1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
|
//------------------------------------------------------------------------------
// <copyright file="EnableViewStateMacRegistryHelper.cs" company="Microsoft">
// Copyright (c) Microsoft Corporation. All rights reserved.
// </copyright>
//------------------------------------------------------------------------------
namespace System.Web.Util {
using Microsoft.Win32;
using System;
using System.Globalization;
using System.Security.Permissions;
// See DevDiv #461378 for a description of why we authored the EnableViewStateMac patch using this helper class.
internal static class EnableViewStateMacRegistryHelper {
// Returns 'true' if the EnableViewStateMac patch (DevDiv #461378) is enabled,
// meaning that we always enforce EnableViewStateMac=true. Returns 'false' if
// the patch hasn't been activated on this machine.
public static readonly bool EnforceViewStateMac;
// Returns 'true' if all MAC validation errors should be considered harmless
// and ----ed.
public static readonly bool SuppressMacValidationErrorsAlways;
// Returns 'true' if we should suppress MAC validation errors from cross-page
// postbacks.
public static readonly bool SuppressMacValidationErrorsFromCrossPagePostbacks;
// Returns 'true' if we should write out a __VIEWSTATEGENERATOR field alongside
// each __VIEWSTATE field.
public static readonly bool WriteViewStateGeneratorField;
static EnableViewStateMacRegistryHelper() {
// If the reg key is applied, change the default values.
bool regKeyIsActive = IsMacEnforcementEnabledViaRegistry();
if (regKeyIsActive) {
EnforceViewStateMac = true;
SuppressMacValidationErrorsFromCrossPagePostbacks = true;
}
// Override the defaults with what the developer specified.
if (AppSettings.AllowInsecureDeserialization.HasValue) {
EnforceViewStateMac = !AppSettings.AllowInsecureDeserialization.Value;
// Exception: MAC errors from cross-page postbacks should be suppressed
// if either the <appSettings> switch is set or the reg key is set.
SuppressMacValidationErrorsFromCrossPagePostbacks |= !AppSettings.AllowInsecureDeserialization.Value;
}
SuppressMacValidationErrorsAlways = AppSettings.AlwaysIgnoreViewStateValidationErrors;
if (SuppressMacValidationErrorsAlways) {
// Cross-page postbacks fall under the "always" umbrella
SuppressMacValidationErrorsFromCrossPagePostbacks = true;
}
else {
// Need to write the __VIEWSTATEGENERATOR field to differentiate between cross-page
// and same-page postback scenarios.
if (SuppressMacValidationErrorsFromCrossPagePostbacks) {
WriteViewStateGeneratorField = true;
}
}
}
[RegistryPermission(SecurityAction.Assert, Unrestricted = true)]
private static bool IsMacEnforcementEnabledViaRegistry() {
try {
string keyName = String.Format(CultureInfo.InvariantCulture, @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v{0}", Environment.Version.ToString(3));
int rawValue = (int)Registry.GetValue(keyName, "AspNetEnforceViewStateMac", defaultValue: 0 /* disabled by default */);
return (rawValue != 0);
}
catch {
// If we cannot read the registry for any reason, fail safe and assume enforcement is enabled.
return true;
}
}
}
}
|
