[prev in list] [next in list] [prev in thread] [next in thread]
List: log4net-dev
Subject: Re: [Fwd: Re: There seems an easy fix for loading custom classes.
From: "Alexey N. Solofnenko" <A.Solofnenko () mdl ! com>
Date: 2004-02-23 15:23:09
Message-ID: 403A1ADD.4020708 () mdl ! com
[Download RAW message or body]
Thank you a lot!
- Alexey.
Nicko Cadell wrote:
>Alexey,
>
>I will add your enhancement. I think that the risk can be mitigated by
>education (i.e. documenting that an assembly qualified type name is
>preferred, especially for production environments) and also by attempting to
>lookup the type in the relativeAssembly assembly first (as you have done). I
>will also add an internal log message to indicate which assembly the type
>was loaded from.
>
>Nicko
>
>
>
>>-----Original Message-----
>>From: Alexey N. Solofnenko [mailto:A.Solofnenko@mdl.com]
>>Sent: 22 February 2004 23:25
>>To: Log4NET Dev
>>Subject: Re: [Fwd: Re: There seems an easy fix for loading
>>custom classes. What do you think?]
>>
>> It is an unnecessary hassle to require full assembly names
>>in a logger configuration file. At least it would require us
>>to change those files for every build.
>>
>> Unless there is a special security requirement, I do not
>>think the code makes the situation worse. Default behaviour
>>is preserved and additional behaviour is introduced when
>>default behaviour does not work.
>>If you still believe it is too risky, could you please add a
>>callback interface, so the behaviour could be controlled from outside?
>>
>>- Alexey.
>>
>>Nicko Cadell wrote:
>>
>>
>>
>>>Alexey,
>>>
>>>I'm not sure what issue you are having with loading custom
>>>
>>>
>>classes that
>>
>>
>>>requires this change?
>>>
>>>I would not call this a 'fix' because loading custom classes
>>>
>>>
>>works fine
>>
>>
>>>if you specify an assembly qualified type name. This could be an
>>>enhancement that means you don't need to specify the fully
>>>
>>>
>>qualified type name.
>>
>>
>>>When a type name is specified that is not assembly qualified
>>>
>>>
>>we could
>>
>>
>>>add this code to look in all the loaded assemblies for a
>>>
>>>
>>type with that name.
>>
>>
>>>Consider the following questions:
>>>
>>>Does this impose additional security requirements? i.e. do
>>>
>>>
>>we need more
>>
>>
>>>privileges to call AppDomain.CurrentDomain.GetAssemblies()
>>>
>>>
>>than to call
>>
>>
>>>Assembly.GetType()? Especially when the assembly being
>>>
>>>
>>reflected is the
>>
>>
>>>calling assembly.
>>>
>>>Does this code introduce non-deterministic type binding? What if the
>>>same type exists in more than one of the loaded assemblies? Does
>>>AppDomain.CurrentDomain.GetAssemblies() always return the
>>>
>>>
>>assemblies in
>>
>>
>>>the same order? Is this a security weakness? Could an attacker add a
>>>new assembly that substitute a different custom class?
>>>
>>>
>>(probably not with CAS).
>>
>>
>>>Will the custom class be loaded into the AppDomain when log4net is
>>>configured? It is best practice to configure log4net as early as
>>>possible in the process execution. Additional assemblies will not be
>>>loaded into the AppDomain until a Type from the assembly is
>>>
>>>
>>referenced,
>>
>>
>>>therefore they probably will not have been loaded at the
>>>
>>>
>>time log4net
>>
>>
>>>is configured, also this is a JIT implementation detail that
>>>
>>>
>>may change
>>
>>
>>>unpredictably in future versions of the runtime.
>>>
>>>Cheers,
>>>
>>>Nicko
>>>
>>>
>>>
>>>
>>>
>>>
>>>>-----Original Message-----
>>>>From: Alexey N. Solofnenko [mailto:A.Solofnenko@mdl.com]
>>>>Sent: 20 February 2004 21:26
>>>>To: log4net-dev@logging.apache.org
>>>>Subject: [Fwd: Re: There seems an easy fix for loading
>>>>
>>>>
>>custom classes.
