[Mono-bugs] [Bug 694304] New: Appdomain not handled correctly for limiting code execution

bugzilla_noreply at novell.com bugzilla_noreply at novell.com
Tue May 17 10:41:54 EDT 2011



           Summary: Appdomain not handled correctly for limiting code
    Classification: Mono
           Product: Mono: Runtime
           Version: 2.10.x
          Platform: x86-64
        OS/Version: Mac OS X 10.6
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: remoting
        AssignedTo: lluis at novell.com
        ReportedBy: andres.meyer at computer.org
         QAContact: mono-bugs at lists.ximian.com
          Found By: ---
           Blocker: ---

Created an attachment (id=429986)
 --> (http://bugzilla.novell.com/attachment.cgi?id=429986)
test program

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-us)
AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1

When running the attached example in 2.10.1, an ironpython script can actually
open a file on the system, even though the appdomain should prohibit it. in
2.10.2, a System.Reflection.MonoCMethod SerializationException is thrown, but
not a Security exception.

Reproducible: Always

Steps to Reproduce:
1. compile the attached program for .net 3.5 (get ironpython 2.6)
2. create a test file /tmp/test.txt
3. run the program
Actual Results:  
in 2.10.1, the program gets executed and returns the contents of the file. This
should not be possible as the security should not allow this. In 2.10.2, a
serialization error gets thrown, but no security exception

Expected Results:  
In windows .net a security exception is thrown

Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

More information about the mono-bugs mailing list