/// <summary>
/// Default constructor for an Effect.
/// </summary>
protected Effect()
{
// Effects are never allowed in partial trust scenarios. So demand
// UIWindow permission immediately in the ctor and get it
// over with.
SecurityHelper.DemandUIWindowPermission();
}
public ReadOnlyCollection <GestureRecognitionResult> Recognize(StrokeCollection strokes)
{
//
// due to possible exploits in the Tablet PC Gesture recognizer's Recognize method,
// we demand unmanaged code.
//
SecurityHelper.DemandUnmanagedCode();
return(RecognizeImpl(strokes));
}
private static void DemandSecurityPermissionIfCustomPackage(Package package)
{
// Although ZipPackage is sealed and cannot be subclassed, we shouldn't depend on
// the "sealedness" of ZipPackage. Checking the object type is more reliable way
// than using "as" or "is" operator.
if (package != null && package.GetType() != typeof(ZipPackage))
{
SecurityHelper.DemandEnvironmentPermission();
}
}
internal static void SafeLaunchBrowserDemandWhenUnsafe(Uri originatingUri, Uri destinationUri, bool fIsTopLevel)
{
LaunchResult launched = LaunchResult.NotLaunched;
launched = SafeLaunchBrowserOnlyIfPossible(originatingUri, destinationUri, fIsTopLevel);
if (launched == LaunchResult.NotLaunched)
{
SecurityHelper.DemandUnmanagedCode();
UnsafeLaunchBrowser(destinationUri);
}
}
private void LoadFromFile(string fileName)
{
SecurityHelper.DemandFileIOReadPermission(fileName);
// Load a Custom Cursor
_cursorHandle = UnsafeNativeMethods.LoadImageCursor(IntPtr.Zero,
fileName,
NativeMethods.IMAGE_CURSOR,
0, 0,
NativeMethods.LR_DEFAULTCOLOR |
NativeMethods.LR_LOADFROMFILE |
(_scaleWithDpi? NativeMethods.LR_DEFAULTSIZE : 0x0000));
int errorCode = Marshal.GetLastWin32Error();
if (_cursorHandle == null || _cursorHandle.IsInvalid)
{
// Note: chandras 02/02/2005
// Bug # 1016022: LoadImage returns a null handle but does not set
// the error condition when icon file is of an incorrect type (e.g., .bmp)
//
// LoadImage has a bug where it doesn't set the correct error code
// when a file is given that is not an ico file. Icon load fails
// but win32 error code is still zero (success). Thus, we need to
// special case this scenario.
//
if (errorCode != 0)
{
if ((errorCode == NativeMethods.ERROR_FILE_NOT_FOUND) || (errorCode == NativeMethods.ERROR_PATH_NOT_FOUND))
{
throw new Win32Exception(errorCode, SR.Get(SRID.Cursor_LoadImageFailure, fileName));
}
else
{
throw new Win32Exception(errorCode);
}
}
else
{
throw new ArgumentException(SR.Get(SRID.Cursor_LoadImageFailure, fileName));
}
}
}
private void LoadFromFile(string fileName)
{
SecurityHelper.DemandFileIOReadPermission(fileName);
// Load a Custom Cursor
_cursorHandle = UnsafeNativeMethods.LoadImageCursor(IntPtr.Zero,
fileName,
NativeMethods.IMAGE_CURSOR,
0, 0,
NativeMethods.LR_DEFAULTCOLOR |
NativeMethods.LR_LOADFROMFILE |
(_scaleWithDpi? NativeMethods.LR_DEFAULTSIZE : 0x0000));
int errorCode = Marshal.GetLastWin32Error();
if (_cursorHandle == null || _cursorHandle.IsInvalid)
{
// Note: chandras 02/02/2005
//
if (errorCode != 0)
{
if ((errorCode == NativeMethods.ERROR_FILE_NOT_FOUND) || (errorCode == NativeMethods.ERROR_PATH_NOT_FOUND))
{
throw new Win32Exception(errorCode, SR.Get(SRID.Cursor_LoadImageFailure, fileName));
}
else
{
throw new Win32Exception(errorCode);
}
}
else
{
throw new ArgumentException(SR.Get(SRID.Cursor_LoadImageFailure, fileName));
}
}
}
protected override void UpdateUnmanagedPropertyState(SafeHandle unmanagedEffect)
{
SecurityHelper.DemandUIWindowPermission();
}
public static DataFormat GetDataFormat(string format)
{
if (format == null)
{
throw new ArgumentNullException("format");
}
if (format == string.Empty)
{
throw new ArgumentException(SR.Get(SRID.DataObject_EmptyFormatNotAllowed));
}
// Ensures the predefined Win32 data formats into our format list.
EnsurePredefined();
// Lock the data format list to obtains the mutual-exclusion.
lock (_formatListlock)
{
int formatId;
int index;
// It is much faster to do a case sensitive search here. So do
// the case sensitive compare first, then the expensive one.
