Each .aspx page is rendered by one of two possible parsers. When a request is received for an .aspx page, the SharePoint ISAPI filter determines who will handle the rendering of the page: Asp.net or the SharePoint SafeMode parser. The first parser, Asp.net, requires the least amount of introduction. The second parser is unique to Windows SharePoint Services.
The intent of this discussion is to cover the differences between the two parsers. To be very clear, this discussion applies to pages which come from the main application root of a SharePoint virtual server. Pages which originate from either the "_layouts" or "_vti_bin" virtual directories can be excluded from the discussion.
As everyone knows, all pages within SharePoint are stored in the database. This effectively means that for each document, you will find a row in the docs table for that document. The actual file is stored in the Content column. This is true for all files. However, there is one exception - some .aspx pages don't actually have their content stored in the database. Instead, these pages reference files which exist on the server's file system. These pages are considered ghosted pages.
From a technical standpoint, ghosted pages are those rows in the docs table which have null values for the Content column and a non-null value for the SetupPath column which points to a file on the file system itself. The referenced file essentially serves as a template and content source.
What pages are ghosted? For example, the default home page is a ghosted page. Any web part pages created via the New Web Part Page user interface are also ghosted.
As you can see, I've described ghosted pages as the exception to the rule. What does it mean if a document doesn't reference a template on the file system? Or, more to the point, the Content column actually contains data? These pages are known as unghosted .aspx pages and they are routed through the SafeMode parser.
What is the main difference between the SafeMode parser and Asp.net? Code compilation.
As everyone knows, Asp.net will parse a page on first render and compile it into an assembly. The SafeMode parser does NOT compile pages. It is designed to interpretatively parse a page and create the object structure of the page. In the event inline server-side code is detected, the SafeMode parser will not allow the page to render. Additionally, the only objects within the page (i.e. controls marked as runat=server) which can be instantiated are those items found in the SafeControls list.
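The routing and SafeMode rules described above, modeled in Python as an added example (not code from the original post or from SharePoint). The row dictionaries, the tag-name form of the SafeControls list, and the regular expressions are simplifying assumptions; only the Content and SetupPath column names come from the page.

```python
import re

# Heuristic for what the page calls inline server-side code: <% ... %> blocks
# (but not <%@ directives or <%-- comments) and <script runat="server">.
INLINE_CODE = re.compile(r"<%(?![@-])|<script\b[^>]*\brunat\s*=\s*[\"']?server", re.I)
# Prefixed server controls such as <Prefix:Type runat="server">.
SERVER_CONTROL = re.compile(r"<(\w+:\w+)\b[^>]*\brunat\s*=\s*[\"']?server", re.I)


def page_state(content, setup_path):
    """Classify a docs row by the Content/SetupPath rule given above."""
    if content is None and setup_path is not None:
        return "ghosted"    # template on the file system, rendered by Asp.net
    if content is not None:
        return "unghosted"  # stored in the database, rendered by SafeMode
    return "unknown"


def safemode_findings(source, safe_controls):
    """List the reasons SafeMode would refuse this page source."""
    safe = {name.lower() for name in safe_controls}
    findings = []
    if INLINE_CODE.search(source):
        findings.append("inline server-side code")
    for tag in SERVER_CONTROL.findall(source):
        if tag.lower() not in safe:
            findings.append("control not in SafeControls: " + tag)
    return findings


def audit(row, safe_controls):
    """Return (state, findings); only unghosted pages go through SafeMode."""
    state = page_state(row["Content"], row["SetupPath"])
    if state != "unghosted":
        return state, []
    return state, safemode_findings(row["Content"], safe_controls)


# Constructed sample data (hypothetical values, not from a real server).
SAFE = ["WebPartPages:WebPartZone"]
ROWS = {
    "home": {"Content": None, "SetupPath": r"1033\STS\default.aspx"},
    "edited": {"Content": '<%@ Page %><WebPartPages:WebPartZone runat="server" id="Main"/>',
               "SetupPath": None},
    "inline": {"Content": "<html><% int x = 1; %></html>", "SetupPath": None},
    "custom": {"Content": '<Custom:Widget runat="server"/>', "SetupPath": None},
}

if __name__ == "__main__":
    for name, row in ROWS.items():
        print(name, audit(row, SAFE))
```

Running the same checks over an .aspx file before it is uploaded shows whether it would be refused once it is stored unghosted.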
Can a page transition from a ghosted state to unghosted? Yes.
Ghosted pages become unghosted once a file has been modified. If a page is updated using FrontPage 2003, web folders, or the modification of custom document library fields, the Content column of the given document row is populated with the page contents. All uploaded .aspx files are automatically unghosted.
Are there other differences between SafeMode and Asp.net? Yes.
Although the SafeMode parser was designed to serve as a replacement for the Asp.net parser, it does not offer identical functionality. The key differences between the two parsers are listed below:
- SafeMode does not offer AspCompat functionality.
- SafeMode does not compile; therefore, all compilation directives are ignored.
- Session State exists; however, in SafeMode once you turn it on, all unghosted pages are forced to participate in Session State. Unghosted pages do NOT have the option to opt out of using Session State.
(Update 9/22: Read more about the implications of turning on SessionState).
Why are there two types of rendering engines? Security and scalability.
The SafeMode parser ensures unghosted pages are not allowed to run code. This security feature prevents a user from injecting code into a page which may maliciously, or unintentionally, bring down a server, snoop data, etc. Consider the permission levels associated with updating a page vs. the number of users within a WSS server. If you're the admin, you would probably be extremely wary of giving anyone the "Add and Customize Pages" right knowing that they would be able to freely execute server-side code if the SafeMode parser didn't exist. With our current behavior, once a page is transitioned from a ghosted to unghosted state, the admin knows that page cannot influence the behavior of the server.
Additionally, without the SafeMode parser, all pages would have to be routed through Asp.net which would mean all pages would be compiled and their associated assembly loaded into memory. Imagine a site with thousands of operational pages... the memory requirement would be huge. The current design limits page compilation to a very small number of pages relative to the actual number of pages within a WSS-extended virtual server.
How can you tell if a page is ghosted or unghosted? Quite simply—you can't.
There is no way to determine the state of your page. Unfortunately, this functionality simply didn't make its way into the product. In an ideal world, you would never need to know if a page is ghosted or not. However, we don't live in an ideal world.
Is it possible to "reset" an unghosted page to its original ghosted state? No.
This ties into the previous answer. Straight out of the box, there is no way to return a page to its original ghosted state.
Help... I need to reset a page!! Surely there are options?!
Check out the GhostHunter Web Part which is included in the Web Part Toolkit. The GhostHunter Web Part was specifically designed to address the limitations of WSS with respect to ghosted and unghosted pages.
Happy ghost hunting!! :)
This article was reprinted with the author's permission.