
Doesn't decompile correctly

Matt asked on 26 Dec 2011, 04:37 PM

I was decompiling System.Web.Security.SqlMembershipProvider and found a discrepancy. I was specifically looking at the GetPasswordWithFormat method, which JustDecompile shows like this:

/// <summary>
/// JustDecompile's rendering of SqlMembershipProvider.GetPasswordWithFormat, kept exactly as posted.
/// It runs the dbo.aspnet_Membership_GetPasswordWithFormat stored procedure for
/// <paramref name="username"/> and copies the single result row into the out parameters.
/// </summary>
/// <remarks>
/// NOTE(review): this listing is not a faithful decompilation and is not valid C#:
/// the out parameters <paramref name="password"/> and <paramref name="passwordSalt"/> are
/// never assigned on any path (reader columns 0 and 2 are skipped), isApproved is assigned
/// the int literal 0, and the object-typed sqlParameter.Value is used directly as a
/// ternary condition. Do not use it to judge how the provider handles stored credentials;
/// cross-check against the IL or a second decompiler first.
/// </remarks>
private void GetPasswordWithFormat(string username, bool updateLastLoginActivityDate, out int status, out string password, out int passwordFormat, out string passwordSalt, out int failedPasswordAttemptCount, out int failedPasswordAnswerAttemptCount, out bool isApproved, out DateTime lastLoginDate, out DateTime lastActivityDate)
{
    try
    {
        SqlConnectionHolder connection = null;
        SqlDataReader sqlDataReader = null;
        SqlParameter sqlParameter = null;
        try
        {
            connection = SqlConnectionHelper.GetConnection(this._sqlConnectionString, true);
            this.CheckSchemaVersion(connection.Connection);
            // Stored-procedure call: every input, including the caller-supplied username,
            // is added to Parameters rather than concatenated into the command text.
            SqlCommand sqlCommand = new SqlCommand("dbo.aspnet_Membership_GetPasswordWithFormat", connection.Connection);
            sqlCommand.CommandTimeout = this.CommandTimeout;
            sqlCommand.CommandType = CommandType.StoredProcedure;
            sqlCommand.Parameters.Add(this.CreateInputParam("@ApplicationName", SqlDbType.NVarChar, base.ApplicationName));
            sqlCommand.Parameters.Add(this.CreateInputParam("@UserName", SqlDbType.NVarChar, username));
            sqlCommand.Parameters.Add(this.CreateInputParam("@UpdateLastLoginActivityDate", SqlDbType.Bit, updateLastLoginActivityDate));
            sqlCommand.Parameters.Add(this.CreateInputParam("@CurrentTimeUtc", SqlDbType.DateTime, DateTime.UtcNow));
            // Captures the procedure's return code; it is read in the finally block below.
            sqlParameter = new SqlParameter("@ReturnValue", SqlDbType.Int);
            sqlParameter.Direction = ParameterDirection.ReturnValue;
            sqlCommand.Parameters.Add(sqlParameter);
            sqlDataReader = sqlCommand.ExecuteReader(CommandBehavior.SingleRow);
            // Default status until the return value is read in the finally block.
            status = -1;
            if (sqlDataReader.Read())
            {
                // NOTE(review): columns 0 and 2 are never read here, so password and
                // passwordSalt stay unassigned. The Reflector listing on this page
                // reads both with GetString.
                passwordFormat = sqlDataReader.GetInt32(1);
                failedPasswordAttemptCount = sqlDataReader.GetInt32(3);
                failedPasswordAnswerAttemptCount = sqlDataReader.GetInt32(4);
                isApproved = sqlDataReader.GetBoolean(5);
                lastLoginDate = sqlDataReader.GetDateTime(6);
                lastActivityDate = sqlDataReader.GetDateTime(7);
            }
            else
            {
                // No row returned: defaults are assigned, but again without password or passwordSalt.
                passwordFormat = 0;
                failedPasswordAttemptCount = 0;
                failedPasswordAnswerAttemptCount = 0;
                // NOTE(review): an int literal assigned to an out bool; the decompiler lost the type here.
                isApproved = 0;
                lastLoginDate = DateTime.UtcNow;
                lastActivityDate = DateTime.UtcNow;
            }
        }
        finally
        {
            if (sqlDataReader != null)
            {
                sqlDataReader.Close();
                sqlDataReader = null;
                // NOTE(review): Value is an object, not a bool, so the null comparison
                // was dropped from this condition by the decompiler.
                status = (sqlParameter.Value ? (int)sqlParameter.Value : -1);
            }
            if (connection != null)
            {
                connection.Close();
                connection = null;
            }
        }
    }
    catch
    {
        // Rethrows unchanged; no handling is added at this level.
        throw;
    }
}

I noticed that the output parameter "password" was never set, which didn't make sense, so I opened the same method in .NET Reflector and found the following:

