我需要担心的链接要求在完全信任的只有.EXE? [英] Do I need to worry about link-demands in a full-trust only .EXE?
问题描述
我想了解的FxCop CA2122消息(可能禁用猥琐的事情之前),我已经清楚地超越我的。NET CAS的理解。
I'm trying to understand FxCop CA2122 messages (probably before disabling the wretched things), and I have clearly overstepped my understanding of .NET CAS.
应用程序是一个.EXE,没有的标记AllowPartiallyTrustedCallers。我们从code分析CA2122警告,抱怨我们没有从调用方法本身具有LinkDemands的最低水平向上传播LinkDemands。
The application is a .EXE, not marked with AllowPartiallyTrustedCallers. We get CA2122 warnings from Code Analysis, complaining about our failure to propagate LinkDemands upwards from the lowest level of calls to methods which themselves have LinkDemands.
显然,我们可以跑来跑去把LinkDemands的来电,然后主叫方,广告无穷的来电。这似乎完全是无目的的,因为这code每次调用总是将是完全信任的,所以(AIUI)的每一个环节的需求总是会被反正满足。埃里克利珀似乎认为这是非常危险的做到这一点。
Obviously we can run around putting LinkDemands on callers, and then callers of callers, ad-infinitum. This seems entirely purposeless, as every invocation of this code is always going to be full-trust, and hence (AIUI) every link demand is always going to be met anyway. Eric Lippert seems to think it's highly dangerous to do that, too.
所以:
-
我缺少什么组件级属性说这code将只能运行在完全信任? (我想没有AllowPartiallyTrustedCallers暗示这一点,但也许不是.EXE文件)
What assembly-level attribute am I missing to say 'this code will only run at full-trust'? (I thought the absence of AllowPartiallyTrustedCallers' implied this, but perhaps not for .EXEs)
或者我应该只是关闭该CA的警告,继续前进?我也想了解他们正确之前,我禁用它们...
Or should I just turn off that CA warning and move on? I do like to understand them properly before I disable them...
更新:有人问我,我们正在使用的框架版本 - 这是2.0RTM,这是非常难以得到升级过去的这一点,因为它是一个XPe的平台上
Update: I was asked which framework version we're using - it's 2.0RTM, and it's extremely difficult to get upgraded past that point because it's on an XPe platform.
推荐答案
您的基本假设,大会将永远只能运行一个完全可信的可执行文件是错误的。还有什么能阻止人谁可以得到他们的手在你的组件使用它作为了一个恶意软件引用的库程序集。如果已经更改机器的CAS策略授予完全信任你的集合,不管它是如何部署的,那么恶意软件就可能能够使用程序集来执行的,它本来不会有足够的权限操作。
Your underlying assumption that the assembly will only ever run as a fully trusted executable is faulty. There's nothing stopping someone who can get their hands on your assembly from using it as a referenced library assembly in a piece of malware. If you've altered a machine's CAS policy to grant full trust to your assembly regardless of how it's deployed, then the malware would potentially be able to use your assembly to execute operations for which it would otherwise not have had adequate permissions.
这样做的结果是,你真的应该做的代表呼吁code东西prevent满足链接的需求,无论您打算部署方案。既然你自己定位完全信任的情况下,这实际上将是pretty的方便。 <击>然而,确切的方法在很大程度上取决于你的目标的.NET Framework的版本,所以请你张贴的细节?
The upshot of this is that you really ought to be doing something to prevent satisfying link demands on the behalf of calling code, regardless of your intended deployment scenario. Given that you're targeting a full trust scenario yourself, this is actually going to be pretty easy. However, the exact approach depends largely on which version of the .NET Framework you're targeting, so could you please post that detail?
有关.NET 2.0,最简单的办法来解决这个问题将是要么SecurityTransparentAttribute或性SecurityCriticalAttribute适用于您的程序集。这两个属性将导致code在汇编成为安全透明默认情况下,这意味着它不能做这样的事情满足链接要求代表其调用者。如果有你的code部位需要做的是不允许的安全透明code的事情,你应该使用性SecurityCriticalAttribute代替SecurityTransparentAttribute在装配水平,因为这可以让你明确地宣传种类和/或成员安全临界,如果他们需要它。 (对于一些详细信息,请参阅<一href="http://blogs.msdn.com/b/shawnfa/archive/2005/08/31/when-the-opposite-of-transparent-isn-t-opaque.aspx" rel="nofollow">http://blogs.msdn.com/b/shawnfa/archive/2005/08/31/when-the-opposite-of-transparent-isn-t-opaque.aspx.)
For .NET 2.0, the simplest approach to addressing the issue would be to apply either SecurityTransparentAttribute or SecurityCriticalAttribute to your assembly. Both attributes will result in the code in your assembly becoming security-transparent by default, which means that it cannot do things like satisfy link demands on behalf of its callers. If there are parts of your code that need to do things that are not allowed to security-transparent code, you should use the SecurityCriticalAttribute instead of SecurityTransparentAttribute at the assembly level since this will allow you to explicitly promote types and/or members to security-criticality if they need it. (For a bit more detail, see http://blogs.msdn.com/b/shawnfa/archive/2005/08/31/when-the-opposite-of-transparent-isn-t-opaque.aspx.)
这篇关于我需要担心的链接要求在完全信任的只有.EXE?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
