private void AddControlToDescriptions(Control control, ArrayList descriptions)
{
WebPart webPart = control as WebPart;
if ((webPart == null) && !(control is LiteralControl))
{
// Fix for DesignMode
if (WebPartManager != null)
{
webPart = WebPartManager.CreateWebPart(control);
}
else
{
webPart = WebPartManager.CreateWebPartStatic(control);
}
}
// Fix for DesignMode
if (webPart != null && (WebPartManager == null || WebPartManager.IsAuthorized(webPart)))
{
WebPartDescription description = new WebPartDescription(webPart);
descriptions.Add(description);
}
}
private void CreateAvailableWebPartDescriptions()
{
if (_availableWebPartDescriptions != null)
{
return;
}
if (WebPartManager == null || String.IsNullOrEmpty(_importedPartDescription))
{
_availableWebPartDescriptions = new WebPartDescriptionCollection();
return;
}
// Run in minimal trust
PermissionSet pset = new PermissionSet(PermissionState.None);
// add in whatever perms are appropriate
pset.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
pset.AddPermission(new AspNetHostingPermission(AspNetHostingPermissionLevel.Minimal));
pset.PermitOnly();
bool permitOnly = true;
string title = null;
string description = null;
string icon = null;
// Extra try-catch block to prevent elevation of privilege attack via exception filter
try {
try {
// Get the WebPart description from its saved XML description.
using (StringReader sr = new StringReader(_importedPartDescription)) {
using (XmlReader reader = XmlUtils.CreateXmlReader(sr)) {
if (reader != null)
{
reader.MoveToContent();
// Check if imported part is authorized
// Get to the metadata
reader.MoveToContent();
reader.ReadStartElement(WebPartManager.ExportRootElement);
reader.ReadStartElement(WebPartManager.ExportPartElement);
reader.ReadStartElement(WebPartManager.ExportMetaDataElement);
// Get the type name
string partTypeName = null;
string userControlTypeName = null;
while (reader.Name != WebPartManager.ExportTypeElement)
{
reader.Skip();
if (reader.EOF)
{
throw new EndOfStreamException();
}
}
if (reader.Name == WebPartManager.ExportTypeElement)
{
partTypeName = reader.GetAttribute(WebPartManager.ExportTypeNameAttribute);
userControlTypeName = reader.GetAttribute(WebPartManager.ExportUserControlSrcAttribute);
}
// If we are in shared scope, we are importing a shared WebPart
bool isShared = (WebPartManager.Personalization.Scope == PersonalizationScope.Shared);
if (!String.IsNullOrEmpty(partTypeName))
{
// Need medium trust to call BuildManager.GetType()
PermissionSet mediumPset = new PermissionSet(PermissionState.None);
mediumPset.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
mediumPset.AddPermission(new AspNetHostingPermission(AspNetHostingPermissionLevel.Medium));
CodeAccessPermission.RevertPermitOnly();
permitOnly = false;
mediumPset.PermitOnly();
permitOnly = true;
Type partType = WebPartUtil.DeserializeType(partTypeName, true);
CodeAccessPermission.RevertPermitOnly();
permitOnly = false;
pset.PermitOnly();
permitOnly = true;
// First check if the type is authorized
if (!WebPartManager.IsAuthorized(partType, null, null, isShared))
{
_importErrorMessage = SR.GetString(SR.WebPartManager_ForbiddenType);
return;
}
// If the type is not a webpart, create a generic Web Part
if (!partType.IsSubclassOf(typeof(WebPart)) && !partType.IsSubclassOf(typeof(Control)))
{
// We only allow for Controls (VSWhidbey 428511)
_importErrorMessage = SR.GetString(SR.WebPartManager_TypeMustDeriveFromControl);
return;
}
}
else
{
// Check if the path is authorized
if (!WebPartManager.IsAuthorized(typeof(UserControl), userControlTypeName, null, isShared))
{
_importErrorMessage = SR.GetString(SR.WebPartManager_ForbiddenType);
return;
}
}
while (!reader.EOF)
{
while (!reader.EOF && !(reader.NodeType == XmlNodeType.Element &&
reader.Name == WebPartManager.ExportPropertyElement))
{
reader.Read();
}
if (reader.EOF)
{
break;
}
string name = reader.GetAttribute(WebPartManager.ExportPropertyNameAttribute);
if (name == TitlePropertyName)
{
title = reader.ReadElementString();
}
else if (name == DescriptionPropertyName)
{
description = reader.ReadElementString();
}
else if (name == IconPropertyName)
{
string url = reader.ReadElementString().Trim();
if (!CrossSiteScriptingValidation.IsDangerousUrl(url))
{
icon = url;
}
}
else
{
reader.Read();
continue;
}
if (title != null && description != null && icon != null)
{
break;
}
reader.Read();
}
}
}
if (String.IsNullOrEmpty(title))
{
title = SR.GetString(SR.Part_Untitled);
}
_availableWebPartDescriptions = new WebPartDescriptionCollection(
new WebPartDescription[] { new WebPartDescription(ImportedWebPartID, title, description, icon) });
}
}
catch (XmlException) {
_importErrorMessage = SR.GetString(SR.WebPartManager_ImportInvalidFormat);
return;
}
catch {
_importErrorMessage = (!String.IsNullOrEmpty(_importErrorMessage)) ?
_importErrorMessage :
SR.GetString(SR.WebPart_DefaultImportErrorMessage);
return;
}
finally {
if (permitOnly)
{
// revert if you're not just exiting the stack frame anyway
CodeAccessPermission.RevertPermitOnly();
}
}
}
catch {
throw;
}
}