I've recently been looking a lot into Silverlight and into how tomorrow's business applications might look like. In this process, I've come across a well known limitation of Silverlight 4's out-of-browser support: Even in elevated scenarios, the application can only access files in the "My *"-Folders (My Documents, etc.). This struck me as rather odd as - at the same time - full COM access is possible.
The reason this struck me as odd is that one could easily use a COM component to perform the work:
public static void WriteToFile(byte[] buffer, string fileName)
{
if (!(App.Current.IsRunningOutOfBrowser && ComAutomationFactory.IsAvailable))
{
throw new Exception("This functionality only works OOB with elevated permissions");
}
string tmpFile = null;
do
{
Guid id = Guid.NewGuid();
tmpFile = Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments) + "\\" + id;
} while (File.Exists(tmpFile));
using (Stream st = File.Create(tmpFile))
{
st.Write(buffer, 0, buffer.Length);
}
dynamic fso = ComAutomationFactory.CreateObject("Scripting.FileSystemObject");
dynamic file = fso.GetFile(tmpFile);
file.Copy(fileName);
File.Delete(tmpFile);
}
Please note that this is not a security vulnerability: it's just how COM has worked forever. I would just like to ask for the removal of the "My *"-folder limitation as it doesn't really increase security, but makes ugly workarounds like the one presented above necessary.
Comments