<< Interesting Perf Lesson | Home | Atlas Web Application Project ... >>

OriginUrl Supports Regular Expressions

In a recent post I ranted about how ASP.NET denies WebPermission in Medium Trust. I also mentioned that there may be some legitimate reasons to deny this permission based on this hosting guide.

Then Cathal (thanks!) emailed me and pointed out that the originUrl does not take wildcards, it takes a regular expression.

So I updated the <trust /> element of web.config like so:

<trust level="Medium" originUrl=".*" />

Lo and Behold, it works! Akismet works. Trackbacks work. All in Medium Trust.

Of course, a hosting provider can easily override this as Scott Guthrie points out in my comments. I need to stop blogging while sleep deprived. I have a tendency to say stupid things.

Now a smart hosting company can probably create a custom medium trust policy in order to make sure this doesn’t work, but as far as I can tell, this completely works around the whole idea of denying WebPermission in Medium Trust.

~~If I can simply add a regular expression to allow all web requests, what’s the point of denying WebPermission?~~

Tags: ASP.NET, WebPermission, Medium Trust, Security

What others have said

Rob Conery Oct 19, 2006 5:19 PM

# re: A Hole In Medium Trust Regarding Web Permission

Most ISPs have the primary setting (in the machine.config) set as not overridable. I have tried this many times with regards to PayPal, and would be quite interested if you go it to work on a host like GoDaddy.

scottgu Oct 20, 2006 12:09 AM

# re: A Hole In Medium Trust Regarding Web Permission

Yep -- the behavior to allow a regex to filter is by design. Hosters can then choose to lock this down by wrapping it with a location tag set to override="false".

Hope this helps,

Scott

scottgu Oct 20, 2006 1:19 AM

# re: OriginUrl Supports Regular Expressions

:-)