[Mono-bugs] [Bug 71861][Wis] New - Behaviour of SecurityException after an Exception is thrown

bugzilla-daemon@bugzilla.ximian.com bugzilla-daemon@bugzilla.ximian.com
Thu, 27 Jan 2005 11:24:29 -0500 (EST)


Please do not reply to this email; if you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by sebastien@ximian.com.

http://bugzilla.ximian.com/show_bug.cgi?id=71861

--- shadow/71861	2005-01-27 11:24:29.000000000 -0500
+++ shadow/71861.tmp.15862	2005-01-27 11:24:29.000000000 -0500
@@ -0,0 +1,83 @@
+Bug#: 71861
+Product: Mono: Class Libraries
+Version: 1.1
+OS: All
+OS Details: 
+Status: NEW   
+Resolution: 
+Severity: 
+Priority: Wishlist
+Component: CORLIB
+AssignedTo: mono-bugs@ximian.com                            
+ReportedBy: sebastien@ximian.com               
+QAContact: mono-bugs@ximian.com
+TargetMilestone: ---
+URL: 
+Cc: 
+Summary: Behaviour of SecurityException after an Exception is thrown
+
+Description of Problem:
+
+Microsoft runtime throws a SecurityException when an Exception is created
+and one of it's method/property fails a security check (so far so good).
+
+However once the exception is thrown, the same failure re-throw the initial
+exception (i.e. it doesn't throw the SecurityException).
+
+Mono, when used with --security, always throw a SecurityException.
+
+
+Steps to reproduce the problem:
+1. The following block throws a FileLoadException
+
+try {
+
+	throw new FileLoadException ("message", "filename",
+
+		new FileLoadException ("inner message", "inner filename"));
+
+}
+
+catch (FileLoadException fle) {
+
+	Assert.IsNull (fle.FusionLog, "FusionLog");
+
+}
+
+
+2. In the catch block we try to access to FusionLog. A security demand is
+done (requires both ControlEvidence and ControlPolicy). If it fails then
+the FileLoadException is rethrown (i.e. it doesn't throw a SecurityException).
+
+
+Actual Results:
+SecurityException is thrown
+
+
+Expected Results:
+FileLoadException (original)
+
+
+How often does this happen? 
+Always
+
+
+Additional Information:
+
+* This was found when trying to protect the FusionLog but the same pattern
+is probably used everywhere,
+	* System.BadImageFormatException.get_FusionLog
+	* System.IO.FileLoadException.get_FusionLog
+	* System.IO.FileNotFoundException.get_FusionLog
+
+* There may be a way to deal with this in the runtime (or else declarative
+security would be ineffective in this case). The other alternative is to :
+
+	* use an imperative security demand;
+	* catch a SecurityException
+	* rethrow the original exception (e.g. throw this)
+
+	but this has to be done everywhere a secuirty check is needed.
+
+* Personally and at this point of time I don't think it's worth
+implementing. But I'm leaving it assigned to me so I don't forget about it.
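
Review bot: the reproduction in step 1 contains nothing that makes the FusionLog demand fail, so as written it does not exercise the behaviour the report describes. Step 2 says the getter demands both ControlEvidence and ControlPolicy, but the snippet never restricts those permissions, and when the demand does fail `Assert.IsNull (fle.FusionLog, "FusionLog")` cannot tell the two runtimes apart, because an exception leaves the catch block before the assert completes in both cases. Suggest showing how the permissions were restricted in the failing run, and asserting on the type of the exception that escapes the catch block (FileLoadException expected, SecurityException actual under --security). The Severity field is also left empty, and "secuirty" in Additional Information should read "security".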