I need help understanding Silverlight 4 security - silverlight

Does anyone else think Silverlight 4 security is a bit screwball?
Look at the following scenario:
Silverlight when set to trusted app, and run out of browser mode allows you to browse for a file using the file open dialog.
You require the name of the path of the file to open it up from any COM automation. For example (excel/word) but this could be anything.
It is impossible to get the full path of the file from the dialog because of security restrictions
You can however using COM FileSystemObject - do what ever you want to the users file system, including create folders, move and delete files.
So in other words, why all the fuss about security in Silverlight, which actually hinders real business use cases, when its possible to access any file anyways using COM?
To say it another way, if a user runs a malicious silverlight app, its unlikely they'll say - oh well it was COM at fault. The COM was afterall being called by a Silverlight app.
Here is what I mean....
User browses for file - c:\myFile.xls
Silverlight prevents you from getting the path (for security reasons)
Silverlight only lets you work with my documents
Using COM you can do what ever you want to the file system in the background anyways. Including copying that file now to my documents, if only you knew the name! But besides that you can wipe any file potentially if its not in use.
In my opinion Silverlight security model is flawed, either they should have given developers full trust and allow us to run apps as if they were running locally
or
Not allowed Silverlight to access COM.
Is it just me, or can anyone else see that its a bad implementation?
This triggers security alerts:
OpenFileDialog flDialog = new OpenFileDialog();
FileInfo fs = flDialog.File;
string fileName = fs.FullName;
This doesn't
dynamic fileSystem = AutomationFactory.CreateObject("Scripting.FileSystemObject");
fileSystem.CopyFile(anyFileName,anyDestination);

I don't agree with your point of view. The fact that you can do pretty much anything that an installed COM object will allow you to do is not a reason to modify a whole bunch of existing Silverlight code to allow you to do those same things.
Why? Because in the process of opening up that code there is also an increase chance that in some unintended way that same code could get run when the Silverlight component is not running in trusted mode. If that were to happen even once the media would all over it in a shot and Silverlight's reputation would, probably unfairly, be in tatters.
Personally I'm quite happy with the very cautious approach to security that MS are taking with Silverlight.

some Silverlight controls such as the OpenFileDialog work in both trusted and untrusted mode. These controls have been ported from previous versions of Silverlight where the new levels are elevated trust were not a consideration.
Thank you to Anthony for pointing this out.
Developers need to be aware of the definition of trust we are discussing here. Running a Silverlight application in full trust with elevated privileges IS NOT the same thing as running a local Silverlight Windows based Application. It is also far more restrictive than ActiveX.
Its possible that the trust here provided in Silverlight suits your particular business requirement. It is however likely that there are scenarios where you will find Silverlight too restrictive, its best to do your research upfront, and run code samples to ensure you can do the critical stuff, before jumping in head over heels.

Microsoft guarantees that public Silverlight API has the same behavior for both for Windows and MacOS platforms. So the functionality is many ways limited by the common denominator and technical feasibility. Please treat COM introp as a specific case addressing only Windows platform and only in full trust mode and it is not going to work the same for other platforms. So the security restrictions are valid as they are the same for both worlds in terms of API reuse.

I agree with the original poster. I think it's bad implementation. We are given a built in dialog to browse for a file, including directory structure. We can select a file and get a FileInfo object, but security prevents us from getting the FullName (directory and file name). Why? How does that improve security? What's the point of the open file dialog to begin with?
And as the original poster mentioned, with those dynamic objects, we can modify the local file system... which seems like the possible security hole.
All I want to do is read some data from an excel file... a way for my users to import excel data into the application, and the file could be saved anywhere on their machine. These are sales reps using an excel files to record orders locally until they can get to an internet connection. Who knows where they all save that file... so I'm not going to try to suggest we tell them all to store it in the same place in "my documents". I'll get laughed at if I suggest that.
It seems like it should be incredibly simple. But that "security measure" that keeps us from getting the directory the user chose from the built in open file dialog makes it so that we can't use the dialog for the purpose it was created for.
So what's the alternative? Is there a way to pick files using those dynamic objects? Do I have to write my own file selection tool using those objects that can modify the file system? Since I don't need anything but to read the file, and because I read something somewhere that we do have access to the file stream... is there a way to using the file stream to open up the file for reading using the AutomationFactory?

