mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
86 lines
3.6 KiB
86 lines
3.6 KiB
/*****************************************************************************\
|
|
FILE: autosecurity.h
|
|
|
|
DESCRIPTION:
|
|
Helpers functions to check if an Automation interface or ActiveX Control
|
|
is hosted or used by a safe caller.
|
|
|
|
BryanSt 8/20/1999
|
|
Copyright (C) Microsoft Corp 1999-1999. All rights reserved.
|
|
\*****************************************************************************/
|
|
|
|
#ifndef _AUTOMATION_SECURITY_H_
|
|
#define _AUTOMATION_SECURITY_H_
|
|
|
|
#include <ocidl.h> // IObjectWithSite
|
|
#include <shlwapip.h> // IUnknown_AtomicRelease
|
|
#include <ccstock.h> // ATOMICRELEASE
|
|
|
|
#include <mshtml.h>
|
|
#include <cowsite.h> // CObjectWithSite
|
|
#include <objsafe.h> // IObjectSafety
|
|
#include <cobjsafe.h> // CObjectSafety
|
|
|
|
|
|
/***************************************************************\
|
|
DESCRIPTION:
|
|
This class will provide standard security functions that
|
|
most ActiveX Controls or scriptable COM objects need.
|
|
|
|
HOW TO USE THIS CLASS:
|
|
1. If you don't want any security, don't implement this
|
|
interface and don't implement IObjectSafety. This should
|
|
prevent your class from being used from any unsafe hosts.
|
|
2. Create a list of any of your automation methods and actions
|
|
invoked from your ActiveX Control's UI that can harm the user.
|
|
3. For each of those methods/actions, decide if:
|
|
A) It's only safe from hosts that are always safe (like HTA)
|
|
B) It's only safe from hosts if their content is from
|
|
a safe zone (Local Zone/Local Machine).
|
|
C) If an UrlAction needs to be checked before the operation
|
|
can be carried out.
|
|
4. Based on #3, use IsSafeHost(), IsHostLocalZone(),
|
|
or IsUrlActionAllowed() respectively.
|
|
5. Call MakeObjectSafe on any object you create unless you
|
|
can GUARANTEE that it will be IMPOSSIBLE for an unsafe
|
|
caller to use it directly or indirectly to do something
|
|
unsafe.
|
|
|
|
An example of a direct case is a collection object
|
|
creating an item object and then returning it to the unsafe
|
|
host. Since the host didn't create the object, it didn't
|
|
get a chance to correctly use IObjectSafety, so
|
|
MakeObjectSafe() is needed.
|
|
|
|
An example of an indirect case is where unsafe code calls
|
|
one of your automation methods and you decide to carry out
|
|
the action. If you create a helper object to perform a task
|
|
and you can't guarantee that it will be safe, you need to
|
|
call MakeObjectSafe on that object so it can decide
|
|
internally if it's safe.
|
|
|
|
WARNING: If MakeObjectSafe returns a FAILED(hr),
|
|
then ppunk will be FREED because it isn't safe to use.
|
|
\***************************************************************/
|
|
#define CAS_NONE 0x00000000 // None
|
|
#define CAS_REG_VALIDATION 0x00000001 // Verify the host HTML is registered
|
|
#define CAS_PROMPT_USER 0x00000002 // If the HTML isn't registered, prompt the user if they want to use it anyway.
|
|
|
|
class CAutomationSecurity : public CObjectWithSite
|
|
, public CObjectSafety
|
|
{
|
|
public:
|
|
//////////////////////////////////////////////////////
|
|
// Public Methods
|
|
//////////////////////////////////////////////////////
|
|
BOOL IsSafeHost(OUT OPTIONAL HRESULT * phr);
|
|
BOOL IsHostLocalZone(IN DWORD dwFlags, OUT OPTIONAL HRESULT * phr);
|
|
BOOL IsUrlActionAllowed(IN IInternetHostSecurityManager * pihsm, IN DWORD dwUrlAction, IN DWORD dwFlags, OUT OPTIONAL HRESULT * phr);
|
|
|
|
HRESULT MakeObjectSafe(IN OUT IUnknown ** ppunk);
|
|
};
|
|
|
|
|
|
#endif // _AUTOMATION_SECURITY_H_
|
|
|
|
|