Fiddler Extension - Updates
96 views
Skip to first unread message
Chad Sowald
Aug 28, 2011, 3:40:14 AM8/28/11
to Fiddler
Hi Eric,
I asked last year -
http://groups.google.com/group/httpfiddler/browse_thread/thread/de955cbd604cd14b/048a14f841cd30ad
- about an extension updating feature. I just wanted to know if there
were any updates since your last comment in that thread?
I started coding an extension to do extension updating and I have
a couple of questions:
1) How can I add items to the Fiddler menu? Preferably, above/below
the "Check for Updates" item under Help. I saw this page -
http://www.fiddler2.com/Fiddler/dev/ScriptSamples.asp - but it only
has FiddlerScript samples and I can't figure how to duplicate them in
C#.
2) I would need unzip capability. Should/Can I use the DotNetZip
library? I also saw you have the Xceed.Zip.dll library. Is that
available to be used?
Thanks,
~Chad
I asked last year -
http://groups.google.com/group/httpfiddler/browse_thread/thread/de955cbd604cd14b/048a14f841cd30ad
- about an extension updating feature. I just wanted to know if there
were any updates since your last comment in that thread?
I started coding an extension to do extension updating and I have
a couple of questions:
1) How can I add items to the Fiddler menu? Preferably, above/below
the "Check for Updates" item under Help. I saw this page -
http://www.fiddler2.com/Fiddler/dev/ScriptSamples.asp - but it only
has FiddlerScript samples and I can't figure how to duplicate them in
C#.
2) I would need unzip capability. Should/Can I use the DotNetZip
library? I also saw you have the Xceed.Zip.dll library. Is that
available to be used?
Thanks,
~Chad
EricLaw
Aug 28, 2011, 12:16:55 PM8/28/11
to Fiddler
Hi, Chad!
Nah, I haven't made any changes for extension updates, although you
may have recently noticed that Fiddler now includes an "auto-upgrade"
mechanism to streamline the installation of new builds of Fiddler
itself.
1. There's no "supported" mechanism to extend any menu except the
Rules and Tools menus (which are extended via script attributes).
However, the Fiddler MainMenu has "public" accessibility and there are
quite a few extensions that poke into it directly. It's not a great
system (e.g. when I add menus and shift things around, non-robust
extensions will break) but it's possible to code defensively and have
a fairly robust add-on menu.
2. Using DotNetZip will certainly work, although as you know, it's not
a tiny assembly. Fiddler itself uses the Xceed.Zip library but the
license agreement for Xceed is a little ambiguous as to whether or not
its use in the manner you'd want to use it is really valid without you
paying for a license. That's a problem the DotNetZip code won't suffer
from.
However... can I ask what you plan to do with this? The problem with
ZIP files is that they can't be signed, and I'm guessing that you want
to use this mechanism to distribute the updates themselves. By what
mechanism will you prevent a bad guy "on the wire" from replacing the
valid code with malicious code that your updater would then install?
Fiddler itself solves this by using WinVerifyTrust to verify the
signatures on the files it downloads and installs. You might go a
similar route, using either signed executables or CAB files, which are
similar to ZIP files except that they have the ability to be signed.
Your client code can then extract the files from the signed cab using
the CABARC tool that ships with Windows.
> I asked last year -http://groups.google.com/group/httpfiddler/browse_thread/thread/de955...
Nah, I haven't made any changes for extension updates, although you
may have recently noticed that Fiddler now includes an "auto-upgrade"
mechanism to streamline the installation of new builds of Fiddler
itself.
1. There's no "supported" mechanism to extend any menu except the
Rules and Tools menus (which are extended via script attributes).
However, the Fiddler MainMenu has "public" accessibility and there are
quite a few extensions that poke into it directly. It's not a great
system (e.g. when I add menus and shift things around, non-robust
extensions will break) but it's possible to code defensively and have
a fairly robust add-on menu.
2. Using DotNetZip will certainly work, although as you know, it's not
a tiny assembly. Fiddler itself uses the Xceed.Zip library but the
license agreement for Xceed is a little ambiguous as to whether or not
its use in the manner you'd want to use it is really valid without you
paying for a license. That's a problem the DotNetZip code won't suffer
from.
However... can I ask what you plan to do with this? The problem with
ZIP files is that they can't be signed, and I'm guessing that you want
to use this mechanism to distribute the updates themselves. By what
mechanism will you prevent a bad guy "on the wire" from replacing the
valid code with malicious code that your updater would then install?
Fiddler itself solves this by using WinVerifyTrust to verify the
signatures on the files it downloads and installs. You might go a
similar route, using either signed executables or CAB files, which are
similar to ZIP files except that they have the ability to be signed.
Your client code can then extract the files from the signed cab using
the CABARC tool that ships with Windows.
> I asked last year -http://groups.google.com/group/httpfiddler/browse_thread/thread/de955...
> - about an extension updating feature. I just wanted to know if there
> were any updates since your last comment in that thread?
>
> I started coding an extension to do extension updating and I have
> a couple of questions:
>
> 1) How can I add items to the Fiddler menu? Preferably, above/below
> the "Check for Updates" item under Help. I saw this page -http://www.fiddler2.com/Fiddler/dev/ScriptSamples.asp- but it only
> were any updates since your last comment in that thread?
