
end

Now assuming the ExamplesToCode class uses the MarkdownReader and CodeSampleWriter classes, you can again use mock objects with RR like so:

class ExamplesToCodeTest < Test::Unit::TestCase
  include RR::Adapters::TestUnit
  def test_convert
    # mock the dir, so we don't have to have an actual dir with files...
    mock(Dir).glob("*.markdown") { markdown_file_paths }
    # mock the reader, so we don't actually read files...
    any_instance_of(MarkdownReader) do |reader|
      mock(reader).read("file1.markdown") { code_sample_1 }
      mock(reader).read("file2.markdown") { code_sample_1 }
      mock(reader).read("file3.markdown") { code_sample_1 }
    end
    # mock the writer, so we don't actually write files...
    any_instance_of(CodeSampleWriter) do |writer|
      mock(writer).write_code_sample(code_sample_1) { true }
      mock(writer).write_code_sample(code_sample_2) { true }
      mock(writer).write_code_sample(code_sample_3) { true }
    end
    # now that the mocks are mocked, it's go time!
    ExamplesToCode.new.convert("*.markdown")
  end
  private
    def markdown_file_paths
      ["file1.markdown", "file2.markdown", "file3.markdown"]
    end
    def code_sample_1; "... contents of file 1 ..."; end
    def code_sample_2; "... contents of file 2 ..."; end
    def code_sample_3; "... contents of file 3 ..."; end
end

Hopefully this gives you some ideas of how to approach testing in Ruby. Not be inflammatory, but for the most part, dependency injection is not something seen or used in the Ruby world -- it generally adds a lot of overhead. Mocking/Doubles are generally a much better option for testing.

I've developed a .NET 4 software and I'm ready to send it to beta users. If an unhandled exception is thrown in the software, I would like to catch it, log it and send the logs to me. I've already implemented this functionality and it seems to be running fine when I run it in debug mode with Visual Studio. However, when I've built a release version of the software and installed it, Microsoft .NET Framework starts to catch exceptions before my code. I get a popup with an error message: "Unhandled exception has occurred in a component in your application. If you click Continue, the application will ignore this error and attempt to continue."

To test the crashing, I created a crash down button which throws an exception. This crash down logs itself and the exception handler logs all received unhandled exceptions. When I look at the log of the release version, I can only see the log message from crash down but not from the exception handler.

I've attached my own exception handler with this code:

AppDomain.CurrentDomain.UnhandledException += CurrentDomain_UnhandledException;

Is there some way to disable the exception catching of .NET Framework or is there a better way to attach my own exception handler?

UPDATE: I'm using WPF. I'll look into the DispatcherUnhandledException and let you know if it solves the problem.

UPDATE #2: Unfortunately adding handler to Application.Current.DispatcherUnhandledException didn't solve the problem. Apparently this debugging popup is created by JIT (Just-In-Time) debugger which is included with Visual Studio. I'll have to test the software with a "civilian" Windows and see if the exceptions are catched there too.

UPDATE #3: For some reason the Release built with Visual Studio works but the Release built with MSBuild scripts and Dotfuscator does not.

I finally solved the problem. The problem was not caused by listening to wrong exceptions but due to missing a DLL from the released version.

After adding listeners for DispatchedUnhandledException and ThreadException events I no longer got the strange Microsoft .NET Framework popup which allowed the user to continue running the software after exception. However my own exception handling was still broken at this point.

Because the software was already crashing down at the moment when the exception handler was supposed to kick in, I had a catch (Exception) around the exception handler. After removing this catch I finally got the correct error message with release version and added the missing DLLs.

The lesson I learned (again) is: do not use empty catch (Exception) block. It is evil.

Something just occurred to me earlier today that has got me scratching my head.

Any variable of type Nullable<T> can be assigned to null. For instance:

int? i = null;

At first I couldn't see how this would be possible without somehow defining an implicit conversion from object to Nullable<T>:

public static implicit operator Nullable<T>(object box);

But the above operator clearly does not exist, as if it did then the following would also have to be legal, at least at compile-time (which it isn't):

int? i = new object();

Then I realized that perhaps the Nullable<T> type could define an implicit conversion to some arbitrary reference type that can never be instantiated, like this:

public abstract class DummyBox
{
    private DummyBox()
    { }
}

public struct Nullable<T> where T : struct
{
    public static implicit operator Nullable<T>(DummyBox box)
    {
        if (box == null)
        {
            return new Nullable<T>();
        }

        // This should never be possible, as a DummyBox cannot be instantiated.
        throw new InvalidCastException();
    }
}

However, this does not explain what occurred to me next: if the HasValue property is false for any Nullable<T> value, then that value will be boxed as null:

int? i = new int?();
object x = i; // Now x is null.

Furthermore, if HasValue is true, then the value will be boxed as a T rather than a T?:

int? i = 5;
object x = i; // Now x is a boxed int, NOT a boxed Nullable<int>.

But this seems to imply that there is a custom implicit conversion from Nullable<T> to object:

public static implicit operator object(Nullable<T> value);

This is clearly not the case as object is a base class for all types, and user-defined implicit conversions to/from base types are illegal (as well they should be).

It seems that object x = i; should box i like any other value type, so that x.GetType() would yield the same result as typeof(int?) (rather than throw a NullReferenceException).

So I dug around a bit and, sure enough, it turns out this behavior is specific to the Nullable<T> type, specially defined in both the C# and VB.NET specifications, and not reproducible in any user-defined struct (C#) or Structure (VB.NET).

Here's why I'm still confused.

This particular boxing and unboxing behavior appears to be impossible to implement by hand. It only works because both C# and VB.NET give special treatment to the Nullable<T> type.

1. Isn't it theoretically possible that a different CLI-based language could exist where Nullable<T> weren't given this special treatment? And wouldn't the Nullable<T> type therefore exhibit different behavior in different languages?

2. How do C# and VB.NET achieve this behavior? Is it supported by the CLR? (That is, does the CLR allow a type to somehow "override" the manner in which it is boxed, even though C# and VB.NET themselves prohibit it?)

3. Is it even possible (in C# or VB.NET) to box a Nullable<T> as object?

There are two things going on:

1) The compiler treats "null" not as a null reference but as a null value... the null value for whatever type it needs to convert to. In the case of a Nullable<T> it's just the value which has False for the HasValue field/property. So if you have a variable of type int?, it's quite possible for the value of that variable to be null - you just need to change your understanding of what null means a little bit.

2) Boxing nullable types gets special treatment by the CLR itself. This is relevant in your second example:

    int? i = new int?();
    object x = i;

the compiler will box any nullable type value differently to non-nullable type values. If the value isn't null, the result will be the same as boxing the same value as a non-nullable type value - so an int? with value 5 gets boxed in the same way as an int with value 5 - the "nullability" is lost. However, the null value of a nullable type is boxed to just the null reference, rather than creating an object at all.

This was introduced late in the CLR v2 cycle, at the request of the community.

It means there's no such thing as a "boxed nullable-value-type value".