PropertyGrid SecurityException


Joshua Flanagan

I've seen this question posted in a couple places on the net, but curiously,
nobody has even attempted to respond to it. Since I have also run into the
problem, I will pose it again.

I've built a simple Windows Forms application. It does not require any
special permissions, and runs perfectly when launched from a web server
("smart client").

I then add a PropertyGrid control. It runs fine locally, but when I attempt
to launch it from a web server, it fails with a SecurityException: Request
failed.

Does anyone know why the PropertyGrid is considered a security risk?
Unfortunately, the required permissions don't seem to be documented. Anyone
know what I need to grant to users so that they can successfully launch this
application from the web?

I've included below a very simple demo. It will launch successfully from
the web, and then fail when you click the button (which attempts to add a
PropertyGrid).

Any feedback would be appreciated. Thanks.
-Josh


using System;

using System.Drawing;

using System.Collections;

using System.ComponentModel;

using System.Windows.Forms;

using System.Data;

namespace TestPropertyGrid
{
    /// <summary>
    /// Minimal repro form: a single button whose click handler creates a
    /// PropertyGrid and docks it into the form.
    /// </summary>
    /// <remarks>
    /// Per the accompanying post, the form starts fine when launched from a
    /// web server, and the click fails there with
    /// "SecurityException: Request failed"; it runs fine locally.
    /// Replies in the thread attribute the failure to PropertyGrid's use of
    /// reflection. The exact permission being demanded is not identified on
    /// the page.
    /// </remarks>
    public class Form1 : System.Windows.Forms.Form
    {
        // The only control created at startup.
        private System.Windows.Forms.Button button1;

        // Designer component container; never assigned in this demo, so it stays null.
        private System.ComponentModel.Container components = null;

        /// <summary>Builds the form and its single button.</summary>
        public Form1()
        {
            InitializeComponent();
        }

        /// <summary>
        /// Disposes the designer component container (when present) on an
        /// explicit dispose, then lets the base class clean up.
        /// </summary>
        /// <param name="disposing">True when called from Dispose() rather than a finalizer.</param>
        protected override void Dispose(bool disposing)
        {
            if (disposing && components != null)
            {
                components.Dispose();
            }

            base.Dispose(disposing);
        }

        #region Windows Form Designer generated code

        /// <summary>
        /// Creates button1, wires its Click event and sets the form's size,
        /// name and caption. No PropertyGrid is created here.
        /// </summary>
        private void InitializeComponent()
        {
            button1 = new System.Windows.Forms.Button();
            SuspendLayout();

            // button1
            button1.Location = new System.Drawing.Point(104, 104);
            button1.Name = "button1";
            button1.TabIndex = 0;
            button1.Text = "button1";
            button1.Click += new System.EventHandler(button1_Click);

            // Form1
            AutoScaleBaseSize = new System.Drawing.Size(5, 13);
            ClientSize = new System.Drawing.Size(292, 273);
            Controls.Add(button1);
            Name = "Form1";
            Text = "Form1";
            ResumeLayout(false);
        }

        #endregion

        /// <summary>Application entry point: shows Form1 and runs the message loop.</summary>
        [STAThread]
        static void Main()
        {
            Form1 mainForm = new Form1();
            Application.Run(mainForm);
        }

        /// <summary>
        /// Click handler that adds a PropertyGrid filling the form.
        /// </summary>
        /// <remarks>
        /// This is the step the post reports as failing with a
        /// SecurityException when the application is launched from a web
        /// server.
        /// NOTE(review): whether the demand fires when this method is compiled
        /// or when the PropertyGrid is constructed is not shown on the page.
        /// Confirm before relying on a try/catch placed here to diagnose it.
        /// </remarks>
        private void button1_Click(object sender, System.EventArgs e)
        {
            PropertyGrid grid = new PropertyGrid();
            grid.Dock = DockStyle.Fill;
            Controls.Add(grid);
        }
    }
}
 
The PropertyGrid works by using reflection, and you need a high level of
privileges to use reflection. That's because reflection is capable of
reading and writing the values of private and internal fields and properties
(it's not limited to public), and can call private and internal methods, on
any object. In fact, I've seen articles that suggest using reflection to
access non-published Microsoft APIs -- reflection is the only way to
instantiate and use classes in MS DLLs that were declared as internal.

As far as I know, reflection basically has no security checks once it's
figured out that you're allowed to use it at all. So, you're not allowed to
use it at all if you're untrusted code.


Joshua Flanagan said:
I've seen this question posted in a couple places on the net, but curiously,
nobody has even attempted to respond to it. Since I have also run into the
problem, I will pose it again.

