Based on the source code of Mono's System.Web.Handlers.AssemblyResourceLoader, I think that the implementation is flawed.

I am going to describe the problem, but I think that you should file a bug report.

Although it is using a hashing algorithm that always results in the same hash for the same script resource, hashes are not generated and stored in the dictionaries unless a link is generated; thus a resource is not available until a link to it has been generated by the same AppDomain.

As such, even AppDomain restarts can trigger the problem, although a simple refresh on the page fixes it by generating hashes for the web resources, which subsequently can be retrieved from the server, provided that there is only one AppDomain (one process, one server) serving the requests.

As I see it, at least the assembly name should be included in the query string; resource hashes can be regenerated based on the WebResourceAttributes of the assembly.

To prevent loading arbitrary assemblies, the assembly name should be encrypted using the machine key and also signed using HMAC to avoid a padding oracle vulnerability similar to CVE-2010-3332 that the MS implementation had (encrypted view state, forms authentication cookie, and WebResource.axd were all affected).

Kornel

On 1/2/2013 12:34 PM, Ovidiu Deac wrote:
I'm running nginx which does load balancing over several instances of
fastcgi-mono-server4

Apparently when a webresource link is handled by a different
fastcgi-mono-server than the one which originally produced the link it
returns a 404 error.

I have set a persistent machinekey as recommended for webfarms but the
problem still remains.

Any idea what else could be wrong?

If it makes any difference: the application is written with
F#/WebSharper and we disabled the session state and the forms
authentication.

Thanks


_______________________________________________
Mono-aspnet-list mailing list
Mono-aspnet-list@lists.ximian.com
http://lists.ximian.com/mailman/listinfo/mono-aspnet-list
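The token scheme Kornel proposes above, written out as an added example (this is not Mono's or Microsoft's code): the assembly and resource names are AES-CBC encrypted under the decryption key, and IV||ciphertext is then HMAC-SHA256 signed under the validation key (encrypt-then-MAC), so any server sharing the same <machineKey> can rebuild the resource without having generated the link itself, while a tampered token fails the MAC before any decryption happens and leaves no padding oracle to probe. The keys, the `ResourceToken` class and its method names are assumptions made for this example.

```csharp
// Added example: farm-safe WebResource token = AES-CBC(name) under the decryption key,
// followed by HMAC-SHA256 over IV||ciphertext under the validation key (encrypt-then-MAC).
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
static class ResourceToken
{
    // Constructed sample keys; a real farm loads both from the shared <machineKey> element.
    static readonly byte[] EncKey = Enumerable.Range(1, 32).Select(i => (byte)i).ToArray();
    static readonly byte[] MacKey = Enumerable.Range(101, 64).Select(i => (byte)i).ToArray();
    const int TagLen = 32, IvLen = 16;
    public static string Protect(string assemblyName, string resourceName)
    {
        byte[] plain = Encoding.UTF8.GetBytes(assemblyName + "|" + resourceName);
        using (var aes = Aes.Create())
        using (var mac = new HMACSHA256(MacKey))
        {
            aes.Key = EncKey; aes.GenerateIV();   // CBC with PKCS7 padding is the default mode
            byte[] ct = aes.CreateEncryptor().TransformFinalBlock(plain, 0, plain.Length);
            byte[] body = aes.IV.Concat(ct).ToArray();         // IV travels with the ciphertext
            byte[] token = body.Concat(mac.ComputeHash(body)).ToArray();
            return Convert.ToBase64String(token);  // UrlEncode this before use in the query string
        }
    }
    // Returns null for anything that is not a genuine token; the handler then answers 404.
    public static string[] Unprotect(string token)
    {
        byte[] bytes; try { bytes = Convert.FromBase64String(token); } catch (FormatException) { return null; }
        if (bytes.Length < IvLen + 16 + TagLen) return null;   // too short to hold IV, one block and tag
        byte[] body = bytes.Take(bytes.Length - TagLen).ToArray();
        byte[] tag = bytes.Skip(bytes.Length - TagLen).ToArray();
        using (var mac = new HMACSHA256(MacKey))
        {
            byte[] expected = mac.ComputeHash(body);
            int diff = 0;                          // constant-time compare: no early exit on mismatch
            for (int i = 0; i < TagLen; i++) diff |= expected[i] ^ tag[i];
            if (diff != 0) return null;            // MAC failed: never reaches the decryptor
        }
        using (var aes = Aes.Create())
        {
            aes.Key = EncKey; aes.IV = body.Take(IvLen).ToArray();
            byte[] plain = aes.CreateDecryptor().TransformFinalBlock(body, IvLen, body.Length - IvLen);
            string[] parts = Encoding.UTF8.GetString(plain).Split('|');
            return parts.Length == 2 ? parts : null;   // [assemblyName, resourceName]
        }
    }
}
```

After `Unprotect` succeeds, the handler still has to confirm that the named assembly actually declares the resource through a WebResourceAttribute before serving it, which is what keeps the token from loading arbitrary assemblies.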
