security - Drag/Drop between medium/high integrity level processes in Windows Vista -

-

In Windows Vista, I am unable to drag / drop files on the window of my application because it is running as a process of high integrity level I

. I need to run it as high, but I should be able to accept files left with low / medium integrity-level processes like Windows Explorer. I believe this is a UII that is blocking the drag / drop operation. I know that I can use the ChangeWebFilter function to allow some Windows messages to bypass the UIPI, but I'm not sure which message to add to the drag / drop operation. I want to changeWindowMessage Filter the right approach to allow, or is there a better way? Thanks!

Considering the title of this blog entry:
"", I think it The best way is not;)

Now, it may seem like a great approach to the first - after all, you'll only use ChangeWindowMessageFilter when you are sure That you can fully validate a received message even if it is from an unreliable source, there is no way that someone is wrong, right?

The problem is that if you do this, then you are often opening your program to attack you unknowingly .
For a window, consider how custom window messages are commonly used; Virtually all general controls in the custom class message category (such as WM_USER and friends) have "dangerous" messages.

In addition to this, many programs and third-party libraries have confused WM_USER and WM_APP , so you can cross-process both the notation Through "Code"> WM_USER and WM_APP , you can use to communicate through "dangerous" messages or include pointer parameters.

In the comments of this blog entry, an alternative approach was discussed, but with the very same conclusion:

I < Code> RegisterWindowMessage and then allow it through the ChangeWindowMessageFilter . However, keep in mind that you can not design cross-process window messaging interface which passes points or other unreliable values ​​or you are creating a security hole.

For this reason, I would have to avoid using the window at all, for the most cross-process IPC (if possible) ssages, because generally non-trivial things are protected by them. Very difficult to do in the form.

Note: This entry indicates the same problem, and indicates practical articles of Raymond Chen:

For both extensions of this issue, this server-level question includes some answers, but no quick-wins.

See also


Comments

Post a Comment

Popular posts from this blog

c# - ListView onScroll event -

-
I am programming a simple C # application, and I need a Scallow event on the list view. So I inherited the original ListView class created in ListviewEx witch. I found out how to locate the scroll message from WinAPI and I modified the WndProc method. Now I have this WndProc: protected override zero WndProc (Ref message message) {base.WndProc (Ref I); If (m.msg == WM_VSCROLL) {onScroll (This, New EventArgs ()); }} But the problem is, I do not know how to know about scrolling information. This data should be in wParam, but there is a LOWORD macro ++ like in C in C # and I switch to find the criteria like SB_ below, SB_ENDSCROLL, SB_PAGEUP etc. there any way Need to change the LOWORD macro from C #? Or any other way to find the necessary parameters about scrolling? You can define the WParam constants as the following: Private const int WM_HSCROLL = 0x114; Private Constant WM_VSCROLL = 0x115; Private contact int SBHOZZ = 0; Private Consultant SB_VERT = 1; Private Con...
Read more

PHP - get image from byte array -

-
I am trying to create a back-end for my mobile application. I am sending the content of an image in the body of the HTTP request (output stream) as a byte array, I want to read this stream of bytes in PHP scripts and take back an image. Can anyone tell me how can I do this? Thank you. You can obtain the request body $ body = Reading from file_get_contents ('php: // input'); What you do with that data Depending on you, you can write the data in a file as you mentioned that this is image data, you can drop the data into the object can do. Another option is to use and load the image.
Read more

Linux Terminal Problem with Non-Canonical Terminal I/O app -

-
I have a small app written in C to run on Linux. Part of the app accepts user-input from keyboard , And it uses non-canonical terminal mode so that it can respond to each keystroke. The section of the code that accepts input is a simple task that is called repeatedly in the loop: char get_input () {char C = 0; Int res = reading (input_tamille, & amp; c, 1); If (RSS == 0) 0 returns; If (res == -1) {/ * snip error handling * /} return c; } It reads a letter from the terminal if there is no input within a given time limit, (c_cc [VTIME] value in the vocabulary structure), read () 0 And get_input () is called again It all works very well, I have recently discovered that if you run this app in a terminal window, and then the app Close the terminal window without ending, the app will not exit Received, but CPU intensive launches into an infinite loop, where the read () returns 0 without waiting continued. So how can I get out of the apple if it runs from the terminal win...
Read more