I've built a simple Windows Forms application. It does not require any
special permissions, and runs perfectly when launched from a web server
("smart client").

I then add PropertyGrid control. It runs fine locally, but when I attempt
to launch it from a web server, it fails with a SecurityException: Request
failed.

Does anyone know why the PropertyGrid is considered a security risk?
Unfortunately, the required permissions don't seem to be documented. Anyone
know what I need to grant to users so that they can successfully launch this
application from the web?

I've included below a very simple demo. It will launch successfully from
the web, and then fail when you click the button (which attempts to add a
PropertyGrid).

Any feedback would be appreciated. Thanks.
-Josh


using System;

using System.Drawing;

using System.Collections;

using System.ComponentModel;

using System.Windows.Forms;

using System.Data;

namespace TestPropertyGrid
{
    /// <summary>
    /// Minimal repro form: a single button whose click handler creates a
    /// PropertyGrid and docks it into the form.
    /// </summary>
    /// <remarks>
    /// Per the quoted post, the form starts fine when launched from a web
    /// server, and the click fails there with
    /// "SecurityException: Request failed"; it runs fine locally.
    /// The reply above this quote attributes the failure to PropertyGrid's
    /// use of reflection. The exact permission being demanded is not
    /// identified on the page.
    /// </remarks>
    public class Form1 : System.Windows.Forms.Form
    {
        // The only control created at startup.
        private System.Windows.Forms.Button button1;

        // Designer component container; never assigned in this demo, so it stays null.
        private System.ComponentModel.Container components = null;

        /// <summary>Builds the form and its single button.</summary>
        public Form1()
        {
            InitializeComponent();
        }

        /// <summary>
        /// Disposes the designer component container (when present) on an
        /// explicit dispose, then lets the base class clean up.
        /// </summary>
        /// <param name="disposing">True when called from Dispose() rather than a finalizer.</param>
        protected override void Dispose(bool disposing)
        {
            if (disposing && components != null)
            {
                components.Dispose();
            }

            base.Dispose(disposing);
        }

        #region Windows Form Designer generated code

        /// <summary>
        /// Creates button1, wires its Click event and sets the form's size,
        /// name and caption. No PropertyGrid is created here.
        /// </summary>
        private void InitializeComponent()
        {
            button1 = new System.Windows.Forms.Button();
            SuspendLayout();

            // button1
            button1.Location = new System.Drawing.Point(104, 104);
            button1.Name = "button1";
            button1.TabIndex = 0;
            button1.Text = "button1";
            button1.Click += new System.EventHandler(button1_Click);

            // Form1
            AutoScaleBaseSize = new System.Drawing.Size(5, 13);
            ClientSize = new System.Drawing.Size(292, 273);
            Controls.Add(button1);
            Name = "Form1";
            Text = "Form1";
            ResumeLayout(false);
        }

        #endregion

        /// <summary>Application entry point: shows Form1 and runs the message loop.</summary>
        [STAThread]
        static void Main()
        {
            Form1 mainForm = new Form1();
            Application.Run(mainForm);
        }

        /// <summary>
        /// Click handler that adds a PropertyGrid filling the form.
        /// </summary>
        /// <remarks>
        /// This is the step the post reports as failing with a
        /// SecurityException when the application is launched from a web
        /// server.
        /// NOTE(review): whether the demand fires when this method is compiled
        /// or when the PropertyGrid is constructed is not shown on the page.
        /// Confirm before relying on a try/catch placed here to diagnose it.
        /// </remarks>
        private void button1_Click(object sender, System.EventArgs e)
        {
            PropertyGrid grid = new PropertyGrid();
            grid.Dock = DockStyle.Fill;
            Controls.Add(grid);
        }
    }
}
 
Hi Joshua,
I agree with Joe: the PropertyGrid uses the reflection mechanism to get the
properties and values of an object. You need to grant the ReflectionPermission
to your type explicitly if you want it to be accessed in internet code. You may
try adding the ReflectionPermission attribute to the type that you want to be
accessed in internet code. For more detailed information, please refer to
the following links in MSDN:
<ReflectionPermission>
http://msdn.microsoft.com/library/en-us/cpref/html/frlrfSystemSecurityPermissionsReflectionPermissionClassTopic.asp?frame=true
<ReflectionPermissionAttribute>
http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemsecuritypermissionsreflectionpermissionattributeclasstopic.asp?frame=true
Thanks!
If you still have a problem with it, please let me know.

Best regards,


Ying-Shen Yu [MSFT]
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties and confers no rights.
You should not reply this mail directly, "Online" should be removed before
sending, Thanks!

--------------------
| From: "Joe White" <[email protected]>
| References: <#[email protected]>
| Subject: Re: PropertyGrid SecurityException
| Date: Sun, 5 Oct 2003 20:21:15 -0500
| Lines: 162
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| Message-ID: <[email protected]>
| Newsgroups: microsoft.public.dotnet.framework.windowsforms
| NNTP-Posting-Host: ip68-96-138-248.om.om.cox.net 68.96.138.248
| Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
| Xref: cpmsftngxa06.phx.gbl
microsoft.public.dotnet.framework.windowsforms:53775
| X-Tomcat-NG: microsoft.public.dotnet.framework.windowsforms
|
| The PropertyGrid works by using reflection, and you need a high level of
| privileges to use reflection. That's because reflection is capable of
| reading and writing the values of private and internal fields and
properties
| (it's not limited to public), and can call private and internal methods,
on
| any object. In fact, I've seen articles that suggest using reflection to
| access non-published Microsoft APIs -- reflection is the only way to
| instantiate and use classes in MS DLLs that were declared as internal.
|
| As far as I know, reflection basically has no security checks once it's
| figured out that you're allowed to use it at all. So, you're not allowed
to
| use it at all if you're untrusted code.
|
|
| | > I've seen this question posted in a couple places on the net, but
| curiously,
| > nobody has even attempted to respond to it. Since I have also run into
| the
| > problem, I will pose it again.
| >
| > I've built a simple Windows Forms application. It does not require any
| > special permissions, and runs perfectly when launched from a web server
| > ("smart client").
| >
| > I then add PropertyGrid control. It runs fine locally, but when I
| attempt
| > to launch it from a web server, it fails with a SecurityException:
Request
| > failed.
| >
| > Does anyone know why the PropertyGrid is considered a security risk?
| > Unfortunately, the required permissions don't seem to be documented.
| Anyone
| > know what I need to grant to users so that they can successfully launch
| this
| > application from the web?
| >
| > I've included below a very simple demo. It will launch successfully
from
| > the web, and then fail when you click the button (which attempts to add
a
| > PropertyGrid).
| >
| > Any feedback would be appreciated. Thanks.
| > -Josh
| >
| >
| > using System;
| >
| > using System.Drawing;
| >
| > using System.Collections;
| >
| > using System.ComponentModel;
| >
| > using System.Windows.Forms;
| >
| > using System.Data;
| >
| > namespace TestPropertyGrid
| >
| > {
| >
| > public class Form1 : System.Windows.Forms.Form
| >
| > {
| >
| > private System.Windows.Forms.Button button1;
| >
| > private System.ComponentModel.Container components = null;
| >
| > public Form1(){ InitializeComponent(); }
| >
| > protected override void Dispose( bool disposing )
| >
| > {
| >
| > if( disposing ){ if (components != null) { components.Dispose(); }}
| >
| > base.Dispose( disposing );
| >
| > }
| >
| > #region Windows Form Designer generated code
| >
| >
| >
| > private void InitializeComponent()
| >
| > {
| >
| > this.button1 = new System.Windows.Forms.Button();
| >
| > this.SuspendLayout();
| >
| > //
| >
| > // button1
| >
| > //
| >
| > this.button1.Location = new System.Drawing.Point(104, 104);
| >
| > this.button1.Name = "button1";
| >
| > this.button1.TabIndex = 0;
| >
| > this.button1.Text = "button1";
| >
| > this.button1.Click += new System.EventHandler(this.button1_Click);
| >
| > //
| >
| > // Form1
| >
| > //
| >
| > this.AutoScaleBaseSize = new System.Drawing.Size(5, 13);
| >
| > this.ClientSize = new System.Drawing.Size(292, 273);
| >
| > this.Controls.Add(this.button1);
| >
| > this.Name = "Form1";
| >
| > this.Text = "Form1";
| >
| > this.ResumeLayout(false);
| >
| > }
| >
| > #endregion
| >
| > [STAThread]
| >
| > static void Main()
| >
| > {
| >
| > Application.Run(new Form1());
| >
| > }
| >
| >
| >
| > private void button1_Click(object sender, System.EventArgs e)
| >
| > {
| >
| > PropertyGrid myGrid;
| >
| > myGrid = new PropertyGrid();
| >
| > myGrid.Dock = DockStyle.Fill;
| >
| > this.Controls.Add(myGrid);
| >
| > }
| >
| > }
| >
| > }
|
|
|
 