I've recently been looking a lot into Silverlight and into how tomorrow's business applications might look like. In this process, I've come across a well known limitation of Silverlight 4's out-of-browser support: Even in elevated scenarios, the application can only access files in the "My *"-Folders (My Documents, etc.). This struck me as rather odd as - at the same time - full COM access is possible.
The reason this struck me as odd is that one could easily use a COM component to perform the work:
public static void WriteToFile(byte[] buffer, string fileName)
{
if (!(App.Current.IsRunningOutOfBrowser && ComAutomationFactory.IsAvailable))
{
throw new Exception("This functionality only works OOB with elevated permissions");
}
string tmpFile = null;
do
{
Guid id = Guid.NewGuid();
tmpFile = Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments) + "\\" + id;
} while (File.Exists(tmpFile));
using (Stream st = File.Create(tmpFile))
{
st.Write(buffer, 0, buffer.Length);
}
dynamic fso = ComAutomationFactory.CreateObject("Scripting.FileSystemObject");
dynamic file = fso.GetFile(tmpFile);
file.Copy(fileName);
File.Delete(tmpFile);
}
Please note that this is not a security vulnerability: it's just how COM has worked forever. I would just like to ask for the removal of the "My *"-folder limitation as it doesn't really increase security, but makes ugly workarounds like the one presented above necessary.
Oh, so that's why. Thanks for the update. Removing My Folders now.
Posted by: ventrillo servers | 03/02/2010 at 02:48 PM