deserialize and "medium trust"

The following c# code:

[...]
XmlSerializer serializer = new XmlSerializer(typeof(myClassType));
StringReader reader = new StringReader(tmpstring);
_data = (myClassType)serializer.Deserialize(reader);
[...]

works great on a web server with .net application security set on "FULL TRUST", instead on "deserialize" method I receive a "There is an error in XML document (1, 2)" Exception if the .net application security of the server is set on "MEDIUM TRUST".

Because I need to deserialize an XML into a c# class from an application that runs on a shared hosting server, is there any way to avoid/bypass this error?

BTW why "deserialize" can't work in a MEDIUM TRUST environment? What kind of security risk is there inside?

thanks a lot!!!
G

XmlSerializer works fine in partial trust - the only thing I can think of is that you don't have FileIOPermission to the C:\Windows\Temp directory - that's where XmlSerializer creates a temporary assembly...

I would suggest to first try to run the app locally in MEDIUM to see if you can repro the error - and then add the temp directory to the medium trust config file for double checking... it may be a provider misconfiguration.

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

> The following c# code:
>
> [...]
> XmlSerializer serializer = new XmlSerializer(typeof(myClassType));
> StringReader reader = new StringReader(tmpstring);
> _data = (myClassType)serializer.Deserialize(reader);
> [...]
> works great on a web server with .net application security set on
> "FULL TRUST", instead on "deserialize" method I receive a "There is an
> error in XML document (1, 2)" Exception if the .net application
> security of the server is set on "MEDIUM TRUST".
>
> Because I need to deserialize an XML into a c# class from an
> application that runs on a shared hosting server, is there any way to
> avoid/bypass this error?
>
> BTW why "deserialize" can't work in a MEDIUM TRUST environment? What
> kind of security risk is there inside?
>
> thanks a lot!!!
> G

Sept. 23, 2006

... Yup - there are risks involved.... The problem is, if you have a file containing an object with a filepath to an assembly some other person just scheduled for you to run (and you are under a high account like SYSTEM, while it only takes a lower account to schedule it... thereby be an elevation of privilege concern).... then the object could be replaced by some hacker, with the filepath of a different and destructive assembly.

This is just a single example.... but I think it is clear enough to get the point across... basically, you need to grant your code the required trust level, which also means you are putting full confidence in yourself & that assembly that it takes the proper precautions to make sure it hasn't been modified, and that people who are giving the object to you and its communication channel and such are secure....

Hope this helps!

--
Joseph Bittman
Microsoft Certified Solution Developer
Microsoft Most Valuable Professional -- DPM
Blog/Web Site: http://CactiDevelopers.ResDev.Net/

<delfi***@libero.it> wrote in message news:1158737864.375361.272050@i3g2000cwc.googlegroups.com...
> The following c# code:
>
> [...]
> XmlSerializer serializer = new XmlSerializer(typeof(myClassType));
> StringReader reader = new StringReader(tmpstring);
> _data = (myClassType)serializer.Deserialize(reader);
> [...]
>
> works great on a web server with .net application security set on "FULL
> TRUST", instead on "deserialize" method I receive a "There is an error
> in XML document (1, 2)" Exception if the .net application security of
> the server is set on "MEDIUM TRUST".
>
> Because I need to deserialize an XML into a c# class from an
> application that runs on a shared hosting server, is there any way to
> avoid/bypass this error?
>
> BTW why "deserialize" can't work in a MEDIUM TRUST environment? What
> kind of security risk is there inside?
>
> thanks a lot!!!
> G
>

Have the same problem with the hoster VWDhosting.net (available for testing ASP.NET applications).

When trying webservice the website gives an error and hangs. Found out the problem is that account Network Service has no read/write right to the c:\windows\temp folder. Is it possible to redirect (web.config ?) the temp folder to a subfolder of the website of whom you can control the read/write access ?

Hi,

no, that's not possible - the hoster has to fix this.

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

> Have the same problem with the hoster VWDhosting.net (available for
> testing asp net applications).
>
> When trying webservice the website gives an error and hangs.
> Found out the problem is that account Network Service has no
> read/write right to the c:\windows\temp folder.
> Is it possible to redirect (web.config ?) the temp folder to a
> subfolder of the website of whom you can control the read/write access
> ?
>
> --
> Sent via .NET Newsgroups
> http://www.dotnetnewsgroups.com
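
A diagnostic for the two causes discussed in this thread (no FileIOPermission under the trust level, or no Windows rights on the temp folder), added here as an example and not code from any of the posters. `SampleData` and the `SerializerDiagnostics` helper are hypothetical names, and it assumes `Path.GetTempPath()` resolves to the temp directory the replies mention.

```csharp
using System;
using System.IO;
using System.Security;
using System.Text;
using System.Xml.Serialization;
// Hypothetical stand-in for the poster's myClassType.
public class SampleData { public string Name; }

public static class SerializerDiagnostics
{
    // The "There is an error in XML document (1, 2)" message is only the outer
    // wrapper; the actual cause sits further down the InnerException chain.
    public static string Describe(Exception ex)
    {
        StringBuilder sb = new StringBuilder();
        for (Exception e = ex; e != null; e = e.InnerException)
            sb.AppendLine(e.GetType().FullName + ": " + e.Message);
        return sb.ToString();
    }

    // Tries to create and delete a file in the temp directory and reports
    // which layer refused: CAS policy (trust level) or the Windows ACL.
    public static string ProbeTempWrite()
    {
        try
        {
            string probe = Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString("N") + ".tmp");
            File.WriteAllText(probe, "probe");
            File.Delete(probe);
            return "temp directory is writable";
        }
        catch (SecurityException ex) { return "refused by CAS policy: " + ex.Message; }
        catch (UnauthorizedAccessException ex) { return "refused by file system ACL: " + ex.Message; }
        catch (IOException ex) { return "I/O error: " + ex.Message; }
    }

    // Same calls as in the question; returns "ok" or a full diagnosis.
    public static string TryDeserialize(string xml)
    {
        try
        {
            XmlSerializer serializer = new XmlSerializer(typeof(SampleData));
            using (StringReader reader = new StringReader(xml))
                serializer.Deserialize(reader);
            return "ok";
        }
        catch (Exception ex) { return Describe(ex) + "temp probe: " + ProbeTempWrite(); }
    }
}
```

Call `SerializerDiagnostics.TryDeserialize` from a test page while running locally with `<trust level="Medium" />` under `<system.web>` in web.config, as the first reply suggests, and compare the output with what the hosting server returns.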