#222 SecurityExceptions after post using WLW

closed
nobody
5
2008-03-20
2008-02-26
No

After posting (dasBlog 2.0.7226.0) using Windows Live Writer I saw many SecurityExceptions in the events at the server related to pings (PingbackWorker, auto-discovery and PingWeblogsWorker):

Error:
System.Security.SecurityException: Request for the permission of type 'System.Net.WebPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
at System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet)
at System.Security.CodeAccessPermission.Demand()
at System.Net.HttpWebRequest..ctor(Uri uri, ServicePoint servicePoint)
at System.Net.HttpRequestCreator.Create(Uri Uri)
at System.Net.WebRequest.Create(Uri requestUri, Boolean useUriBase)
at System.Net.WebRequest.Create(Uri requestUri)
at CookComputing.XmlRpc.XmlRpcClientProtocol.GetWebRequest(Uri uri)
at CookComputing.XmlRpc.XmlRpcClientProtocol.Invoke(Object clientObj, String methodName, Object[] parameters)
at CookComputing.XmlRpc.XmlRpcClientProtocol.Invoke(String MethodName, Object[] Parameters)
at newtelligence.DasBlog.Runtime.Proxies.WeblogUpdatesClientProxy.Ping(String weblogName, String weblogUrl)
at newtelligence.DasBlog.Runtime.BlogDataServiceXml.PingWeblogsWorker(Object argument)
The action that failed was:
Demand
The type of the first permission that failed was:
System.Net.WebPermission
The Zone of the assembly that failed was:
MyComputer
while processing PingWeblogsWorker, pinging PubSub.

====================

Error:
System.Security.SecurityException: Request for the permission of type 'System.Net.WebPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
at System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet)
at System.Security.CodeAccessPermission.Demand()
at System.Net.HttpWebRequest..ctor(Uri uri, ServicePoint servicePoint)
at System.Net.HttpRequestCreator.Create(Uri Uri)
at System.Net.WebRequest.Create(Uri requestUri, Boolean useUriBase)
at System.Net.WebRequest.Create(Uri requestUri)
at newtelligence.DasBlog.Runtime.BlogDataServiceXml.PingbackWorker(Object argument)
The action that failed was:
Demand
The type of the first permission that failed was:
System.Net.WebPermission
The Zone of the assembly that failed was:
MyComputer
while processing PingbackWorker, auto-discovery of: http://www.thawte.com/.

========================
Error:
System.Security.SecurityException: Request for the permission of type 'System.Net.WebPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
at System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet)
at System.Security.CodeAccessPermission.Demand()
at System.Net.HttpWebRequest..ctor(Uri uri, ServicePoint servicePoint)
at System.Net.HttpRequestCreator.Create(Uri Uri)
at System.Net.WebRequest.Create(Uri requestUri, Boolean useUriBase)
at System.Net.WebRequest.Create(Uri requestUri)
at newtelligence.DasBlog.Runtime.BlogDataServiceXml.PingbackWorker(Object argument)
The action that failed was:
Demand
The type of the first permission that failed was:
System.Net.WebPermission
The Zone of the assembly that failed was:
MyComputer
while processing PingbackWorker, auto-discovery of: http://technorati.com/tags/free%20e-mail%20certificate

Discussion

  • Logged In: YES
    user_id=1356966
    Originator: NO

    If you're running in Medium Trust, please add the originUrl attribute to allow outgoing web requests:
    <trust level="Medium" originUrl=".*" />

     
    • status: open --> pending
     
  • Logged In: YES
    user_id=714452
    Originator: YES

    I'm hosting dasBlog at webhost4life.com, AFAIK not a medium trust hoster.
    But if so, where does that config setting live? In web.config?

     
    • status: pending --> open
     
  • Logged In: NO

    It does live in web.config under the system.web element. Since 2.0 we switched the defaults to Medium Trust, so it may well be that it's configured for your blog.

     
    • status: open --> pending
     
    • status: pending --> open
     
  • Logged In: YES
    user_id=714452
    Originator: YES

    Looks like you are right: the line in my web.config looks like that:
    <trust level="Medium" originUrl="" />
    I added the ".*" to the attribute and think that issue can be closed.
    Why is it not delivered that way (instead of an empty attribute)?
    At least there should be a comment in the admin page (where I can configure the ping backs) that one has to apply that to work successfully (or change it automatically if a ping back is checked on)...

     
    • status: open --> closed
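
Added example (not part of the original thread and not dasBlog code): a Python sketch that reads the `<trust>` element from a web.config and reports which of the logged ping targets a Medium Trust `originUrl` pattern would let through. It assumes the pattern must match the whole URL; the function names and the sample config strings are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed web.config samples using the two <trust> lines quoted in the thread.
TEMPLATE = "<configuration><system.web>{}</system.web></configuration>"
SHIPPED = TEMPLATE.format('<trust level="Medium" originUrl="" />')
FIXED = TEMPLATE.format('<trust level="Medium" originUrl=".*" />')

# Destinations named in the logged SecurityExceptions.
PING_TARGETS = [
    "http://www.thawte.com/",
    "http://technorati.com/tags/free%20e-mail%20certificate",
]

def read_trust(config_xml):
    """Return (level, originUrl); ASP.NET runs at Full trust when no <trust> element is set."""
    trust = next(ET.fromstring(config_xml).iter("trust"), None)
    if trust is None:
        return "Full", ""
    return trust.get("level", "Full"), trust.get("originUrl", "")

def outbound_allowed(level, origin_url, url):
    """Model the WebPermission check for Full and Medium trust only."""
    if level == "Full":
        return True                      # no code access security restrictions
    if level != "Medium":
        raise ValueError("trust level %r is not modelled here" % level)
    if not origin_url:
        return False                     # empty originUrl: no outbound WebPermission
    # Assumption: the pattern has to match the entire URL, hence fullmatch.
    return re.fullmatch(origin_url, url) is not None

def audit(config_xml, targets=PING_TARGETS):
    """Report which targets would fail and whether the pattern allows every URL."""
    level, origin_url = read_trust(config_xml)
    blocked = [u for u in targets if not outbound_allowed(level, origin_url, u)]
    return {
        "level": level,
        "originUrl": origin_url,
        "blocked": blocked,
        "unrestricted": level == "Full" or origin_url == ".*",
    }

if __name__ == "__main__":
    for name, cfg in (("shipped", SHIPPED), ("fixed", FIXED)):
        print(name, audit(cfg))
```

The `unrestricted` flag marks a pattern such as `.*` that permits requests to any URL, which is what the pingback auto-discovery in the logs needs but is also the widest grant the attribute can express.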