Related

what technology should i used to build an window app run with cloud services

I have a software requirement like that:
An app run on window but this app can connect to server to get and use its file by user.
User A can Log in, View all his file from server, Create new file, Edit content, Upload, Share file, View share file of another user.
I usually use .Net framework.
So what technology should i used to resolve this requirement
I really need some advice helpful
Thank!!!
Based upon the comments, I would advice to go for a clean separation between your UI and application functionality.
This will allow you to build possible multiple interfaces ( Win8, Mobile, ... ) for the same application. For Windows environment and you are used to .NET I suggest you take a look at WPF ( Windows Presentation Foundation ). I'm sure you will find that some people already created pretty solid file managers in WPF. It could serve as a good base for yours.
Few pointers if you look at WPF, look on http://www.codeplex.com for frameworks that could ease your coding. (Caliburn.Micro, PRISM, ... ). A very popular pattern is MVVM, this will structure your code so you can easy adjust it in the future.
Further more I think you can get very far with the windows build in libraries to manage the files.
For the editing you'll find a nice challenge to do that in the application, the easy road would just be to let the user open the file from the application into it's proper environment ( e.g.: a word document in Word, excel document in excel, etc.. ).
To get sharing going, multiple options are available. I'm think of sending email links, in application notifications, etc... Sharing could also mean that you set certain permissions on those files. For this you could take it to the limit of domain security management ( talking to an active directory to get the proper permissions etc. ) or you could simple implement your own into your application and restricting it on that level.

Ability to detect if this is the users first login to Windows 7

I have an windows application (WPF) in which we are running on each login, however when the user first logs into a new PC the application will need to do some specific tasks, but only on the users first login and never on subsequent times.
Is there a way in .Net 3.5 to query wether the user has logged in before (ie some kind of login count)?
Failing any native support I will create a txt file in the users registry however I wanted to know if there is a native way of achieving this first.
We use redirected folders so the user may have already logged into a PC on our network these special events should only occur when the user hasnt logged in onto the PC and Windows has had to create a new profile for the user on the PC.
If I am not clearly explaining what I am seeking, please dont hesiate in letting me know.
Matt
Failing any native support I will create a txt file in the users registry however I wanted to know if there is a native way of achieving this first.
I'd recommend going with this option. Don't try to detect it, just create your own state on first run.
I suggest this, not because it is technically impossible to achieve the functionality you describe, but because it is a better user experience. It provides an easy way to re-do the action without having to recreate the user.
... a txt file in the users registry ...
I'm not sure what this means. You can create text files under the user's profile directory, and you can insert string values in the registry (but not files of any sort).
As for the particular mechanism, I suggest you consider:
An App.Config value. Clearing out the value is easier to support or batch-script than a registry value, and makes the user less scared that their machine will explode if you have to tell them to edit the settings. Users are scared of the registry.
A sentinel text file under the user profile directory. Wiping out the file is super-easy to support and batch-script. Instead of editing a text file, they can just delete one. But this makes it so you have multiple config mechanisms, so multiple points of failure. I'd only do this if I were using the App.Config for additional settings in the program and thought the user wouldn't be technical enough to hand edit it.
The windows registry. Remote registry access might be easier than remote file access, if you're having to do remote troubleshooting. It also might be easier to mess with via group policy, in case this is an intranet app and you need to force a re-run on all machines in your org.
I'd carefully consider my options and which is most likely to ease support (be understandable by my users) before committing to one. I'd also consider the remote-troubleshooting/remote reset scenario.
This may not be what you're looking for but I'm hoping it will help you anyway.. I do not know from the top of my head how to do this in WPF but I do know you can use an "unattend.xml" file and the FirstLogonCommands to execute a script or application on first logon. I have used this for Windows 7, it may not apply to XP.

In a local WPF Web Browser Application how do I write to a file? Sandbox doesn't allow?

So I have a local WPF web browser application and I need it to write to a text file. However I always get the an exception of type System.Reflection.TargetInvocationException. I don't get any more information but I'm pretty sure it is because it is being run from a web browser (security etc.).
The code I am using works in a regular windows form application etc. it is the usual:
StreamWriter sw;
sw = File.CreateText("c:\\myTextFile.txt");
sw.WriteLine("First line");
sw.Close();
So, is there a workaround for this?
Many thanks,
Thomas
You could try running in Full Trust mode.
WPF in a browser is going to default to partial trust. You can change that in the Security tab in Project Properties (subject, of course, to it being installed by a trusted user).
The issue is not WPF security problems. The issue is an operating system security feature in play: you can't write to the root of the C: drive without admin privs. Not only would your app need to be in WPF Full Trust mode, but you'd need to grant your app administrative priveledges on Vista and Windows 7 and beyond.
All that said, you should be able to write to files in non-protected paths. For example, you could write to a temporary file as returned by Path.GetTempFilePath(). However, it's likely your WPF browser app will still have to be running in full trust to write to disk at all.
See this page, describing Partial Trust security considerations. If you need to store the file for your own application's use, consider using Isolated Storage. If you want to allow the user to save a file to disk, you can use SaveFileDialog.OpenFile to allow the user to choose a path and confirm saving the file.

Does Silverlight 4's WriteableBitmap *really* cripple legit cross-domain access in the name of DRM?

