TFS Event Handler for Visual Studio 2008

Closed

Security issues on uploaded assemblies

description

This issue applies to the security restrictions for assemblies that are uploaded and executed.

Raised by: John Lambert - http://forums.microsoft.com/MSDN/showpost.aspx?postid=1542164&siteid=1
"This isn't a good idea in general: ...it's a security issue to execute code from third-parties: imagine if the constructor calls File.Delete("C:\boot.ini")."

Potential solutions:

Run code under user provided credentials.
Require that all assemblies be signed by key provided on request to specific users.

Closed Jan 24, 2008 at 7:13 PM by hinshelmw

The result is that in reality this is not for use for public TFS servers. As administrators will have control over the service, and can make the Event Handler service run under a specific account the problem is mute...

comments

work item details

Item number:	138
User comments:	0
Status:	Closed
Reason Closed:	Unassigned
Type:	Issue
Impact:	High
Release:	Unassigned
Assigned to:	Unassigned
Component:
Reported on: Reported by:	May 2, 2007 at 9:09 AM hinshelmw
Updated on: Updated by:	May 16 at 4:36 AM hinshelmw
Closed on: Closed by:	Jan 24, 2008 at 7:13 PM hinshelmw n/a

Keyboard shortcuts are available for this page.

Updating...

TFS Event Handler for Visual Studio 2008

Security issues on uploaded assemblies

description

file attachments

comments

work item details

Updating...

TFS Event Handler for Visual Studio 2008

Woops...X

Are you sure?X

Security issues on uploaded assemblies

description

file attachments

comments

work item details