[Mono-dev] Possible security issue with Mono's dllmaps in etc/config

Paolo Molaro lupus at ximian.com
Mon Jan 8 10:48:25 EST 2007


On 01/08/07 Marek Habersack wrote:
> <dllmap dll="libxslt.dll" target="libxslt.so" os="!windows"/>
> <dllmap dll="libmySQL.dll" target="libmysqlclient.so" os="!windows" />
> <dllmap dll="odbc32.dll" target="libodbc.so" os="!windows"/>
> 
> we may encounter two issues. First (not security related, just usage
> annoyance) is that on some Linux distributions the lib*.so file won't
> exist unless there are devel packages installed for the library in
> question. So unless the mono library mapper automatically appends the

The people that implemented the dllimport methods that use the above
libraries should fix the config dllmap entries to use the proper valid
soname of the ABI they programmed against. Or they should make sure
to deal with any needed ABI change and check in the code. There is no
need to change anything in the runtime code to fix this, just get the
lazy people to specify the soname/ABI they used.

In the future we'll allow listing multiple targets so if the dllimport
code can handle multiple versions, the dllmap code will try all the
possible targets until one loads:

	<dllmap dll="libmySQL.dll" target="libmysqlclient.so.10" os="!windows" />
	<dllmap dll="libmySQL.dll" target="libmysqlclient.so.12" os="!windows" />

with later entries overriding earlier ones as it is now.
There won't be any support for soname specifications as you suggested,
becaue it's not portable, ordered or reliable.

lupus

-- 
-----------------------------------------------------------------
lupus at debian.org                                     debian/rules
lupus at ximian.com                             Monkeys do it better



More information about the Mono-devel-list mailing list