/// <summary>
/// .NET Reflector's rendering of SqlMembershipProvider.GetPasswordWithFormat.
/// It runs the dbo.aspnet_Membership_GetPasswordWithFormat stored procedure for
/// <paramref name="username"/> and copies the single result row into the out parameters.
/// </summary>
/// <param name="username">User to look up; bound to the @UserName parameter.</param>
/// <param name="updateLastLoginActivityDate">Passed through as @UpdateLastLoginActivityDate.</param>
/// <param name="status">The procedure's return value, or -1 when that value is null.</param>
/// <param name="password">Column 0 of the row as stored, or null when no row is returned.</param>
/// <param name="passwordFormat">Column 1, or 0 when no row is returned. Presumably a MembershipPasswordFormat value (confirm against the caller).</param>
/// <param name="passwordSalt">Column 2 of the row, or null when no row is returned.</param>
/// <remarks>
/// The stored password value and its salt leave the database through this method.
/// Callers are responsible for not logging or otherwise exposing them.
/// </remarks>
private void GetPasswordWithFormat(string username, bool updateLastLoginActivityDate, out int status, out string password, out int passwordFormat, out string passwordSalt, out int failedPasswordAttemptCount, out int failedPasswordAnswerAttemptCount, out bool isApproved, out DateTime lastLoginDate, out DateTime lastActivityDate)
{
    try
    {
        SqlConnectionHolder connection = null;
        SqlDataReader reader = null;
        SqlParameter parameter = null;
        try
        {
            connection = SqlConnectionHelper.GetConnection(this._sqlConnectionString, true);
            this.CheckSchemaVersion(connection.Connection);
            // Stored-procedure call: every input, including the caller-supplied username,
            // is added to Parameters rather than concatenated into the command text.
            SqlCommand command = new SqlCommand("dbo.aspnet_Membership_GetPasswordWithFormat", connection.Connection) {
                CommandTimeout = this.CommandTimeout,
                CommandType = CommandType.StoredProcedure
            };
            command.Parameters.Add(this.CreateInputParam("@ApplicationName", SqlDbType.NVarChar, this.ApplicationName));
            command.Parameters.Add(this.CreateInputParam("@UserName", SqlDbType.NVarChar, username));
            command.Parameters.Add(this.CreateInputParam("@UpdateLastLoginActivityDate", SqlDbType.Bit, updateLastLoginActivityDate));
            command.Parameters.Add(this.CreateInputParam("@CurrentTimeUtc", SqlDbType.DateTime, DateTime.UtcNow));
            // Captures the procedure's return code; it is read in the finally block below.
            parameter = new SqlParameter("@ReturnValue", SqlDbType.Int) {
                Direction = ParameterDirection.ReturnValue
            };
            command.Parameters.Add(parameter);
            reader = command.ExecuteReader(CommandBehavior.SingleRow);
            // Default status until the return value is read in the finally block.
            status = -1;
            if (reader.Read())
            {
                // Credential material (columns 0-2) followed by lockout and activity data (columns 3-7).
                password = reader.GetString(0);
                passwordFormat = reader.GetInt32(1);
                passwordSalt = reader.GetString(2);
                failedPasswordAttemptCount = reader.GetInt32(3);
                failedPasswordAnswerAttemptCount = reader.GetInt32(4);
                isApproved = reader.GetBoolean(5);
                lastLoginDate = reader.GetDateTime(6);
                lastActivityDate = reader.GetDateTime(7);
            }
            else
            {
                // No row returned: every out parameter gets a neutral default, with
                // no credential data and isApproved left false.
                password = null;
                passwordFormat = 0;
                passwordSalt = null;
                failedPasswordAttemptCount = 0;
                failedPasswordAnswerAttemptCount = 0;
                isApproved = false;
                lastLoginDate = DateTime.UtcNow;
                lastActivityDate = DateTime.UtcNow;
            }
        }
        finally
        {
            if (reader != null)
            {
                reader.Close();
                reader = null;
                // Read only after the reader is closed. The parameter was created before
                // ExecuteReader, so it is non-null whenever reader is.
                status = (parameter.Value != null) ? ((int) parameter.Value) : -1;
            }
            if (connection != null)
            {
                connection.Close();
                connection = null;
            }
        }
    }
    catch
    {
        // Rethrows unchanged; no handling is added at this level.
        // NOTE(review): possibly present so the inner finally runs before any
        // caller-side exception filter. Confirm against the framework source.
        throw;
    }
}

Notice the fact that the following line doesn't even appear in the JustDecompile version:

password = reader.GetString(0);


This is a major problem and hurts my ability to trust the output.  Please fix this ASAP.

Thank you,
Matt

 

Nikolay G Rusev
Telerik team
answered on 02 Jan 2012, 09:46 AM
Hi Matt,

 Thank you for pointing out this problem and sorry for the inconvenience. We're definitely going to take care of it. So, please, stay tuned and update regularly.

Kind regards,
Nikolay G Rusev
the Telerik team

