I currently use custom error codes when something goes wrong with my jQuery Ajax calls.
Does this new security issue mean I have to stop using this method for passing information back to my app?
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
Is it still possible to pass decent error messages, or is it just one fixed error message? Will this ever be truly fixed?
Your jQuery Ajax calls probably do not have any encryption and verification data to crack.
Yes, it's possible to pass a decent error message, but you do not need to give them details for the error code; just tell them that something is going wrong.
Of course, this has nothing to do with input validation.
Unfortunately, by using the MS workaround you won't be able to return different HTTP error codes.
If those calls don't involve encryption at all, it's not part of the vulnerability to pass different error codes back to the client. But as I said, the MS workaround won't allow you to.
If you must, switch to use a workaround that does the very same in Application_Error (including setting the same response code and the random cryptographic delay). You can put some extra custom code, to make sure you can use the special case of your custom error codes.
I recommend applying the MS workaround and waiting for the patch instead of working around it the above way.
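The Application_Error approach described in the answer above, as an added example that is not part of the original post or of Microsoft's published workaround. AjaxAppException, the fixed 500 status and the generic message are assumptions made for illustration; the code assumes .NET 4.0 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Threading;
using System.Web;

// Hypothetical exception type, thrown only by the application's own Ajax
// handlers and never by framework code that decrypts request data.
public class AjaxAppException : Exception
{
    public int StatusCode { get; private set; }
    public AjaxAppException(int statusCode, string message) : base(message) { StatusCode = statusCode; }
}

// Code-behind for Global.asax.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        // Page exceptions arrive wrapped in HttpUnhandledException,
        // so look at the innermost exception.
        Exception error = Server.GetLastError();
        Exception root = (error == null) ? null : error.GetBaseException();
        Server.ClearError();

        // Random delay (0-255 ms) from a cryptographic RNG on every error path.
        byte[] delay = new byte[1];
        using (RandomNumberGenerator rng = new RNGCryptoServiceProvider())
            rng.GetBytes(delay);
        Thread.Sleep(delay[0]);

        Response.Clear();
        Response.TrySkipIisCustomErrors = true;
        Response.ContentType = "text/plain";

        AjaxAppException appError = root as AjaxAppException;
        if (appError != null)
        {
            // Special case: the application's own error code and message.
            Response.StatusCode = appError.StatusCode;
            Response.Write(appError.Message);
        }
        else
        {
            // Every other failure gets one identical status and body,
            // so the response does not reveal which kind of error occurred.
            Response.StatusCode = 500; // assumed fixed value
            Response.Write("An error occurred.");
        }
    }
}
```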