This post originated from an RSS feed registered with .NET Buzz
by Chris Flaat.
Original Post: More thoughts on handling untrusted solutions/projects
Feed Title: Chris Flaat's Weblog
Feed URL: /msdnerror.htm?aspxerrorpath=/cflaat/Rss.aspx
Feed Description: I mainly discuss tips & tricks about VS 2002, VS 2003, and upcoming versions of VS.
A reader named Uri commented on my July 15th entry about safe handling of untrusted
solutions & projects. He brings up some good points which I thought worth
addressing.
One thing he mentions is that often one needs to grab a whole sample project at a
time and can't just grab snippests here & there. True enough, Uri, that's
sometimes the case. When it's most effective to grab a whole project, just be
sure that the source is someone you trust.
Another question Uri raises is whether one might be able to quarantine untrusted code
by putting it on another share to make it be in a less-trusted zone. This is
a great point, and there are indeed some things that are a bit safer when done in
this way. However, there are still many potential ways to get fried, and unfortunately
putting an untrusted solution/project on another share still doesn't really make it
safe to use.
Some things to note if you were to try loading a solution/project from another share:
On loading, the IDE will give you ominous warnings that things may not work correctly.
Custom build steps in C# projects, a new feature in VS 2003, generally won't
work, at least not that I found. In a sense this is good, because it means rogue
build steps wouldn't run, but it's also bad because any legitimate build step won't
happen either.
Despite the fact that C# custom build steps won't run, an evil project can still toast
you in other subtle ways as part of the build process.
In general, using a project from an intranet share won't protect you from mailicious
solutions/projects, and will furthermore interfere with legitimate ones, so I don't
really recommend this approach.
Previous Topic