>
> I started coding an extension to do extension updating and I have
> a couple of questions:
>
> 1) How can I add items to the Fiddler menu? Preferably, above/below
Chad Sowald
Aug 31, 2011, 12:50:21 AM8/31/11
to Fiddler
Hi Eric! Thanks for the thorough response.
1) Okay, I've got my Help menu item added after you "Check for
Updates...". I'll need to decide on some backup place to put the
update action in case you change the menus as you pointed out. Also,
what's your feeling on me changing your "Check for Updates..." to
"Check for Fiddler Updates..." so that it's more distinguishable from
my "Check for Extension Updates..."?
2) So, I'm stuck a on this from an architectural perspective. Just to
clarify the extension's purpose, I would basically cycle through all
the loaded IFiddlerExtensions (ignoring the default ones), then look
for some public static methods (using reflection) on those
IFiddlerExtension classes*. These public static methods would need to
signature match what I'm looking for. Then, each respective extension
developer would need to add these methods to their extension. These
methods would tell my extension updater things like the URL to
download an update from, whether an update is needed, etc...The
biggest problem with this approach, of course, is that it's circular:
you would need to update your extensions so that they have the hooks
for the extension updater. The way around this is for me to go
through your web page of extensions and try to build the hooks for
those (and let the extensions override them when and if they do update
their extensions). The other option is to just support my own
extension and then hope that other extension authors update their
extensions to hook into the extension updater.
3) Okay, so back to my question about unzipping. That is my other
architectural question. Right now, I believe that most extensions are
distributed as either .exe, .msi or .zip. I personally use .zip for
my extension and was just, naively, imagining unzipping a file to
where the extension already lives or just running their .exe/.msi and
waiting for that to finish. The other option is to let each extension
do the actual update. I'm trying to avoid making the extension
developer do that much. But, I would provide post install hooks. I
will look into this WinTrustVerify. Thanks for explaining how that
would work.
* This way, other extensions wouldn't have to build against some
interface I create.
> > the "Check for Updates" item under Help. I saw this page -http://www.fiddler2.com/Fiddler/dev/ScriptSamples.asp-but it only
1) Okay, I've got my Help menu item added after you "Check for
Updates...". I'll need to decide on some backup place to put the
update action in case you change the menus as you pointed out. Also,
what's your feeling on me changing your "Check for Updates..." to
"Check for Fiddler Updates..." so that it's more distinguishable from
my "Check for Extension Updates..."?
2) So, I'm stuck a on this from an architectural perspective. Just to
clarify the extension's purpose, I would basically cycle through all
the loaded IFiddlerExtensions (ignoring the default ones), then look
for some public static methods (using reflection) on those
IFiddlerExtension classes*. These public static methods would need to
signature match what I'm looking for. Then, each respective extension
developer would need to add these methods to their extension. These
methods would tell my extension updater things like the URL to
download an update from, whether an update is needed, etc...The
biggest problem with this approach, of course, is that it's circular:
you would need to update your extensions so that they have the hooks
for the extension updater. The way around this is for me to go
through your web page of extensions and try to build the hooks for
those (and let the extensions override them when and if they do update
their extensions). The other option is to just support my own
extension and then hope that other extension authors update their
extensions to hook into the extension updater.
3) Okay, so back to my question about unzipping. That is my other
architectural question. Right now, I believe that most extensions are
distributed as either .exe, .msi or .zip. I personally use .zip for
my extension and was just, naively, imagining unzipping a file to
where the extension already lives or just running their .exe/.msi and
waiting for that to finish. The other option is to let each extension
do the actual update. I'm trying to avoid making the extension
developer do that much. But, I would provide post install hooks. I
will look into this WinTrustVerify. Thanks for explaining how that
would work.
* This way, other extensions wouldn't have to build against some
interface I create.
Chad Sowald
Sep 7, 2011, 9:16:52 PM9/7/11
to Fiddler
Well, the extension updater is coming along nicely and there's still
some work to do obviously. Here's a demo of what it looks like now:
http://www.chadsowald.com/FiddlerExtensionUpdaterDemo.avi
I'm still concerned about the code-signing aspect of it. I assume I'd
have to buy a certificate myself (not only for the extension updater
extension, but also for my request to code extension.) I'm not so
keen on spending the yearly money on that even if it's $100. Is there
another way?
My other roadblock is that most of the non-official extensions are
hosted on CodePlex and I don't think I can currently get a single link
for each project that just downloads the newest version, which is what
my extension currently requires.
> > > the "Check for Updates" item under Help. I saw this page -http://www.fiddler2.com/Fiddler/dev/ScriptSamples.asp-butit only
some work to do obviously. Here's a demo of what it looks like now:
http://www.chadsowald.com/FiddlerExtensionUpdaterDemo.avi
I'm still concerned about the code-signing aspect of it. I assume I'd
have to buy a certificate myself (not only for the extension updater
extension, but also for my request to code extension.) I'm not so
keen on spending the yearly money on that even if it's $100. Is there
another way?
My other roadblock is that most of the non-official extensions are
hosted on CodePlex and I don't think I can currently get a single link
for each project that just downloads the newest version, which is what
my extension currently requires.
Reply all
Reply to author
Forward
0 new messages