I have a custom control that is embedded (using the object tag) in an html document.
- The control takes a path to a local client ini file.
- Reads the file.
- Executes the program specified in the ini on the client's PC.
- After the program has ended the control looks in a client side temp folder (specified by the ini file) for an image created by the executed program.
- If the image is there, then the control moves the file to a public folder on the server, and posts back to the server.
After this the server does "it's thing" with the image
So I've compiled the code and of course have security issues when running the control in IE (on localhost). I know that the use of the System.Diagnostics.Process is what is causing the problems. Example is that my sub StartScan() won't even pop up the message box because it uses System.Diagnostics.Process within itself, while the sub Test() will pop up the box with no problems. There are fusion errors, but cannot make sense of them. I've placed them at the bottom of this message if someone would like to take a look. Also changing the process isn’t a workaround. My department doesn't always know what program is used for scanning. The scanner is very old (plot size scanner) so any MS possibilities are also not doable (plus would require more coding for features). Also I never know where the app they are going to try to run, so changing the permissions to allow their local ASP user to run the program isn't a solution. The main problem here is that I want the code to run under the user's credentials within the IE browsers. It seems like it would be some type of impersonation, but I can only find examples for impersonation in ASP.NET or examples showing you how to run a process under another user if you know their name and password.
Any help is greatly appreicated.
Things I've already done
- gacutil /cdl and remove temporary internet files between every build
- Have given the control a strong name using a .snk file
- Have turned off security using caspol -s off
- Have given fulltrust
And of course the control will run inside of a stand alone VB.NET app without any problems (doesn't post to a server). When I do a “run as…” on the little VB.NET app, it inherits the given user’s permissions correctly (I’ve tested it with file permissions).
Also here are outputs telling what are the groups and permissions
caspol -all -resolvegroup c:\inetpub\wwwroot\docsuite\ClientHelper.dll
Microsoft (R) .NET Framework CasPol 1.1.4322.573
Copyright (C) Microsoft Corporation 1998-2002. All rights reserved.
Level = Enterprise
Code Groups:
1. All code: FullTrust
Level = Machine
Code Groups:
1. All code: Nothing
1.2. Zone - MyComputer: FullTrust
Level = User
Code Groups:
1. All code: FullTrust
Success
--------------------------------------------------------------------------------------------------------
caspol -all -resolvegroup //localhost/docsuite/ClientHelper.dll
Microsoft (R) .NET Framework CasPol 1.1.4322.573
Copyright (C) Microsoft Corporation 1998-2002. All rights reserved.
The assembly at //localhost/docsuite/ClientHelper.dll cannot be loaded. Caspol
can make a partial determination of what evidence would be associated with this
assembly. If this evidence is used, the results are not necessarily accurate or
complete. Would you like to continue this operation using partial evidence? (y
es/no)
y
Level = Enterprise
Code Groups:
1. All code: FullTrust
Level = Machine
Code Groups:
1. All code: Nothing
1.4. Zone - Internet: Internet
1.4.1. All code: Same site Web.
Level = User
Code Groups:
1. All code: FullTrust
Success
****And here is the code.****
-
Imports System.IO
-
Imports System.Security.Permissions
-
-
Namespace DocSuiteClient
-
-
Public Class ClientHelper
-
Inherits System.Windows.Forms.Control
-
-
#Region " Component Designer generated code "
-
-
Public Sub New()
-
-
-
MyBase.New()
-
-
' This call is required by the Component Designer.
-
InitializeComponent()
-
-
'Add any initialization after the InitializeComponent() call
-
End Sub
-
-
'Control overrides dispose to clean up the component list.
-
Protected Overloads Overrides Sub Dispose(ByVal disposing As Boolean)
-
If disposing Then
-
If Not (components Is Nothing) Then
-
components.Dispose()
-
End If
-
End If
-
MyBase.Dispose(disposing)
-
End Sub
-
-
'Required by the Control Designer
-
Private components As System.ComponentModel.IContainer
-
-
' NOTE: The following procedure is required by the Component Designer
-
' It can be modified using the Component Designer. Do not modify it
-
' using the code editor.
