Not sure if this has already been noted or is fixed yet, but I was just digging around in Reflector and found a code access security (CAS) flaw in the static constructor of XPathDocumentWriter:
// Static constructor: looks up two non-public members of XPathDocument via reflection
// and stores them in the static fields defaultConstructor and loadWriterMethod.
// NOTE(review): the permission assertion below is reverted only in a finally block.
// If anything inside the try throws, finally blocks run during the second pass of
// exception handling, after exception filters further up the call stack have already
// been evaluated while the assertion was still active on this frame.
static XPathDocumentWriter()
{
// Build a ReflectionPermission and narrow it to MemberAccess only.
ReflectionPermission perm = new ReflectionPermission(PermissionState.Unrestricted);
perm.Flags = ReflectionPermissionFlag.MemberAccess;
try
{
// From this call on, demands for this permission stop their stack walk at this frame.
// NOTE(review): Assert() sits inside the try, so a failure of Assert() itself also
// reaches the RevertAssert() in the finally block with no assertion to revert.
perm.Assert();
Type t = typeof(XPathDocument);
// Non-public, parameterless instance constructor of XPathDocument.
defaultConstructor = t.GetConstructor(BindingFlags.NonPublic | BindingFlags.Instance, null, Type.EmptyTypes, new ParameterModifier[0]);
// Non-public instance method looked up by name; the result is not checked for null here.
loadWriterMethod = t.GetMethod("LoadFromWriter", BindingFlags.NonPublic | BindingFlags.Instance);
}
finally
{
// Removes the assertion from the current frame, but only once this finally block runs.
CodeAccessPermission.RevertAssert();
}
}
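CAS reversions should be done in catch-all handlers rather than in finally blocks, to prevent upstream exception filters from having the chance to run under elevated CAS permissions. When an exception is thrown, the CLR evaluates exception filters further up the call stack during its first pass, before any finally block runs, so in the code above the assertion is still active while those filters execute. A catch-all handler in the asserting method ends the first pass at this frame, and the assertion is reverted before the exception is rethrown. The above code should be rewritten as: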
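// Static constructor: looks up two non-public members of XPathDocument via reflection
// and stores them in the static fields defaultConstructor and loadWriterMethod.
// The ReflectionPermission assertion is reverted on every path before control can
// reach code outside this method, including exception filters in callers.
static XPathDocumentWriter()
{
    // Ask for the single flag that is needed rather than creating an unrestricted
    // permission and narrowing it afterwards.
    ReflectionPermission perm = new ReflectionPermission(ReflectionPermissionFlag.MemberAccess);

    // Assert before entering the try block: if Assert() itself fails, no assertion is
    // active, and calling RevertAssert() from the handler would raise a second
    // exception that hides the original one.
    perm.Assert();
    try
    {
        // Only a fixed type and a literal member name are reflected over while the
        // assertion is active; no caller-supplied value influences the lookup.
        Type t = typeof(XPathDocument);
        defaultConstructor = t.GetConstructor(BindingFlags.NonPublic | BindingFlags.Instance, null, Type.EmptyTypes, new ParameterModifier[0]);
        loadWriterMethod = t.GetMethod("LoadFromWriter", BindingFlags.NonPublic | BindingFlags.Instance);
        // NOTE(review): both lookups return null when the member is not found, and these
        // are non-public members; confirm that the code using these fields handles null.
    }
    catch
    {
        // A catch-all in this frame ends the first pass of exception handling here, so
        // the assertion is gone before any upstream exception filter is evaluated.
        CodeAccessPermission.RevertAssert();
        throw;
    }

    // Normal path: drop the assertion as soon as the lookups are done.
    CodeAccessPermission.RevertAssert();
}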
It's possible that other areas in the library need to be similarly updated. If you need more information, there is a reasonable body of knowledge on the Internet regarding this aspect of CAS.
BTW, Mvp.Xml is a really cool library, and I love using it!
// Static constructor: looks up two non-public members of XPathDocument via reflection
// and stores them in the static fields defaultConstructor and loadWriterMethod.
// NOTE(review): the permission assertion below is reverted only in a finally block.
// If anything inside the try throws, finally blocks run during the second pass of
// exception handling, after exception filters further up the call stack have already
// been evaluated while the assertion was still active on this frame.
static XPathDocumentWriter()
{
// Build a ReflectionPermission and narrow it to MemberAccess only.
ReflectionPermission perm = new ReflectionPermission(PermissionState.Unrestricted);
perm.Flags = ReflectionPermissionFlag.MemberAccess;
try
{
// From this call on, demands for this permission stop their stack walk at this frame.
// NOTE(review): Assert() sits inside the try, so a failure of Assert() itself also
// reaches the RevertAssert() in the finally block with no assertion to revert.
perm.Assert();
Type t = typeof(XPathDocument);
// Non-public, parameterless instance constructor of XPathDocument.
defaultConstructor = t.GetConstructor(BindingFlags.NonPublic | BindingFlags.Instance, null, Type.EmptyTypes, new ParameterModifier[0]);
// Non-public instance method looked up by name; the result is not checked for null here.
loadWriterMethod = t.GetMethod("LoadFromWriter", BindingFlags.NonPublic | BindingFlags.Instance);
}
finally
{
// Removes the assertion from the current frame, but only once this finally block runs.
CodeAccessPermission.RevertAssert();
}
}
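CAS reversions should be done in catch-all handlers rather than in finally blocks, to prevent upstream exception filters from having the chance to run under elevated CAS permissions. When an exception is thrown, the CLR evaluates exception filters further up the call stack during its first pass, before any finally block runs, so in the code above the assertion is still active while those filters execute. A catch-all handler in the asserting method ends the first pass at this frame, and the assertion is reverted before the exception is rethrown. The above code should be rewritten as: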
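// Static constructor: looks up two non-public members of XPathDocument via reflection
// and stores them in the static fields defaultConstructor and loadWriterMethod.
// The ReflectionPermission assertion is reverted on every path before control can
// reach code outside this method, including exception filters in callers.
static XPathDocumentWriter()
{
    // Ask for the single flag that is needed rather than creating an unrestricted
    // permission and narrowing it afterwards.
    ReflectionPermission perm = new ReflectionPermission(ReflectionPermissionFlag.MemberAccess);

    // Assert before entering the try block: if Assert() itself fails, no assertion is
    // active, and calling RevertAssert() from the handler would raise a second
    // exception that hides the original one.
    perm.Assert();
    try
    {
        // Only a fixed type and a literal member name are reflected over while the
        // assertion is active; no caller-supplied value influences the lookup.
        Type t = typeof(XPathDocument);
        defaultConstructor = t.GetConstructor(BindingFlags.NonPublic | BindingFlags.Instance, null, Type.EmptyTypes, new ParameterModifier[0]);
        loadWriterMethod = t.GetMethod("LoadFromWriter", BindingFlags.NonPublic | BindingFlags.Instance);
        // NOTE(review): both lookups return null when the member is not found, and these
        // are non-public members; confirm that the code using these fields handles null.
    }
    catch
    {
        // A catch-all in this frame ends the first pass of exception handling here, so
        // the assertion is gone before any upstream exception filter is evaluated.
        CodeAccessPermission.RevertAssert();
        throw;
    }

    // Normal path: drop the assertion as soon as the lookups are done.
    CodeAccessPermission.RevertAssert();
}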
It's possible that other areas in the library need to be similarly updated. If you need more information, there is a reasonable body of knowledge on the Internet regarding this aspect of CAS.
BTW, Mvp.Xml is a really cool library, and I love using it!