I have a Silverlight 4 application running inside the browser without elevated permission, and in it I have an upload files functionality section where an OpenFileDialog window appears and you can select the files you want to upload and save the files into the database.
The problem is that the application can actually access files outside the user’s profile folders, which is not allowed by the Silverlight security policy.
    private Asset ReadAsset(FileInfo fileInfo)
    {
        byte[] fileBuffer;
        using (FileStream fileStream = fileInfo.OpenRead()) //This line works from any location
        {
            using (BinaryReader binaryReader = new BinaryReader(fileStream))
            {
                fileBuffer = binaryReader.ReadBytes((int)fileStream.Length);
                binaryReader.Close();
            }
            fileStream.Close();
        }
        DirectoryInfo di = fileInfo.Directory; //This line doesn't work
    }
This actually reads the files no matter the location (I could even read a file in the system32 folder), and I have no means to get the “My Documents” or “Documents” folder because even
    Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments);
is not working. So in short: I can read the bytes from any file in any location, which Silverlight apps running in browsers are not supposed to do.
Any help will be appreciated.
I think what you seem to be concerned about is that via OpenFileDialog any file can be read regardless of its location in the client file system. This is fine and normal. The OOB with trust restrictions only apply to unsolicited access. That is, access to the file system without direct and explicit interaction by the user.
In the case of OpenFileDialog the user has explicitly specified what file(s) to select, and users are free to select any files they wish. This is true even for a standard in-browser app.
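
An added example, not part of the original question or answer: a sandboxed upload handler that stays within the user-solicited access described above, reading only the files the user picked and keeping only the file name and bytes. The class name `UploadPage`, the handler name, the `pending` dictionary and the size cap are assumptions made for the illustration.

```csharp
using System.Collections.Generic;
using System.IO;
using System.Windows;
using System.Windows.Controls;

public partial class UploadPage : UserControl // hypothetical page name
{
    // Hypothetical size cap for this example; not from the original post.
    private const long MaxUploadBytes = 10 * 1024 * 1024;
    private readonly Dictionary<string, byte[]> pending = new Dictionary<string, byte[]>();

    // Silverlight only allows the dialog to be shown from a user-initiated
    // event such as a button click, so file access always starts with the user.
    private void BrowseButton_Click(object sender, RoutedEventArgs e)
    {
        var dialog = new OpenFileDialog { Multiselect = true };
        if (dialog.ShowDialog() != true)
            return; // user cancelled: no file was handed to the application

        foreach (FileInfo file in dialog.Files)
        {
            // Only Name, Length and the content are used. Path-revealing members
            // such as Directory fail in the sandbox, as the question observed.
            if (file.Length > MaxUploadBytes)
                continue;
            pending[file.Name] = ReadAll(file);
        }
    }

    // Reads the selected file in chunks instead of trusting a single ReadBytes call.
    private static byte[] ReadAll(FileInfo file)
    {
        using (Stream input = file.OpenRead())
        using (var buffer = new MemoryStream())
        {
            var chunk = new byte[64 * 1024];
            int read;
            while ((read = input.Read(chunk, 0, chunk.Length)) > 0)
                buffer.Write(chunk, 0, read);
            return buffer.ToArray();
        }
    }
}
```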