I think it's pretty common in shared hosting environments that ASP.NET is not running with Full Trust. GoDaddy.com, for example, I believe doesn't let its users' sites run with Full Trust. I don't know what its policy settings are with regard to AspNetHostingPermission though...

AspNetHostingPermission, I believe, ensures application code cannot be used in other partial-trust environments without an administrator setting specific policies, i.e. the code can't be executed from outside of an ASP.NET host unless it has full trust.

The ReviewVisibleEventHandlers occurs because FxCop views your OnPreRender method as an event method (because it contains an EventArgs argument). Since the method that invokes an event isn't necessarily in the call stack when the event method is executed, lower-privileged code can end up executing higher-privileged code. I think it's slightly noisy because technically that could happen for any non-private method. I'm not sure, but imperative demands within OnPreRender may placate FxCop.

On Fri, 16 Nov 2007 12:53:51 -0500, Bill Bassler <[EMAIL PROTECTED]> wrote:

>I often see the MSDN ASP.NET webcontrol samples that include the following
>CAS class declaration.
>
>[AspNetHostingPermission(SecurityAction.LinkDemand, Level =
>AspNetHostingPermissionLevel.Minimal)]
>[AspNetHostingPermission(SecurityAction.InheritanceDemand, Level =
>AspNetHostingPermissionLevel.Minimal)]
>public class MyWebControl : System.Web.UI.WebControls.WebControl
>{
>
>From my very basic knowledge of CAS, this would seem to be to enforce
>restricting that immediately calling code and/or a derived class from
>doing anything but the most trivial processing. By default, ASP.NET runs at
>Full trust. So, is the MSDN sample code trying to convey placing some
>basic security demands for ASP.NET in partial trust environments?
>
>One problem is that if you decorate a class as above FxCop 1.3.5 creates a
>ReviewVisibleEventHandlers critical error when an attempt is made to
>override base class methods in the control.
>
>        protected override void OnPreRender(EventArgs e)
>        {
>            base.OnPreRender(e);
>
>
>      "It appears that an event handler is externally visible
>      or that an EventArgs parameter is being exposed in
>      a visible method decorated with a security demand.
>      There can be problems exposing sensitive functionality
>      in an event handler function; the security demand might
>      not do what you expect."
>
>So I would like to know how I should proceed to implement CAS/or not to in
>the control to make it as flexible (non-full trust environments) and safe
>as possible. Do I need any CAS declarations at all? It's a web UI control
>and really doesn't do anything that I can imagine that could be of harm
>in the event handler function(s) in question.
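
The following is an added example, not code from either poster or from MSDN: the class declaration from the quoted message, completed with the imperative demand the reply mentions. The namespace, the Caption property and the RenderContents override are hypothetical, and whether this form satisfies FxCop's ReviewVisibleEventHandlers rule has not been verified here.

```csharp
using System;
using System.Security.Permissions;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace Example.Controls // hypothetical namespace
{
    // Declarative demands from the quoted sample. A LinkDemand is checked once,
    // when the calling method is JIT-compiled, and only against the immediate
    // caller. An InheritanceDemand is checked against code deriving from the class.
    [AspNetHostingPermission(SecurityAction.LinkDemand,
        Level = AspNetHostingPermissionLevel.Minimal)]
    [AspNetHostingPermission(SecurityAction.InheritanceDemand,
        Level = AspNetHostingPermissionLevel.Minimal)]
    public class MyWebControl : WebControl
    {
        private string caption; // hypothetical property backing field

        public string Caption
        {
            get { return caption; }
            set { caption = value; }
        }

        protected override void OnPreRender(EventArgs e)
        {
            // Imperative demand: a run-time stack walk over every caller on the
            // stack at the moment the handler executes. Unlike the LinkDemand,
            // it does not depend on which code originally linked to the method,
            // so it still applies when the method is reached through an event.
            new AspNetHostingPermission(AspNetHostingPermissionLevel.Minimal).Demand();

            base.OnPreRender(e);
        }

        protected override void RenderContents(HtmlTextWriter writer)
        {
            // Encode on output so the control is safe with untrusted captions.
            writer.WriteEncodedText(Caption ?? string.Empty);
        }
    }
}
```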