-
<System.Diagnostics.DebuggerStepThrough()> Private Sub InitializeComponent()
-
components = New System.ComponentModel.Container
-
End Sub
-
-
#End Region
-
-
Protected Overrides Sub OnPaint(ByVal pe As System.Windows.Forms.PaintEventArgs)
-
MyBase.OnPaint(pe)
-
-
'Add your custom paint code here
-
End Sub
-
-
'<ComClass(ComClass1.ClassId, ComClass1.InterfaceId, ComClass1.EventsId)> _
-
-
-
Protected Overrides Sub Finalize()
-
-
myProcess.Dispose()
-
-
-
MyBase.Finalize()
-
End Sub
-
-
#Region "Default Consants"
-
'defaults incase the ini file is not to be found
-
Private Const gTmpImgPath As String = "c:\temp"
-
Private Const gTmpFileName As String = "tmp"
-
Private Const LocalIniPath As String = "C:\"
-
Private Const LocalIniFile As String = "MyINI.ini"
-
Private Const DwgScanProg As String = "notepad"
-
#End Region
-
-
#Region "Private Member Vars"
-
-
-
-
Private ME_INIPath As String = ""
-
Private ME_Ready As Boolean = False
-
Private ME_ErrMsg As New System.Collections.ArrayList 'Link list for easy error adding
-
Private ME_TmpImageFile As String = ""
-
Private TmpImagePath As String = ""
-
Private strIniLine As String = ""
-
Private ME_WorkingDirectory As String = ""
-
Private ME_Params As String = ""
-
Private ME_Scanning As Boolean = False
-
Private ME_FileName As String = ""
-
Private myProcess As System.Diagnostics.Process
-
#End Region
-
-
#Region "Public Properties"
-
Public Property WorkingDirectory() As String
-
Get
-
Return Me.ME_WorkingDirectory
-
End Get
-
Set(ByVal Value As String)
-
Me.ME_WorkingDirectory = Value
-
End Set
-
End Property
-
Public Property TmpImageFile() As String
-
Get
-
Return Me.ME_TmpImageFile
-
End Get
-
Set(ByVal Value As String)
-
Me.ME_TmpImageFile = Value
-
End Set
-
End Property
-
-
Public ReadOnly Property FileName() As String
-
Get
-
Return (Me.ME_FileName)
-
End Get
-
End Property
-
Public ReadOnly Property Ready() As Boolean
-
Get
-
Return (Me.ME_Ready)
-
End Get
-
End Property
-
Public ReadOnly Property ErrMsg() As String
-
Get
-
'join the ArrayList with newlines for nice printing
-
Return (Join(CType(Me.ME_ErrMsg.ToArray(GetType(String)), String()), vbNewLine & "------------------------------" & vbNewLine))
-
End Get
-
End Property
-
Public Property IniPath() As String
-
Get
-
Return (Me.ME_INIPath)
-
End Get
-
Set(ByVal Value As String)
-
Me.ME_INIPath = Value
-
End Set
-
End Property
-
Public ReadOnly Property Scanning() As Boolean
-
Get
-
Return (Me.ME_Scanning)
-
End Get
-
End Property
-
#End Region
-
-
#Region "Public Events"
-
Public Event ScanComplete()
-
Public Event ScanFailed()
-
#End Region
-
-
-
-
-
#Region "Public Subs/Funcs"
-
-
-
Public Sub StopScan()
-
'stops the waiting process
-
Me.ME_Scanning = False
-
-
myProcess.Kill()
-
-
End Sub
-
-
Public Sub Test()
-
MsgBox("Test")
-
End Sub
-
-
Public Sub StartScan()
-
-
MsgBox("startScan")
-
If Not (Me.ME_Scanning) Then
-
If Me.ME_Ready = False Then Me.LoadIni()
-
-
If Me.ME_Ready Then
-
Try
-
-
'insure our drop directory exists
-
If Not (Directory.Exists(Me.TmpImagePath)) Then Directory.CreateDirectory(Me.TmpImagePath)
-
'clear out the drop file name if it exists for some reason
-
If File.Exists(Me.TmpImagePath & "\" & Me.TmpImageFile) Then File.Delete(Me.TmpImagePath & "\" & Me.TmpImageFile)
-
-
-
' create a new process
-
-
-
myProcess = New System.Diagnostics.Process
-
With myProcess
-
.StartInfo.FileName = Me.strIniLine
-
.StartInfo.Arguments = Me.ME_Params
-
.EnableRaisingEvents = True
-
AddHandler .Exited, AddressOf Me.ProcessedEnded
-
Me.ME_Scanning = True
-
.Start()
-
End With
-
-
-
-
Catch ex As Exception
-
Me.ME_ErrMsg.Add("Error in StartScan" & vbNewLine & "Exe at " & Me.strIniLine & vbNewLine & ex.Source & vbNewLine & ex.Message)
-
Me.ME_FileName = ""
-
-
Finally
-
-
-
End Try
-
-
End If
-
End If
-
End Sub
-
#End Region
-
-
#Region "Private Subs/Funcs"
-
-
Private Sub ProcessedEnded(ByVal sender As Object, _
-
ByVal e As System.EventArgs)
-
MsgBox("Fired ProcessedEnded")
-
-
'check flag to insure we got here because the app was closed
-
If Me.ME_Scanning Then
-
-
Me.ME_Scanning = False
-
Me.ME_FileName = Me.TmpImagePath & "\" & Me.TmpImageFile
-
-
If PerformMove() Then
-
RaiseEvent ScanComplete()
-
Else
-
Me.ME_FileName = ""
-
RaiseEvent ScanFailed()
-
End If
-
-
Else
-
-
'app was not closed, user cancelled scan from form
-
Me.ME_FileName = ""
-
Me.ME_ErrMsg.Add("Scanning process stopped by user")
-
-
End If
-
-
-
-
End Sub
-
-
Private Sub LoadIni()
-
MsgBox("LoadIni")
-
Dim AtPass As Integer = 0
-
Dim tmpLine As String = ""
-
-
strIniLine = ""
-
'check to see if we can find the ini, if not, load defaults
-
-
Try
-
If Not (File.Exists(Me.IniPath)) Then
-
Me.ME_ErrMsg.Add(Me.IniPath & " cannot be found. A defaults will be used.")
