Setting FileIOPermissions in ASP.NET incode.

Question

Hi,

I have this small app that loads plugin type components that other users can freely upload to the server. But I don't want the users to be able to access other users files. I need to set the access of each plugin component to a restricted access.

I tried to set the access inside the plugin classes base class but even then the loaded plugin classes seem to have full file access.

I can't set the permission with a attribute because the path changes depending on who loads the page.

Here is a code snippest:

public abstract class PluginBase<T>
{
public PluginBase
{
PermissionSet ps = new PermissionSet(System.Security.Permissions.PermissionState.None);
            ps.AddPermission(new System.Security.Permissions.FileIOPermission(System.Security.Permissions.FileIOPermissionAccess.PathDiscovery | System.Security.Permissions.FileIOPermissionAccess.Read, HttpContext.Current.Server.MapPath("/app_data/www_somesite_com")));
            ps.PermitOnly();
}
}
public class SomePlugin : PluginBase<SomePlugin>
{
public SomePlugin
{
File.WriteAllText("c:\test.txt", "This should not be possible, but it is.. why?");
}
}

Many thanks in advance!

Answer 1

The solution is actually quite simple, as you can implement your own attribute (which allows you to resolve the allowed path programmatically instead of having to use a constant for the decorator attribute).

using System.Security;
using System.Security.Permissions;

public sealed class CustomFileIOPermission : CodeAccessSecurityAttribute
{
 public CustomFileIOPermission(SecurityAction action)
  : base(action)
 {
 }

 public override IPermission CreatePermission()
 {
  // You can use your `HttpContext` or similar at this point to resolve the path
  string allowedPath = @"D:\test";

  return new FileIOPermission(FileIOPermissionAccess.Write, allowedPath);
 }
}

The class above will enable use of [CustomFileIOPermission(SecurityAction.PermitOnly)] and will effectively protect files elsewhere.