Security concerns

0 views
Skip to first unread message

Petrhaus

unread,
Feb 5, 2010, 9:17:51 AM2/5/10
to Spark View Engine Dev
Hi all,
I'm currently developing a website requiring end-users r/w access to
views for customization.
My concerns are all about security because I would like to limit (or
maybe totally disable) inline csharp code (#) and assembly/namespace
loading and import (System.IO in primis).
Are there any ways to do this? Is some special configuration parameter
going to appear sometime to help in this?

Thanks in advance.
Petrhaus.

Louis DeJardin

unread,
Feb 5, 2010, 2:32:19 PM2/5/10
to Spark View Engine Dev
A custom build is always an option - this might be a matter for adding
an additional node visitor in the engine's processing stage.

Although that could prevent some of the obvious attacks, I don't think
you'll ever be able to say all possible ways of reversing code back
into the output have been eliminated. When it comes right down to it
that sounds like a matter of creating an interpreted pseudo-language
to use in your views instead of csharp.

Not that it's practical to do that. :) Just saying once you allow
users to edit web app files anything in-between is a compromise that's
not provably secure.

Reply all
Reply to author
Forward
0 new messages