Hey Hammett,

I'm interested to hear where you think there is security implications for
this patch. I could be completely overlooking an issue with it.

On Mon, Mar 2, 2009 at 9:52 PM, Jonathon Rossi <[email protected]> wrote:

> That is what I was thinking.
>
> However, we probably should be demanding read access for the
> EnvironmentPermission for cases where Castle assemblies are installed in the
> GAC and APTCA is used.
>
>
> On Mon, Mar 2, 2009 at 9:33 PM, James Curran <[email protected]>wrote:
>
>>
>> I don't believe so.  To exploit this, one would have to be able to
>> change a environment variable, change something which uses a URI (like
>> a view), or convince a user to run a hostile castle-based exe on their
>> system.  In all three cases, the system is already compromised.
>>
>> --
>> Truth,
>>     James
>>
>> On Mon, Mar 2, 2009 at 1:15 AM, hammett <[email protected]> wrote:
>> >
>> > Isnt there security implications on this one?
>> >
>> > On Sun, Mar 1, 2009 at 2:57 AM,  <[email protected]>
>> wrote:
>> >>  - Applied Eric Hauser's patch fixing CORE-ISSUE-22
>> >>   "Support for environment variables in resource URI"
>>
>> >>
>>
>
>
> --
> Jono
>



-- 
Jono

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Castle Project Development List" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/castle-project-devel?hl=en
-~----------~----~----~----~------~----~------~--~---

Reply via email to