//
for (int n = 0; n < _formatList.Count; n++)
{
DataFormat formatItem;
formatItem = (DataFormat)_formatList[n];
if (formatItem.Name.Equals(format))
{
return(formatItem);
}
}
for (int n = 0; n < _formatList.Count; n++)
{
DataFormat formatItem;
formatItem = (DataFormat)_formatList[n];
if (String.Compare(formatItem.Name, format, StringComparison.OrdinalIgnoreCase) == 0)
{
return(formatItem);
}
}
// In the most cases the default formats return earlier. If we got here
// then this is an attempt to register a new format which is not ok in partial trust.
SecurityHelper.DemandUnmanagedCode();
// Reigster the this format string.
formatId = UnsafeNativeMethods.RegisterClipboardFormat(format);
if (formatId == 0)
{
throw new System.ComponentModel.Win32Exception();
}
index = _formatList.Add(new DataFormat(format, formatId));
return((DataFormat)_formatList[index]);
}
}
private static LaunchResult CanNavigateToUrlWithZoneCheck(Uri originatingUri, Uri destinationUri)
{
LaunchResult launchResult = LaunchResult.NotLaunched; // fail securely - assume this is the default.
int targetZone = NativeMethods.URLZONE_LOCAL_MACHINE; // fail securely this is the most priveleged zone
int sourceZone = NativeMethods.URLZONE_INTERNET; // fail securely this is the least priveleged zone.
bool fEnabled = true;
EnsureSecurityManager();
// is this feature enabled ?
fEnabled = UnsafeNativeMethods.CoInternetIsFeatureEnabled(
NativeMethods.FEATURE_ZONE_ELEVATION,
NativeMethods.GET_FEATURE_FROM_PROCESS) != NativeMethods.S_FALSE;
targetZone = MapUrlToZone(destinationUri);
// Get source zone.
// Initialize sourceUri to null so that source zone defaults to the least privileged zone.
Uri sourceUri = null;
// If the MimeType is not a container, attempt to find sourceUri.
// sourceUri should be null for Container cases, since it always assumes
// the least privileged zone (InternetZone).
if (Application.Current.MimeType != MimeType.Document)
{
sourceUri = BrowserInteropHelper.Source;
}
else if (destinationUri.IsFile &&
System.IO.Path.GetExtension(destinationUri.LocalPath)
.Equals(DocumentStream.XpsFileExtension, StringComparison.OrdinalIgnoreCase))
{
// In this case we know the following:
// 1) We are currently a Container
// 2) The destination is a File and another Container
// In this case we want to treat the destination as internet too so Container
// can navigate to other Containers by passing zone checks
targetZone = NativeMethods.URLZONE_INTERNET;
}
if (sourceUri != null)
{
sourceZone = MapUrlToZone(sourceUri);
}
else
{
// 2 potential ways to get here.
// a) We aren't a fusion hosted app. Assume full-trust.
// b) Some
bool fTrusted = SecurityHelper.CheckUnmanagedCodePermission();
if (fTrusted)
{
return(LaunchResult.Launched);
}
else
{
//
// If we didn't get a SourceUri, we'll assume internet zone.
// And use Source for the uri of origin.
//
// This isn't quite right - but the sourceUri is only used to show a message to the user.
// Worse case is confusing user experience. ( this uri is not used in the elevation determination).
//
sourceZone = NativeMethods.URLZONE_INTERNET;
sourceUri = originatingUri;
}
}
// <Notes from Trident>
// ------------------------------
// Check if there is a zone elevation.
// Custom zones would have a higher value that URLZONE_UNTRUSTED, so this solution isn't quite complete.
// However, we don't know of any product actively using custom zones, so rolling this out.
// INTRANET and TRUSTED are treated as equals.
// ------------------------------
// </Notes from Trident>
//
// Note the negative logic - it first sees to see something is *not* a zone elevation.
//
if (
// Even if feature is disabled.
// We still block navigation to local machine.
// IF source zone is internet or restricted.
(!fEnabled &&
((sourceZone != NativeMethods.URLZONE_INTERNET &&
sourceZone != NativeMethods.URLZONE_UNTRUSTED) ||
targetZone != NativeMethods.URLZONE_LOCAL_MACHINE)) ||
// If feature is enabled
// It's not a zone elevation if
// the zones are equal OR
// the zones are both less than restricted and
// the sourceZone is more trusted than Target OR
// sourceZone and TargetZone are both Intranet or Trusted
//
// per aganjam - Intranet and Trusted are treated as equivalent
// as it was a common scenario for IE. ( website on intranet points to trusted site).
//
(fEnabled &&
(
sourceZone == targetZone ||
(
sourceZone <= NativeMethods.URLZONE_UNTRUSTED &&
targetZone <= NativeMethods.URLZONE_UNTRUSTED &&
(
sourceZone < targetZone ||
(
(sourceZone == NativeMethods.URLZONE_TRUSTED || sourceZone == NativeMethods.URLZONE_INTRANET) &&
(targetZone == NativeMethods.URLZONE_TRUSTED || targetZone == NativeMethods.URLZONE_INTRANET)
)
)
)
)))
{
// There is no zone elevation. You can launch away !
return(LaunchResult.Launched);
}
launchResult = CheckBlockNavigation(sourceUri,
destinationUri,
fEnabled);
return(launchResult);
}
public static Cursor Create(SafeHandle cursorHandle)
{
SecurityHelper.DemandUIWindowPermission();
return(CriticalCreate(cursorHandle));
}