-
Me.strIniLine = DwgScanProg
-
Me.ME_Params = "-T" & "Scan" & "-nodbs" & "-F" & "@" & gTmpFileName & "-P" & "@"
-
Else
-
-
Dim istream As New StreamReader(Me.IniPath)
-
tmpLine = istream.ReadLine
-
Dim pass As Integer = 0
-
Do While tmpLine <> ""
-
-
If pass = 0 Then Me.strIniLine = tmpLine
-
pass += 1
-
If Microsoft.VisualBasic.Strings.Left(tmpLine, 1) = "@" Then
-
If AtPass = 0 Then
-
TmpImageFile = Microsoft.VisualBasic.Strings.Right(tmpLine, Len(tmpLine) - 1) & ".tif"
-
Me.ME_Params &= TmpImageFile & " "
-
AtPass = 1
-
Else
-
TmpImagePath = Microsoft.VisualBasic.Strings.Right(tmpLine, Len(tmpLine) - 1)
-
Me.ME_Params &= TmpImagePath & " "
-
End If
-
Else
-
Me.ME_Params &= tmpLine & " "
-
-
End If
-
tmpLine = istream.ReadLine
-
Loop
-
-
istream.Close()
-
istream = Nothing
-
End If
-
Catch ex As Exception
-
-
-
Me.ME_ErrMsg.Add(Me.IniPath & " cannot be read from." + vbNewLine + ex.Source + vbNewLine + ex.Message)
-
-
End Try
-
-
-
Me.ME_Ready = True
-
-
End Sub
-
-
Private Function PerformMove() As Boolean
-
'will move the file to the working directory
-
PerformMove = False
-
-
-
Try
-
-
File.Copy(Me.FileName, Me.WorkingDirectory & "\" & Me.TmpImageFile, True)
-
' File.Delete(Me.FileName)
-
PerformMove = True
-
-
Catch ex As Exception
-
-
Me.ME_ErrMsg.Add("Copying scanned file " & Me.FileName & " to working directory " & Me.WorkingDirectory & " Failed" & vbNewLine & _
-
ex.Source & vbNewLine & ex.Message)
-
-
End Try
-
-
-
-
End Function
-
#End Region
-
-
-
-
End Class
-
-
-
-
End Namespace
*****Fusion Errors******
*** Assembly Binder Log Entry (6/19/2007 @ 2:21:16 PM) ***
The operation failed.
Bind result: hr = 0x80070002. The system cannot find the file specified.
Assembly manager loaded from: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\msco rwks.dll
Running under executable C:\Program Files\Internet Explorer\IEXPLORE.EXE
--- A detailed error log follows.
=== Pre-bind state information ===
LOG: User = <my user name>
LOG: DisplayName = Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
(Fully-specified)
LOG: Appbase = http://localhost/
LOG: Initial PrivatePath = bin
LOG: Dynamic Base = NULL
LOG: Cache Base = NULL
LOG: AppName = IEXPLORE.EXE
Calling assembly : (Unknown).
===
LOG: Start binding of native image Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a.
WRN: No matching native image found.
*** Assembly Binder Log Entry (6/19/2007 @ 2:21:15 PM) ***
The operation failed.
Bind result: hr = 0x80070002. The system cannot find the file specified.
Assembly manager loaded from: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\msco rwks.dll
Running under executable C:\Program Files\Internet Explorer\IEXPLORE.EXE
--- A detailed error log follows.
=== Pre-bind state information ===
LOG: User = <my user name>
LOG: DisplayName = IIEHost, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
(Fully-specified)
LOG: Appbase = file:///C:/Program Files/Internet Explorer/
LOG: Initial PrivatePath = NULL
LOG: Dynamic Base = NULL
LOG: Cache Base = NULL
LOG: AppName = IEXPLORE.EXE
Calling assembly : IEHost, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a.
===
LOG: Start binding of native image IIEHost, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a.
WRN: No matching native image found.
*** Assembly Binder Log Entry (6/19/2007 @ 2:21:15 PM) ***
The operation failed.
Bind result: hr = 0x80070002. The system cannot find the file specified.
Assembly manager loaded from: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\msco rwks.dll
Running under executable C:\Program Files\Internet Explorer\IEXPLORE.EXE
--- A detailed error log follows.
=== Pre-bind state information ===
LOG: User = <my user name>
LOG: DisplayName = IEHost, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
(Fully-specified)
LOG: Appbase = file:///C:/Program Files/Internet Explorer/
LOG: Initial PrivatePath = NULL
LOG: Dynamic Base = NULL
LOG: Cache Base = NULL
LOG: AppName = IEXPLORE.EXE
Calling assembly : (Unknown).
===
LOG: Start binding of native image IEHost, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a.
WRN: No matching native image found.