In this thread from a year ago it's explained that WriteableBitmap will block read access when any part of it comes from an outside domain - say a free image server.
It's further elaborated upon that this is for "DRM". I guess there's some big threat of someone writing a movie-ripper in Silverlight that includes a movie from another domain and then re-captures it... except for the realization you can just rewrite the bloody xap as it comes down the wire and then it's same-domain! But that's neither here nor there.
Anyway, obviously I'm trying to use WritableBitmap to export a screenshot of the user's current setup; but I'm stopped by this cross-domain issue.
Is there really no supported way to do this in the latest version of Silverlight? No crossdomain.xml or clientaccesspolicy.xml? Isn't this crippling for Silverlight - a giant "Screw You", putting half-hearted security roadblocks in that impede developers but don't stop attackers?
Edit: This question is identical to this question here.
Your sentiment is shared by many, many devs trying to do this for legit purposes. There are some work-arounds out there, all of them either hacky or bizarro. But this is probably the best one I've seen: Screen Capture in SIlverlight 4.0.
Just read again and saw that you're not looking for a crossdomain.xml solution. This page has some other options (again, no solution out there is "great"): http://betaforums.silverlight.net/forums/t/118030.aspx
Also, not sure if this is an option, but your app as an OOB app will not be restricted to security checks in ClientAccessPolicy.xml or CrossDomain.xml. Is Out-of-Browser an option for you?
EDIT:
Upon further review of the post and comments, I believe (Tom, please confirm this) that the need isn't to get a screenshot of the user's instance of the SL app running on their own box (which something like Customer Support in Silverlight would take care of pretty well).
Rather, it is to take picture of the user's screen (same as PrtSc-ish). In this case, it is a lot tougher, but not impossible. Rui show's how he does it here, but it relies on a component already being on a user's machine. Jeremy get's even more creative with Silverlight 4 Hack: Use Native/Desktop CLR Without COM Registration, which would effectively allow access.
This WritableBitmap behavior have nothing to do with DRM and everything to do with security. If the screenshot you trying to take shows image element with content from different domain then that domain must have crossdomain.xml file with appropriate permissions. You can contact domain owner and ask them to place crossromain.xml in the root of their domain.
Alternatively, Full-Trust OOB application should do the trick since it doesn't check for crossdomain.xml.
Ok, If you have <Image Source="http://crossdomain.com/someimage.jpg" /> in your visual tree and you try to create WriteableBitmap from it, that WriteableBitmap's pixel access will be locked, crossdomain.xml or not. (Shame on you microsoft). Good news (sorta) is, you can use following workaround: Load image using WebClient; call SetSource on image with stream from OpenReadCompleted handler. Create your WriteableBitmap and notice how Pixels property doesn't throw security exception anymore. Far from ideal, but manageable.
As explained in the identical question the only way to get silverlight to allow you to get the content out of a Writeable Bitmap without any of the following:
Out-of-browser
Service/Code/App/Rooted GAC otherwise installed on the user's Machine
Elevated Trust
is to proxy the content and trick silverlight into thinking it's all from the same domain.

Can Silverlight (SLOOB) start a process even with full trust?

I have been tasked with writing an installer with a silverlight out of browser application. I need to.
get the version off a local EXE
check a web service to see that it is the most recent version
download a zip if not
unpack the zip
overwrite the old EXE
start the EXE
This installer app is written in .NET WinForms now but the .NET framework is an obstacle for people to download.
The recommended solution is to use a SLOOB however i am not sure how to assign full trust. If i assign full trust can I start a process.
Thanks
Looking into this, I suspect you're going to have to create the process using WMI through the COM interface. At the end of the day, that makes this a very difficult option and very subject to failure due to a host of reasons (WMI being disabled or secured, user won't give full trust, etc.) I suspect you would be much better off creating a .msi deployment package or something similar that was able to go out and download the framework, if necessary. There are a lot of deployment models available, almost all of which feel superior to this one.
That said, if you're going to do this:
To get the COM object, you're going to want to use the AutomationFactory.CreateObject(...) API. Tim Heuer provides a sample here.
To actually do the WMI scripting, you're going to want to create the WbemScripting.SWbemLocator object as the root. From there, use the ConnectServer method to get a wmi service on the named machine. You can then interrogate the Win32_Process module to create new processes.
Edit: I spent a little time working on this and, even on my local machine as Admin I'm running into security problems. The correct code would be something similar to:
dynamic locatorService = AutomationFactory.CreateObject("WbemScripting.SWbemLocator");
dynamic wmiService = locatorService.ConnectServer("winmgmts:{impersonationLevel=impersonate,authentationLevel=Pkt}//./root/cimv2");
dynamic process = wmiService.Get("Win32_Process");
dynamic createParameters = process.Methods_["Create"].InParameters.SpawnInstance_;
createParameters.CommandLine = "cmd.exe";
wmiService.ExecMethod("Win32_Process", "Create", createParameters);
Silverlight 4 will have support for something like this: http://timheuer.com/blog/archive/2010/03/15/whats-new-in-silverlight-4-rc-mix10.aspx#sllauncher

Resources