views:

332

answers:

1

Hi,

I have this small app that loads plugin type components that other users can freely upload to the server. But I don't want the users to be able to access other users files. I need to set the access of each plugin component to a restricted access.

I tried to set the access inside the plugin classes base class but even then the loaded plugin classes seem to have full file access.

I can't set the permission with a attribute because the path changes depending on who loads the page.

Here is a code snippest:

public abstract class PluginBase<T>
{
public PluginBase
{
PermissionSet ps = new PermissionSet(System.Security.Permissions.PermissionState.None);
            ps.AddPermission(new System.Security.Permissions.FileIOPermission(System.Security.Permissions.FileIOPermissionAccess.PathDiscovery | System.Security.Permissions.FileIOPermissionAccess.Read, HttpContext.Current.Server.MapPath("/app_data/www_somesite_com")));
            ps.PermitOnly();
}
}
public class SomePlugin : PluginBase<SomePlugin>
{
public SomePlugin
{
File.WriteAllText("c:\test.txt", "This should not be possible, but it is.. why?");
}
}

Many thanks in advance!

A: 

The solution is actually quite simple, as you can implement your own attribute (which allows you to resolve the allowed path programmatically instead of having to use a constant for the decorator attribute).

using System.Security;
using System.Security.Permissions;

public sealed class CustomFileIOPermission : CodeAccessSecurityAttribute
{
 public CustomFileIOPermission(SecurityAction action)
  : base(action)
 {
 }

 public override IPermission CreatePermission()
 {
  // You can use your `HttpContext` or similar at this point to resolve the path
  string allowedPath = @"D:\test";

  return new FileIOPermission(FileIOPermissionAccess.Write, allowedPath);
 }
}

The class above will enable use of [CustomFileIOPermission(SecurityAction.PermitOnly)] and will effectively protect files elsewhere.

troethom
That almost does everything I need. The problem is that I'm creating software where users can freely upload an usercontrol and I need to check that they have actually implemented that attribute. For some reason (probably by design?) I cannot check if that security attribute is actually implemented because it does not show up in the list that GetCustomAttributes method returns. Anyone know how to check if that attribute is implemented.
Gabfine
I think you should create a new question for this issue. I think it is important to separate into smaller tasks to keep the questions interesting to others - instead of providing exact solutions to very unique problems, and I believe it will give you more answers too.
troethom
You are right that that should really belong to a another question. I added a new question that can be found here: http://stackoverflow.com/questions/1439900/how-to-check-if-c-class-has-security-attribute-usedThank you for the first answer :)
Gabfine