并反射带来什么风险? (中等信任) [英] What risk does Reflection pose? (Medium Trust)
问题描述
由于缺乏在中信任主机环境的反思,似乎会给很多问题的许多流行的Web应用程序。
The lack of reflection in Medium Trust hosting environments seems to cause a lot of problems for many popular web applications.
- 为什么性ReflectionPermission 默认情况下,与中信任禁用?
- 在共享宿主环境不构成反思什么风险?
- Why is ReflectionPermission disabled by default with Medium Trust?
- What risk does reflection pose in a shared hosting environment?
有关随机参考,请参阅 MSDN:如何使用中等信任在ASP.NET 2.0中
For random reference, see MSDN: How to use Medium Trust in ASP.NET 2.0
推荐答案
反射允许恶意code,检查各类秘密:没有那么多的知识产权(虽然肯定的,那太),但应该是私人数据和安全,就像连接字符串,密码,银行账户数据等。
Reflection allows malicious code to inspect all kinds of secrets: not so much intellectual property (though sure, that too), but data that should be private and secure, like connection strings, passwords, bank account data, etc..
当然,许多程序通过偶数更容易妥协向量公开此数据作为理所当然的事,但我们没有理由来提高应用程序的攻击面。
Of course, many programs expose this data as a matter of course through even more-easily compromised vectors, but there's no reason to increase an application's attack surface.
的编辑从注释带来的一些谈话了:的
这可能是真实的,真正的风险是不受限制的文件系统的访问,这是什么使反射到一个真正的危险。如果一个糟糕的演员能够得到一个组件(或者一些被编译成一个程序集)复制到您的虚拟目录,你就麻烦了,如果他们有思考的权限。 (当然,如果出现这种情况,还有其他潜在的问题为好,但不应该低估这个特殊的漏洞。)
It's probably true that the real risk is unrestricted file system access, which is what turns reflection into a real danger. If a bad actor can get an assembly (or something that gets compiled into an assembly) into your virtual directory, you're in trouble if they have reflection permission. (Of course if this happens, there are other potential problems as well, but that shouldn't discount this particular vulnerability.)
在一个共享的托管环境,这只是很难prevent,但它肯定是不可能的。也许,这是值得交叉张贴这个问题 ServerFault 来看看有什么好乡亲有不得不说的。
In a shared hosting environment that's just harder to prevent, though it certainly isn't impossible. Perhaps it's worth cross-posting this question to ServerFault to see what the good folks there have to say.
这篇关于并反射带来什么风险? (中等信任)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
