Relative URL Membership Conditions

Caspol will allow you to set up a URL membership condition with a relative URL by using a command such as:

caspol -ag 1. -url Foo.dll Internet -exclusive on

This command probably doesn't do what you would expect, though. It does not resolve the location of Foo.dll when you run the command and store that location in policy. Instead, it adds a relative membership condition to your security policy, and that condition is resolved against whatever the current working directory of the process happens to be when policy is evaluated.

If you were using this command to reduce the permissions granted to an assembly, this could be a pretty big problem since you might not notice the relative URL failing to resolve at runtime.  In that case, the assembly you tried to reduce the permissions of would end up running with more trust than expected.

Incidentally, the same issue occurs if policy is being modified programmatically via the UrlMembershipCondition class.  ... However, since this type of membership condition does not behave as you would expect (and doesn't really make much sense to begin with), I wouldn't be entirely surprised if attempting to set up a relative URL membership condition was an error in a future release of the framework.
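
For the programmatic case, one way to keep a relative URL out of policy is to reject it before the membership condition is built. This is an added example, not code from the original post: the AbsoluteUrlPolicy class, its method names and the file:///C:/apps/Foo.dll URL are hypothetical, and it assumes a framework version on which CAS policy is still in effect.

```csharp
using System;
using System.Collections;
using System.Security;
using System.Security.Policy;

static class AbsoluteUrlPolicy   // hypothetical helper, not a framework type
{
    // Refuse anything that is not an absolute URL, so nothing is left to be
    // resolved against the working directory when policy is evaluated.
    public static UrlMembershipCondition CreateCondition(string url)
    {
        Uri parsed;
        if (!Uri.TryCreate(url, UriKind.Absolute, out parsed))
            throw new ArgumentException("URL must be absolute: " + url, "url");
        return new UrlMembershipCondition(url);
    }

    // Code group mirroring "-url <url> Internet -exclusive on".
    public static CodeGroup CreateExclusiveInternetGroup(PolicyLevel level, string url)
    {
        NamedPermissionSet internet = level.GetNamedPermissionSet("Internet");
        if (internet == null)
            throw new InvalidOperationException("No Internet permission set in " + level.Label);
        PolicyStatement statement =
            new PolicyStatement(internet, PolicyStatementAttribute.Exclusive);
        return new UnionCodeGroup(CreateCondition(url), statement);
    }

    static PolicyLevel FindLevel(string label)
    {
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
        {
            PolicyLevel level = (PolicyLevel)levels.Current;
            if (level.Label == label) return level;
        }
        throw new InvalidOperationException("Policy level not found: " + label);
    }

    static void Main()
    {
        string url = "file:///C:/apps/Foo.dll";   // constructed sample location
        CodeGroup group = CreateExclusiveInternetGroup(FindLevel("Machine"), url);

        // Confirm the condition matches evidence for that location before
        // the group is added to policy.
        Evidence evidence = new Evidence();
        evidence.AddHost(new Url(url));
        Console.WriteLine("Matches: " + group.MembershipCondition.Check(evidence));

        try { CreateCondition("Foo.dll"); }        // relative, as in the caspol command
        catch (ArgumentException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

The example builds the code group but does not add it to the policy level or save policy; that step is left to the caller.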
