Re: dynamic reflection from xml file security




> If the assembly is coming
> from an untrusted source, I suggest you create a code group and not give
> the assembly full permission for executing.
The only assemblies would be framework assemblies

> What do you mean by executing a system command?
I mean, is there any class in the .NET Framework that, by ONLY instantiating
it and optionally setting some of its properties, could cause a
security risk or other ill effects?

See, I am allowing server controls to be instantiated by supplying their name
and assembly name for the sole purpose of dynamically putting them on a web
page, as well as setting properties of that control through the XML. Methods of
the control are not invoked; the only thing supplied is the option to set properties
of this control.

I want to make sure I don't have a security risk in my XML file that could
get hijacked on the server and be manipulated in some way to do harm or
cause other issues on a production box.

thanks

"Kevin Yu [MSFT]" <v-kevy@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:UZynWGyFGHA.224@xxxxxxxxxxxxxxxxxxxxxxxx
> Hi TS,
>
> What do you mean by executing a system command? If the assembly is coming
> from an untrusted source, I suggest you create a code group and not give
> the assembly full permission for executing.
>
> Kevin Yu
> =======
> "This posting is provided "AS IS" with no warranties, and confers no
> rights."
>
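
One way to constrain the loader described in the post above, as an added example that is not part of the original thread: resolve the control type only from an allowlist and set only allowlisted properties. The XML shape (`<control type="...">` with `<property name="..." value="..."/>` children), the class name `SafeControlLoader` and the allowlist entries are assumptions; the assembly name from the XML is deliberately ignored.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Reflection;
using System.Web.UI;
using System.Xml;

// Added example: XML element/attribute names and allowlist entries are assumptions.
public static class SafeControlLoader
{
    // Exact type names the XML may name, each with the properties it may set.
    static readonly Dictionary<string, string[]> Allowed = new Dictionary<string, string[]>
    {
        { "System.Web.UI.WebControls.Label",   new[] { "ID", "Text", "CssClass" } },
        { "System.Web.UI.WebControls.TextBox", new[] { "ID", "Text", "MaxLength" } },
    };

    public static Control Create(XmlElement node)
    {
        string typeName = node.GetAttribute("type");
        string[] props;
        if (!Allowed.TryGetValue(typeName, out props))
            throw new InvalidOperationException("Type not allowlisted: " + typeName);

        // Resolve from the assembly that defines Control (System.Web),
        // never from an assembly name taken from the XML file.
        Type type = typeof(Control).Assembly.GetType(typeName, true);
        if (!typeof(Control).IsAssignableFrom(type))
            throw new InvalidOperationException("Not a server control: " + typeName);

        Control control = (Control)Activator.CreateInstance(type);
        foreach (XmlElement p in node.SelectNodes("property"))
        {
            string name = p.GetAttribute("name");
            if (Array.IndexOf(props, name) < 0)
                throw new InvalidOperationException("Property not allowlisted: " + name);

            PropertyInfo pi = type.GetProperty(name, BindingFlags.Public | BindingFlags.Instance);
            if (pi == null || !pi.CanWrite)
                throw new InvalidOperationException("No writable property: " + name);

            // Convert the XML string to the property's declared type (string, int, ...).
            object value = TypeDescriptor.GetConverter(pi.PropertyType)
                                         .ConvertFromInvariantString(p.GetAttribute("value"));
            pi.SetValue(control, value, null);
        }
        return control;
    }
}
```

With this shape, an edited XML file can only select among the listed controls and properties; anything else fails with an exception before a type is instantiated or a property setter runs.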




