The following C# code:
[...]
XmlSerializer serializer = new XmlSerializer(typeof(myClassType));
StringReader reader = new StringReader(tmpstring);
_data = (myClassType)serializer.Deserialize(reader);
[...]
works great on a web server with .NET application security set to "FULL
TRUST"; however, on the "Deserialize" method I receive a "There is an error
in XML document (1, 2)" exception if the .NET application security of
the server is set to "MEDIUM TRUST".
Because I need to deserialize XML into a C# class from an
application that runs on a shared hosting server, is there any way to
avoid/bypass this error?
BTW, why can't "Deserialize" work in a MEDIUM TRUST environment? What
kind of security risk is involved?
Thanks a lot!!!
G
Dominick Baier - 20 Sep 2006 11:34 GMT
XmlSerializer works fine in partial trust - the only thing I can think of
is that you don't have FileIOPermission to the C:\Windows\Temp directory
- that's where XmlSerializer creates a temporary assembly...
I would suggest to first try to run the app locally in MEDIUM to see if you
can repro the error - and then add the temp directory to the medium trust
config file for double checking... it may be a provider misconfiguration.
---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com
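
To see what is actually behind "There is an error in XML document (1, 2)", the wrapping exception's InnerException chain has to be read. The following C# helper is an added example, not code from any poster in this thread; the names DeserializeDiagnostics and TryDeserialize are hypothetical.

```csharp
using System;
using System.IO;
using System.Security;
using System.Text;
using System.Xml.Serialization;

// Hypothetical helper (not from the thread): wraps the poster's
// XmlSerializer call and records the full exception chain on failure.
public static class DeserializeDiagnostics
{
    // Returns the deserialized object, or null with 'report' describing
    // every exception from the outer wrapper down to the root cause.
    public static T TryDeserialize<T>(string xml, out string report) where T : class
    {
        try
        {
            // The constructor is where the temporary serialization
            // assembly is generated, so it sits inside the try as well.
            XmlSerializer serializer = new XmlSerializer(typeof(T));
            using (StringReader reader = new StringReader(xml))
            {
                report = string.Empty;
                return (T)serializer.Deserialize(reader);
            }
        }
        catch (Exception ex)
        {
            StringBuilder sb = new StringBuilder();
            int depth = 0;
            for (Exception e = ex; e != null; e = e.InnerException, depth++)
            {
                sb.AppendFormat("[{0}] {1}: {2}", depth, e.GetType().FullName, e.Message);
                sb.AppendLine();
                // SecurityException: a code access security demand failed,
                // i.e. the trust level policy refused a permission.
                if (e is SecurityException)
                    sb.AppendLine("    -> denied by trust level policy (CAS)");
                // UnauthorizedAccessException: the operating system refused
                // the process account, i.e. a file system ACL problem.
                if (e is UnauthorizedAccessException)
                    sb.AppendLine("    -> denied by the OS for the process account (ACL)");
            }
            report = sb.ToString();
            return null;
        }
    }
}
```

Calling `DeserializeDiagnostics.TryDeserialize<myClassType>(tmpstring, out report)` and logging `report` on the hosted server shows whether the root cause is a policy denial or something else entirely.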
Joseph Bittman MVP MCSD - 24 Sep 2006 05:09 GMT
Sept. 23, 2006
... Yup - there are risks involved....
The problem is, if you have a file containing an object with a filepath to
an assembly some other person just scheduled for you to run (and you are
under a high account like SYSTEM, while it only takes a lower account to
schedule it... thereby being an elevation of privilege concern).... then the
object could be replaced by some hacker, with the filepath of a different
and destructive assembly.
This is just a single example.... but I think it is clear enough to get the
point across... basically, you need to grant your code the required trust
level, which also means you are putting full confidence in yourself & that
assembly that it takes the proper precautions to make sure it hasn't been
modified, and that people who are giving the object to you and its
communication channel and such are secure....
Hope this helps!

Joseph Bittman
Microsoft Certified Solution Developer
Microsoft Most Valuable Professional -- DPM
Blog/Web Site: http://CactiDevelopers.ResDev.Net/
Peter - 26 Sep 2006 13:35 GMT
Have the same problem with the hoster VWDhosting.net (available for
testing ASP.NET applications).
When trying a web service, the website gives an error and hangs.
Found out the problem is that the account Network Service has no read/write
rights to the c:\windows\temp folder.
Is it possible to redirect (web.config?) the temp folder to a subfolder
of the website for which you can control the read/write access?
--
Sent via .NET Newsgroups
http://www.dotnetnewsgroups.com
Dominick Baier - 26 Sep 2006 13:42 GMT
Hi,
No, that's not possible - the hoster has to fix this.
---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com