Set the controls to lightly toasted muffins...
 Sunday, March 12, 2006

This is old hat and more of a bookmark for me when I bump into this each time I'm working with XML documents that have a default namespace declared. But I thought I'd share anyway.

Take the following simple XML document:

<?xml version="1.0" encoding="utf-8" ?>
<products xmlns="urn:backoffice:products">
   <product id="100-1100">
      <description>JVC CD Player</description>
      <price>120.99</price>
      <category>100</category>
   </product>
   <product id="100-1101">
      <description>Sony CD Player</description>
      <price>122.99</price>
      <category>100</category>
   </product>
   <product id="100-1102">
      <description>LG DVD Player</description>
      <price>109.99</price>
      <category>110</category>
   </product>
   <product id="100-1103">
      <description>Technics DVD Player</description>
      <price>199.99</price>
      <category>110</category>
   </product>
</products>

You might expect that the code to select all the product nodes would look like:

XmlNamespaceManager nsm = new XmlNamespaceManager(new NameTable());
nsm.AddNamespace("", "urn:backoffice:products");
XmlNodeList productList = products.SelectNodes("/products/*", nsm);

The above seems the logical thing to do because the default namespace doesn't have a prefix, so you naturally go ahead and specify String.Empty (or "", whichever) when adding it to the namespace manager. Additionally, if you execute the code, set a breakpoint after adding the namespace and inspect the DefaultNamespace property of 'nsm', you'll see that it's even set to "urn:backoffice:products". However, the XmlNodeList returned from products.SelectNodes has no nodes.

This confused the hell out of me when I first encountered it way back when and I tripped up on it again last week. What's going on?

Basically XPath expressions select nodes that are either in a namespace or in the empty namespace. The XPath expression '/products/*' is selecting nodes from the empty namespace (xmlns="") but the document above is defining a default namespace of 'urn:backoffice:products' which is not the empty namespace. We have to tell XPath to select nodes from the namespace 'urn:backoffice:products' otherwise no nodes will be returned.

So how do we do this?

XmlNamespaceManager nsm = new XmlNamespaceManager(new NameTable());
nsm.AddNamespace("p", "urn:backoffice:products");
XmlNodeList productList = products.SelectNodes("/p:products/*", nsm);

We add the namespace with an arbitrary prefix and the XmlNamespaceManager is used to expand 'p' to the default namespace name which then brings the nodes we're interested in into scope.
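The snippets above only use `*` for the child step, which hides the fact that every named element step needs the prefix too. The following is an added example, not code from the original post; the class name and the shortened sample document are constructed for illustration.

```csharp
using System;
using System.Xml;

class NamespaceXPathDemo   // hypothetical class name
{
    // Constructed sample: a shortened copy of the products document above.
    const string Sample =
        "<products xmlns='urn:backoffice:products'>" +
        "<product id='100-1100'><description>JVC CD Player</description>" +
        "<price>120.99</price><category>100</category></product>" +
        "<product id='100-1102'><description>LG DVD Player</description>" +
        "<price>109.99</price><category>110</category></product>" +
        "</products>";

    // Runs one XPath query and lists what it selected.
    static void Report(XmlNode context, string xpath, XmlNamespaceManager nsm)
    {
        XmlNodeList hits = context.SelectNodes(xpath, nsm);
        Console.WriteLine("{0} -> {1} node(s)", xpath, hits.Count);
        foreach (XmlNode hit in hits)
            Console.WriteLine("   " + hit.InnerText);
    }

    static void Main()
    {
        XmlDocument products = new XmlDocument();
        products.LoadXml(Sample);

        XmlNamespaceManager nsm = new XmlNamespaceManager(products.NameTable);
        nsm.AddNamespace("p", "urn:backoffice:products");

        // Unprefixed names are looked up in the empty namespace, so neither
        // step matches an element of this document.
        Report(products, "/products/product", nsm);

        // Prefixing only the root is not enough: 'product' is still
        // looked up in the empty namespace.
        Report(products, "/p:products/product", nsm);

        // Every element name carries the prefix, including names in a predicate.
        Report(products, "/p:products/p:product[p:category='110']/p:description", nsm);

        // Unprefixed attributes are in no namespace, so @id takes no prefix.
        Report(products, "/p:products/p:product[@id='100-1100']/p:price", nsm);
    }
}
```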

One thing that still puzzles me though is the purpose of the DefaultNamespace property in the XmlNamespaceManager and I guess some digging around will uncover its intentions because the MS docs are pretty vague.

 

Sunday, March 12, 2006 4:49:49 AM UTC  #    Comments [3] -
.NET

I haven't done the show for a couple of weeks, mostly because I fancied a couple of Fridays off just to finish work and kick back in front of the telly and catch up on some reading. Also I've been feeling a bit burned out and there's no point sitting in the studio with a lacklustre and last minute choice of tunes and no research and just playing tunes like a robot.

That said, it hasn't kept me from adding a few new items to my music library over the past few weeks -

Mogwai - Mr Beast their newest release and Come on Die Young and Young Team just to complete the set. I'm also seeing them in Edinburgh in April at the Queens Hall. Looking forward to it immensely.

The Dandy Warhols - Come Down, Dandy's Rule Ok, Odditorium Or Warlords of Mars, Thirteen Tales... and Welcome to the Monkey House. I was really put off the Dandy's because of that infernal Vodafone(?) advert which ruined a perfectly good tune. I'm glad I revisited them as they're bloody marvelous.

65 Days of Static - Fall of Math, One For All Time. These guys are just amazing and I'd say they're one of the standard bearers of the 'post rock' movement. If you like Mogwai then you're gonna love these guys.

Sparklehorse - I already had 'It's a Wonderful Life' and figured it was time to flesh out with Good Morning Spider, Vivadixiesubmarinetransmissionplot.

Roxy Music - Roxy Music, For Your Pleasure, Stranded, Country Life and Siren. I had these on tape years ago and they were ridiculously cheap on Amazon's marketplace.

The Wedding Present - George Best, Seamonsters, Bizarro and Take Fountain.

The Delays - Faded Seaside Glamour and You See Colours

So as you can see I've got a lot of listening to catch up on and I now need a bigger shelf for my CD's. Anyway I'll be back on the radio next week and if you're in the Perth or Pitlochry area next Friday then tune into 97.5FM between 10pm and midnight.

 

Sunday, March 12, 2006 2:23:11 AM UTC  #    Comments [0] -
Other
 Tuesday, March 07, 2006

It's that time of year again for the South by South West Festival (SxSW - March 10th - 19th) in Austin Texas. I first heard about SxSW last year when I started tuning into BBC Radio 6 a bit more frequently (Stuart Maconie's Freak Zone to be precise). The festival has a fairly eclectic schedule of bands playing and it was where (on radio 6) I first heard what has become one of my favourite bands - The American Analogue Set. You should check out radio 6 next week for ongoing coverage. Next year I'll maybe make it over there and also to another festival in the states I've wanted to attend for years.

Tuesday, March 07, 2006 10:27:06 AM UTC  #    Comments [0] -
Other
 Monday, March 06, 2006

If you host your ASP.NET 1.x website with a hosting company that allows the use of Microsoft Access databases and SQL Server and you host in a shared environment then take some time to consider how secure your SQL data is, or rather possibly isn't.

I have shared hosting accounts with a couple of very well known ASP.NET hosting companies. To discover how secure the shared ASP.NET environments were I found that I was able to traverse out of my web folder to other users' web directories and read their web.config files (and of course their SQL Server connection strings and other such goodies).

To use Access databases you generally utilise the data access classes in System.Data.OleDb. There's an unfortunate shortcoming about System.Data.OleDb which is that you need to be running ASP.NET under Full Trust to use it. The security impact of this in a shared hosting environment is that users can exploit this, as I did, to begin touring other customers' website folders in search of secrets such as SQL connection strings.

In a shared hosting environment each website runs under its own unique IUSR_<xxx> anonymous user account and ASP.NET is set to impersonate that account for each request that is handled by the site. The <identity/> impersonate attribute is set to 'true' in the server's machine.config file like this -

    <identity impersonate="true" userName="" password=""/> 


The web folder, which is the root of your website, also has at least the following NTFS permissions on it - read/write access for the IUSR_<xxx> account and Read access for the ASP.NET worker process account (NETWORK SERVICE if running Windows 2003 or ASPNET if running under Windows 2000). As you can see, the worker process account has read access to every site on the shared server. The reason for this is that ASP.NET needs to be able to monitor the web folders for file changes and to be able to read your ASP.NET files (.aspx, .ascx, dll's etc) to be able to compile them.

If you execute this page script in your website you can discover what your anonymous user account is:

<%@ Page language="c#" runat="server"%>
<%@ Import Namespace="System.Security.Principal" %>
<script runat=server>
   void Page_Load(Object sender, EventArgs e) {
      Response.Write("<b>Identity:</b>" + WindowsIdentity.GetCurrent().Name + "<br/>");
   }
</script>

Let's modify the script to this:

<%@ page language="c#" runat="server"%>
<%@ Import Namespace="System.Security.Principal" %>
<%@ Import Namespace="System.Runtime.InteropServices" %>
<script runat=server>
   [DllImport(@"C:\WINDOWS\system32\advapi32.dll")]
   public static extern bool RevertToSelf();

   void Page_Load(Object sender, EventArgs e) {
      Response.Write("<b>Identity:</b>" + WindowsIdentity.GetCurrent().Name + "<br/>");
      RevertToSelf();
      Response.Write("<b>Identity:</b>" + WindowsIdentity.GetCurrent().Name + "<br/>");
   }
</script>

If your server is running ASP.NET under Full Trust then the RevertToSelf() function ends the impersonation and the remainder of the request executes under the worker process identity; otherwise you'll get an exception thrown (to obtain the path to the system32 directory, examine the value of the System.Environment.SystemDirectory property).

So what does this mean? The worker process account has read permission to every website folder on the server so it's possible (and I did) to write a script to traverse these folders and harvest web.config files. In fact it's also possible to harvest critical information from every folder that the worker process account has read rights on.

To mitigate this issue you could run each website in its own application pool and give each application pool its own identity, and each web folder would have NTFS permissions for each of those identities. However this is not really a practical or manageable solution because in a shared hosting environment there can be anything between 500 and 1000 websites. Can you imagine managing up to 1000 application pools and worker processes on the web server? Can you imagine the ACL management for all of those areas that ASP.NET likes to touch? Also your $10.00 a month hosting company is unlikely to give you your own application pool and identity, no matter how nicely you ask, because it's just not economically viable for them. They are more likely to suggest that you buy one of their dedicated server solutions.

So the bottom line is this. If you're hosting on a shared environment and your hosting company allows the use of Access databases then beware that your sensitive SQL data is at risk because -

  • to use Access means ASP.NET 1.x has to run at Full Trust
  • Full Trust means that the user can call RevertToSelf() to end impersonation and run as the worker process identity
  • most likely all the websites run in the same worker process under the same identity
  • the worker process identity will have read access to your web folders

Fortunately in ASP.NET 2.0 the Full Trust issue is more or less fixed (System.Data.OleDb and System.Data.Odbc can run under Medium Trust) but if the server is running both ASP.NET 1.x and ASP.NET 2.0 you're still not secure.
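A site owner can check from inside their own account whether the host leaves them in the situation the list above describes, by demanding the relevant permissions and seeing which are granted. This is an added example, not code from the original post; `TrustProbe` and its method names are hypothetical, and it is written without newer C# features so it compiles on ASP.NET 1.1.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Web;

// Hypothetical helper: call TrustProbe.Describe() from Page_Load and
// write the result to the response.
public sealed class TrustProbe
{
    private TrustProbe() {}

    // Highest ASP.NET trust level whose permission demand succeeds for
    // the calling code. Unrestricted corresponds to Full Trust.
    public static AspNetHostingPermissionLevel CurrentLevel()
    {
        AspNetHostingPermissionLevel[] levels = new AspNetHostingPermissionLevel[] {
            AspNetHostingPermissionLevel.Unrestricted,
            AspNetHostingPermissionLevel.High,
            AspNetHostingPermissionLevel.Medium,
            AspNetHostingPermissionLevel.Low,
            AspNetHostingPermissionLevel.Minimal
        };
        foreach (AspNetHostingPermissionLevel level in levels)
        {
            if (IsGranted(new AspNetHostingPermission(level)))
                return level;
        }
        return AspNetHostingPermissionLevel.None;
    }

    // P/Invoke calls such as RevertToSelf() require the UnmanagedCode
    // security permission; without it the call throws SecurityException.
    public static bool CanCallUnmanagedCode()
    {
        return IsGranted(new SecurityPermission(SecurityPermissionFlag.UnmanagedCode));
    }

    private static bool IsGranted(IPermission permission)
    {
        try { permission.Demand(); return true; }
        catch (SecurityException) { return false; }
    }

    public static string Describe()
    {
        return "Trust level: " + CurrentLevel() +
               "; unmanaged code allowed: " + CanCallUnmanagedCode();
    }
}
```

If this reports Unrestricted with unmanaged code allowed, other tenants on the same server can run the same way, and secrets kept in web.config should be treated as readable by them.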

Thanks to Dominick for the time spent discussing this.

Update:

I did some poking around and found this article by K. Scott Allen which is worthwhile taking a look at.

Monday, March 06, 2006 2:27:01 AM UTC  #    Comments [0] -

 Wednesday, March 01, 2006

I just finished K-Pax III: The Worlds of Prot, the third and final installment about the mysterious 'prot' character who claims to be from the planet K-Pax. It's a pretty light hearted affair and has all the welcome familiarity of the characters and settings of the previous two books about Gene and prot. That said I didn't feel there was as much substance in this encounter with prot as the original K-Pax but it's still a good read if you're in between a couple of heavier tomes. 7/10.

Wednesday, March 01, 2006 2:42:50 AM UTC  #    Comments [0] -
Reading
Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.

© Copyright 2008
Kevin Kenny