>>
>>
>>>>What do you think?]
>>>>
>>>>I should have sent it to a dev list.
>>>>
>>>>- Alexey.
>>>>
>>>>-------- Original Message --------
>>>>Subject: Re: There seems an easy fix for loading custom
>>>>classes. What do you think?
>>>>Date: Fri, 20 Feb 2004 10:33:34 -0800
>>>>From: Alexey N. Solofnenko <A.Solofnenko@mdli.com>
>>>><mailto:A.Solofnenko@mdli.com>
>>>>Reply-To: Log4NET User <log4net-user@logging.apache.org>
>>>><mailto:log4net-user@logging.apache.org>
>>>>To: Log4NET User <log4net-user@logging.apache.org>
>>>><mailto:log4net-user@logging.apache.org>
>>>>References: <40365148.8030701@mdl.com>
>>>><mailto:40365148.8030701@mdl.com>
>>>>
>>>>
>>>>Sorry, the additional code should pass "false" instead of
>>>>throwOnError.
>>>>
>>>> Type type=relativeAssembly.GetType(typeName, false,
>>>>ignoreCase);
>>>> if (type!=null) return type;
>>>> foreach (Assembly assembly in
>>>>AppDomain.CurrentDomain.GetAssemblies()) {
>>>> type=assembly.GetType(typeName, false, ignoreCase);
>>>> if (type!=null) return type;
>>>> }
>>>> if (throwOnError) throw new TypeLoadException("Type
>>>>'"+typeName+"' cannot be found");
>>>> else return null;
>>>>
>>>>- Alexey.
>>>>
>>>>Alexey N. Solofnenko wrote:
>>>>
>>>>
>>>> Hello,
>>>>
>>>> I have tried the following code in
>>>>SystemInfo.getTypeFromString() and it works well on my computer.
>>>>Instead of looking for a class in just relativeAssembly, all loaded
>>>>assemblies are searched for the class. Do you think log4net can be
>>>>updated to do the same?
>>>>
>>>> Sincerely,
>>>> Alexey Solofnenko.
>>>>
>>>>
>>>> public static Type GetTypeFromString(Assembly
>>>>relativeAssembly, string typeName, bool throwOnError, bool
>>>>
>>>>
>>ignoreCase)
>>
>>
>>>> {
>>>> // Check if the type name specifies the
>>>>
>>>>
>>assembly name
>>
>>
>>>> if(typeName.IndexOf(',') == -1)
>>>> {
>>>> //LogLog.Debug("SystemInfo: Loading type
>>>>["+typeName+"] from assembly ["+relativeAssembly.FullName+"]");
>>>> #if NETCF
>>>> return
>>>>relativeAssembly.GetType(typeName, throwOnError);
>>>> #else
>>>> Type
>>>>type=relativeAssembly.GetType(typeName, throwOnError, ignoreCase);
>>>> if (type!=null) return type;
>>>> foreach (Assembly assembly in
>>>>AppDomain.CurrentDomain.GetAssemblies()) {
>>>> type=assembly.GetType(typeName, false, ignoreCase);
>>>> if (type!=null) return type;
>>>> }
>>>> if (throwOnError) throw new
>>>>TypeLoadException("Type '"+typeName+"' cannot be found");
>>>> else return null;
>>>> #endif
>>>> }
>>>> else
>>>> {
>>>> // Includes assembly name
>>>> //LogLog.Debug("SystemInfo: Loading type
>>>>["+typeName+"] from global Type");
>>>> #if NETCF
>>>> return Type.GetType(typeName, throwOnError);
>>>> #else
>>>> return Type.GetType(typeName, throwOnError,
>>>>ignoreCase);
>>>> #endif
>>>> }
>>>> }
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic