Environment: VC6 SP1, SP2, SP3, NT4 SP4
ATL has no native string class. To manipulate strings, you have several choices: Standard Template Library (STL), roll-your-own C++ classes, or the tried-and-true MFC CString class. The problem with CString, though, is that it's part of the MFC library. Many developers will include MFC support in their ATL servers just to get the CString class. However, this defeats ATL's goal of producing small, efficient, high-performance servers - and it's not necessary!!!
Since I cannot distribute the extracted CString source code, as it would violate the Microsoft EULA, I have done the next best thing - created a DevStudio macro that will do the extraction for you based on your licensed copy of the MFC source code files. The result is two files, a .h and a .cpp file, that will be placed in the ATL SRC and INCLUDE directories. You can then add these files to any ATL project and get all the benefits of the fully functional CString class.
To produce the files, download and open the MFCCStringForATL.DSM macro file. Find the following lines and modify the path specified by sDevStudioPath to match the location of your DevStudio source files.
' Replace with your equivalent path to the Dev Studio directory.
sDevStudioPath = "C:\Program Files\Microsoft Visual Studio\VC98\"
Save the MFCCStringForATL.DSM macro file if modifications were made. Next, load the macro via the Tools | Customize menu, Add-ins and Macro Files tab. Click Browse and locate the MFCCStringForATL.DSM file. Select Open. Select Close to close the Customize dialog. Next, select Macro from the Tools menu to display the Macro dialog. Make sure the correct macro file is selected, then select Run. If the macro is successful, the newly generated files will be placed in the ATL Src and Include directories (default location: C:\Program Files\Microsoft Visual Studio\VC98\ATL\).
To make sure the extracted CString methods work exactly as they do in an MFC project, I have included an MFC test application that tests the native MFC CString class and the extracted ATL version. The ATL version is tested via an ATL COM component. The MFC test application creates an instance of this component and calls a method which performs the tests and returns the results. The test cases were taken from the MSDN documentation. Believe it or not, some of the CString methods fail using the documented test cases. However, the tests fail in both versions, which is the point of the test application - to prove that the CString class is successfully extracted and performs identically to the MFC version. If you build the test application and ATL component, make sure that both of the build configurations are identical (Debug/Debug, Debug Unicode/Debug Unicode, Release/Release, etc.). It is important to test apples to apples. Otherwise, the test results are meaningless.
The CString class uses C++ exception handling. Unless you want to modify the extracted class, your ATL servers must have C++ exception handling enabled. It is disabled by default.