tags:

views:

79

answers:

2
+2  Q: 

Why does DotNetNuke have validation disabled?

Can anyone shed some light on why DotNetNuke comes configured with request validation and event validation disabled? They’re both off at the web.config level for a default install which seems to be a regressive approach. Are there any sound reasons for this and what is the functional impact on DotNetNuke if they’re turned back on?

Obviously appropriate input validation should be happening in code anyway but the native .NET framework behaviour is always a nice fallback.

Update: further thoughts on this in Request Validation, DotNetNuke and design utopia

+3  A: 

Global validation of all input is a bad practice. Like most applications DotNetNuke works on a by function by function basis for input validation.

The creation of a vulnerable code is highly dependent on how the user input is being used. For instance SQL Injection and XSS both rely on very different control characters. SQL injection can be caused by not filtering one of three characters '"\, where as most XSS is caused by not filtering <>. SQL Injection can also be caused by not using control characters, for instance this code is vulnerable to SQL Injection because it doesn't have have quote marks around id:

SqlCommand("SELECT username FROM users where id="+id)

Global input validation such as magic_quotes_gpc under PHP will also fail to prevent this type of attack, and that is one of the reasons why its being removed in PHP6.

Rook  2010-02-25 06:19:47
Are you saying global validation itself is bad or only if it is used in place of explicitly validating input on a case by case basis? I fail to see how using it as an additional safety net is ever a bad thing. Certainly Microsoft thought it worth including.
Troy Hunt  2010-02-25 23:09:26
@Troy Hunt Yes global input validation is bad. It makes programmers lazy and it will never be able to prevent all vulnerabilities. Although I admit that magic_quotes_gpc will prevent most sql injection. The problem is that *most* is not good enough, it only takes 1 vulnerability to get Pnw3d. Programmers must be responsible for the vulnerabilities they create and must know how to patch them.
Rook  2010-02-27 01:48:02
+2  A: 

It turns out the folks at DotNetNuke have disabled this in order to facilitate submission of HTML content through rich text controls. Turning off both request and event validation are by design.

I would have preferred to see this done at the page level where required. Global validation in no way absolves the developer from validating input at each point where it’s captured but I still maintain having this feature is good insurance and disabling it does create a risk. I’d be very interested to see how many DNN sites out there have XSS vulnerabilities as a result of no global validation combined with poor development practice.

Troy Hunt  2010-02-25 23:21:15

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps