Re: XmlSerializer and Security

From: AndrewEames (AndrewEames_at_discussions.microsoft.com)
Date: 02/02/05


Date: Wed, 2 Feb 2005 14:17:05 -0800


.NET Framework 1.1 - no service pack

And yes, foo is in the same assembly

I can send you the project if it's any help, but it's no more than I included
here.
Make sure the exe is strong-named and the My Computer settings are set to Low
Trust.

This is the stack trace if it helps

        f_jsqp-i!Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReader1.Read4_foo() + 0x7c bytes
        system.xml.dll!System.Xml.Serialization.TempAssembly.InvokeReader(int methodIndex = 0x0, System.Xml.XmlReader xmlReader = {System.Xml.XmlTextReader}, System.Xml.Serialization.XmlDeserializationEvents events = {System.Xml.Serialization.XmlDeserializationEvents}, string encodingStyle = null) + 0xcd bytes
        system.xml.dll!System.Xml.Serialization.XmlSerializer.Deserialize(System.Xml.XmlReader xmlReader = {System.Xml.XmlTextReader}, string encodingStyle = null) + 0xf0 bytes
        system.xml.dll!System.Xml.Serialization.XmlSerializer.Deserialize(System.IO.TextReader textReader = {System.IO.StringReader}) + 0x59 bytes
> XmlSerializerTrust.exe!XmlSerializerTrust.Form1.button1_Click(System.Object sender = {Text="button1"}, System.EventArgs e = {System.EventArgs}) Line 95 + 0x23 bytes C#

And the error is

A first chance exception of type 'System.Security.SecurityException' occurred in f_jsqp-i

Additional information: Security error.

  Andrew

"Nicole Calinoiu" wrote:

> Sorry, but I'm still not getting an exception. What version of the .NET
> framework are you using? Also, just to be sure, is the foo class in the
> same assembly as the code that's performing the serialization and
> deserialization?
>
>
>
> "AndrewEames" <AndrewEames@discussions.microsoft.com> wrote in message
> news:69623431-9E7F-412A-8399-25EAE5DD572D@microsoft.com...
> > My pleasure :)
> >
> > Create a Windows C# GUI application.
> > Strongly name it.
> > Add a button with the following code:
> >
> > using System.IO;
> > using System.Xml.Serialization;
> >
> > public class foo
> > {
> > }
> >
> > private void button1_Click(object sender, System.EventArgs e)
> > {
> >     XmlSerializer s = new XmlSerializer(typeof(foo));
> >     StringWriter sw = new StringWriter();
> >     s.Serialize(sw, new foo());
> >     string ss = sw.ToString();
> >     // Throws SecurityException under the policy described below
> >     s.Deserialize(new StringReader(ss));
> > }
> >
> > In the .NET security applet, go to "trust an assembly", select the exe you
> > just built and trust every assembly with its public key.
> >
> > Now modify security for My Computer to be Low Trust.
> >
> > Run the app above and press the button - the call to Deserialize above
> > will throw a security exception. The undesirable workaround is to add the
> > APTCA to the executable.
> > Thanks for any insight
> > Andrew
> >
> >
> >
> >
> > "Nicole Calinoiu" wrote:
> >
> >> Andrew,
> >>
> >> I've tried to repro, and it would seem that mere "use" of XmlSerializer
> >> is not sufficient to trigger the problem you describe. Might you be able
> >> to provide an example (as described at
> >> http://www.yoda.arachsys.com/csharp/complete.html) that demonstrates the
> >> problem?
> >>
> >> Nicole
> >>
> >>
> >>
> >> "AndrewEames" <AndrewEames@discussions.microsoft.com> wrote in message
> >> news:A65166EC-6DB1-42FF-844B-DD6EF639122E@microsoft.com...
> >> > I've just run into a rather pesky issue. If I use the XmlSerializer
> >> > class from a strongly named assembly, the generated assembly makes a
> >> > demand for full trust if the strongly named assembly doesn't have the
> >> > AllowPartiallyTrustedCallers attribute. Some of my customers have IS
> >> > policies where they only grant full trust to assemblies with certain
> >> > strong names so the temporary assemblies generated by the XmlSerializer
> >> > don't of course have full trust.
> >> >
> >> > The corollary of this appears to be that any strongly named assembly
> >> > that uses XmlSerializer *must* have the AllowPartiallyTrustedCallers
> >> > attribute. I don't really want to add this attribute to my assemblies
> >> > but it appears I have no choice - can someone please tell me I am
> >> > wrong?
> >> > Thanks
> >> > Andrew
> >> >
> >>
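The following is an added example, not code from this thread or from Microsoft. It turns Andrew's repro into a complete C# 1.x console program and shows where the two assembly-level attributes the thread discusses go: the strong-name key file (the file name is a placeholder; generate one with sn.exe -k) and the AllowPartiallyTrustedCallers attribute that Andrew names as the undesirable workaround. It assumes the same setup as the thread: the exe is strong-named, and the My Computer zone has been lowered to a partial-trust level.

```csharp
// Added example, not from the original thread. Complete repro of the behaviour
// described above. Assumptions: compiled as a strong-named executable (key file
// below is a placeholder) and run under the lowered My Computer policy from the
// thread; under Full Trust the round trip simply succeeds.
using System;
using System.IO;
using System.Reflection;
using System.Security;
using System.Xml.Serialization;

// Strong-name the assembly (placeholder key file).
[assembly: AssemblyKeyFile("PLACEHOLDER.snk")]

// The workaround from the thread. A strong-named assembly without this attribute
// carries an implicit LinkDemand for FullTrust on its public members; the
// temporary assembly XmlSerializer generates is not fully trusted under the
// policy Andrew describes, so its generated reader fails that demand when it
// instantiates foo. Uncomment to apply the workaround. Note that APTCA also
// opens every public member of this assembly to partially trusted callers, so
// pair it with explicit security demands on anything sensitive.
// [assembly: AllowPartiallyTrustedCallers]

public class foo
{
}

public class Program
{
    // Serializes and deserializes a foo instance. Returns true if the round
    // trip succeeds, false if Deserialize throws a SecurityException.
    public static bool RoundTrip()
    {
        try
        {
            XmlSerializer s = new XmlSerializer(typeof(foo));
            StringWriter sw = new StringWriter();
            s.Serialize(sw, new foo());
            string ss = sw.ToString();
            object back = s.Deserialize(new StringReader(ss));
            return back is foo;
        }
        catch (SecurityException ex)
        {
            // This is the "Security error" seen in the stack trace above.
            Console.WriteLine("SecurityException from Deserialize: " + ex.Message);
            return false;
        }
    }

    public static void Main()
    {
        Console.WriteLine(RoundTrip() ? "round-trip succeeded" : "round-trip failed");
    }
}
```

Compare the two runs: with the APTCA line commented out and the policy lowered, RoundTrip returns false and prints the SecurityException; with the attribute applied, the generated reader can call foo's public constructor and the round trip succeeds, which is exactly the trade-off the thread is weighing.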