dynamic reflection from xml file security

TS
I have code that creates assemblies and classes from the assembly and
methods from the classes to set properties of dynamically created controls.

How should I go about validating the assemblies, classes, & properties
declared in the XML file?

Thanks
Jan 9 '06 #1
TS,

Can you be more specific with what you mean by validating? How are
these things declared in the XML file?

If you are creating an assembly, then you are using the reflection
APIs, or you are generating C# code and compiling on the fly. Either way,
you should get an error if the code is not valid.

Can you provide more information?
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com

Jan 9 '06 #2
TS
controlAssemblyTypeName="XXX.XXXXX.Web"
controlTypeName="XXX.XXXXX.Web.Controls.StandardCriteria"

And then there are XML sub-elements listing all the properties to set on the
standard criteria class.

I am using the following method to find the assembly based on the name
declared in the XML file and using it to instantiate the class declared in
controlTypeName:

    using System;
    using System.Reflection;

    // Returns the already-loaded assembly whose simple name matches the value
    // from the XML file, or null if none matches. The name is not restricted.
    private Assembly GetAssembly(string assemblyTypeName)
    {
        foreach (Assembly assembly in AppDomain.CurrentDomain.GetAssemblies())
        {
            if (assembly.GetName().Name == assemblyTypeName)
                return assembly;
        }

        return null;
    }

This could let them find a System assembly.

Later, to create the class instance, I do the following:

    // Use reflection to create control
    control = (Control) assembly.CreateInstance(controlTypeName);

Jan 9 '06 #3
TS,

Ok, I kind of understand what you are doing now.

In order to load the assembly, you don't have to check the assemblies in
the current domain. Rather, you should just call one of the Load methods in
the Assembly class. If the assembly is loaded already, then it will return
that. If not, it will load the assembly.

To get the type, call the GetType method on the Assembly instance that
you loaded.

Then, you call CreateInstance on the Activator class to create the
instance.

From there, you can call GetProperty on the Type to get the property,
and then call the SetValue method on the PropertyInfo returned from the call
to GetProperty to set the value (passing in your instance returned from
CreateInstance).
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com

Jan 10 '06 #4
TS
Ok, I have it working now, but your way is probably better... but what about
validating the assembly and class entered in the XML file... in case the XML
file was hijacked and they maybe used a system assembly and tried to execute
system commands, etc. How do I lock down this type of interface?

thanks

Jan 10 '06 #5
Hi TS,

What do you mean by executing a system command? If the assembly is coming
from an untrusted source, I suggest you create a code group and not give
the assembly full permission for executing.

Kevin Yu
=======
"This posting is provided "AS IS" with no warranties, and confers no
rights."

Jan 12 '06 #6
TS
> If the assembly is coming from an untrusted source, I suggest you create
> a code group and not give the assembly full permission for executing.

The only assemblies would be framework assemblies.

> What do you mean by executing a system command?

I mean, is there any class in the .NET Framework that, by ONLY instantiating
it and optionally setting some of its properties, could cause a
security risk or other ill effects?

See, I am allowing server controls to be instantiated by supplying their name
and assembly name for the sole purpose of dynamically putting them on a web
page, as well as setting properties of that control through the XML. Methods of
the control are not invoked; the only thing supplied is the option to set
properties of this control.

I want to make sure I don't have a security risk in my XML file that could
get hijacked on the server and be manipulated in some way to do harm or
cause other issues on a production box.

thanks

Jan 12 '06 #7
Hi TS,

In this case, I think the best way is to give the assembly a limited
permission set, so that the assembly will not do anything harmful if the
XML is hijacked.

Kevin Yu
=======
"This posting is provided "AS IS" with no warranties, and confers no
rights."

Jan 13 '06 #8
TS
Can I give permissions embedded in the code so that no server or environment
changes have to be done?

Jan 13 '06 #9
Hi TS,

This policy cannot be set from the code. Because if it can be set by code,
the hackers can also do that. Then it will be no use. It can only be set
from the .NET configuration settings in the administrative tools.

Kevin Yu
=======
"This posting is provided "AS IS" with no warranties, and confers no
rights."

Jan 16 '06 #10
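
Added example, not code from any poster in this thread: one way to validate the assembly, class and property names from the XML before running the Load / GetType / CreateInstance / GetProperty / SetValue sequence described in post #4, by checking them against an allowlist compiled into the application. `XmlControlFactory`, `DemoControl`, the `StandardCriteria` stand-in and the allowlist contents are assumptions made so the block compiles on its own; in the poster's code the base type would be the `Control` class he casts to.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Reflection;

// Stand-ins for the real control types (hypothetical, so the example compiles alone).
public class DemoControl { public string Caption { get; set; } }
public class StandardCriteria : DemoControl { public int MaxRows { get; set; } }

public static class XmlControlFactory
{
    // Allowlist: "assembly simple name|type full name" -> properties the XML may set.
    static readonly Dictionary<string, HashSet<string>> Allowed =
        new Dictionary<string, HashSet<string>>(StringComparer.Ordinal)
        {
            { Assembly.GetExecutingAssembly().GetName().Name + "|StandardCriteria",
              new HashSet<string>(StringComparer.Ordinal) { "Caption", "MaxRows" } }
        };
    public static DemoControl Create(string assemblyName, string typeName,
                                     IDictionary<string, string> properties)
    {
        HashSet<string> allowedProps;
        if (!Allowed.TryGetValue(assemblyName + "|" + typeName, out allowedProps))
            throw new InvalidOperationException("Not allowlisted: " + typeName);
        // Names from the XML are resolved only after the allowlist check has passed.
        Type type = Assembly.Load(assemblyName).GetType(typeName, true);
        if (type.IsAbstract || !typeof(DemoControl).IsAssignableFrom(type))
            throw new InvalidOperationException("Not a concrete control: " + typeName);
        object instance = Activator.CreateInstance(type);
        foreach (KeyValuePair<string, string> p in properties)
        {
            PropertyInfo info = allowedProps.Contains(p.Key)
                ? type.GetProperty(p.Key, BindingFlags.Public | BindingFlags.Instance) : null;
            if (info == null || !info.CanWrite)
                throw new InvalidOperationException("Property rejected: " + p.Key);
            info.SetValue(instance, Convert.ChangeType(p.Value, info.PropertyType,
                                                       CultureInfo.InvariantCulture), null);
        }
        return (DemoControl)instance;
    }
    static void Main()
    {
        string asm = Assembly.GetExecutingAssembly().GetName().Name;
        var props = new Dictionary<string, string> { { "MaxRows", "25" } };
        Console.WriteLine(((StandardCriteria)Create(asm, "StandardCriteria", props)).MaxRows);
        try { Create("mscorlib", "System.Text.StringBuilder", props); }  // constructed input
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
    }
}
```

Because the allowlist lives in compiled code rather than in the XML file, editing the XML can only select among types and properties the application already intended to expose.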
