ASP.NET Security Vulnerability Error Handling Project Part 2

Added note: A patch has been created. See Scott Guthrie's post here.  

In ASP.NET Security Vulnerability Error Handling Project Part 1, we discussed implementing a project that utilizes the suggestions made in Scott Guthrie's post on ASP.NET Security Vulnerability. Even after Microsoft releases a patch for this security vulnerability, this working project will still be valuable for generating your error messages and sending emails.

I showed how to set up the web.config file, add the sleep delay, and optionally display the error on screen for developer debugging. Now we'll discuss the actual error handling.

The complete project can be found in this NannetteThackerErrorHandling.zip file.

In the ErrorHandling class, we retrieve the last error as a System.Exception. We use the function "getDebugValues()" to retrieve more detailed debugging information. We also get the HTML error message. All of this is sent via email to the address set up in the web.config file:

' Requires: Imports System.Web and Imports System.Web.Configuration
Public Shared Function Application_Error(ByVal getLastError As System.Exception, _
        ByVal rawUrl As String, ByVal userName As String) As String

    Dim getString As String = String.Empty

    Try

        ' Get the error details.
        ' TryCast returns Nothing when the error is not an HttpException,
        ' so the details are read from the original exception instead.
        Dim lastErrorWrapper As HttpException = TryCast(getLastError, HttpException)
        Dim lastError As Exception = getLastError
        Dim lastErrorTypeName As String = lastError.GetType().ToString()
        Dim lastErrorMessage As String = lastError.Message
        Dim lastErrorStackTrace As String = If(lastError.StackTrace, String.Empty)
        Dim ToAddress As String = WebConfigurationManager.AppSettings("ErrorHandlingMailTo")
        Dim Subject As String = "An Error Has Occurred!"

        ' The URL, user name, message and stack trace can contain request-supplied text.
        ' FormatTableRow is handed markup (<br />) below, so the values are
        ' HTML-encoded here before they are placed in the table.
        getString = getString & "<table cellpadding=""5"" cellspacing=""0"" border=""1"">" & Environment.NewLine
        getString = getString & GetValues.FormatTableRow("TIME:", Date.Now().ToString)
        getString = getString & GetValues.FormatTableRow("URL:", HttpUtility.HtmlEncode(rawUrl))
        getString = getString & GetValues.FormatTableRow("USER:", HttpUtility.HtmlEncode(userName))
        getString = getString & GetValues.FormatTableRow("EXCEPTION TYPE:", HttpUtility.HtmlEncode(lastErrorTypeName))
        getString = getString & GetValues.FormatTableRow("MESSAGE:", HttpUtility.HtmlEncode(lastErrorMessage))
        getString = getString & GetValues.FormatTableRow("STACK TRACE:", _
            HttpUtility.HtmlEncode(lastErrorStackTrace).Replace(Environment.NewLine, "<br />"))
        getString = getString & " </table>"

        Dim body As String = Environment.NewLine & "<html>" & Environment.NewLine & _
            " <body>" & Environment.NewLine & " <h1>An Error Has Occurred!</h1>" & Environment.NewLine

        getString = getString & GetValues.getDebugValues() ' add more details to aid in debugging

        ' Display the Yellow Screen of Death for this error.
        ' Only an HttpException can supply the YSOD markup.
        If lastErrorWrapper IsNot Nothing Then
            Dim YSODmarkup As String = lastErrorWrapper.GetHtmlErrorMessage()
            If Not String.IsNullOrEmpty(YSODmarkup) Then
                getString = getString & YSODmarkup
            End If
        End If

        body = body & getString & " </body>" & Environment.NewLine & "</html>"

        ' For more information on sending email from an ASP.NET application see:
        ' http://aspnet.4guysfromrolla.com/articles/072606-1.aspx
        MailHelper.SendMailMessage(ToAddress, Subject, body)

    Catch ex As Exception
        ' Swallowed on purpose: the error handler itself must never throw.
    End Try

    Return getString ' return the getString value to optionally print to screen on debugging...

End Function

The GetValues class functions are included in the final ZIP project. In ASP.NET Security Vulnerability Error Handling Project Part 3, I'll show the SendMailMessage function.

May your dreams be in ASP.NET! 
