Closed

Security Exception

description

I've been running template/MVC with no issues. Then this week I started receiving an exception when trying to access any compiled view. The site has been in medium trust (default for hosting), but moving to full trust fixed the issue. So I'm unsure if the issue is medium trust or some patch applied to the server that caused this. The host and I are both unsure of what this could be.

I did change my local version (using IIS Express) to <trust level="medium" /> and it ran with no problems, which confuses me more.

Version (NUGET)
<package id="RazorGenerator.Mvc" version="1.5.0.0" targetFramework="net40" />
<package id="RazorGenerator.Templating" version="1.5.2.0" targetFramework="net40" />

Any thoughts?

Exception from ELMAH
System.Security.SecurityException 
Request failed.

System.TypeInitializationException: The type initializer for 
'RazorGenerator.Mvc.PrecompiledMvcView' threw an exception. ---> 

System.MethodAccessException: Attempt by method
'RazorGenerator.Mvc.PrecompiledMvcView.CreateOverriddenLayoutSetterDelegate()' 
to access method 'System.Web.Mvc.WebViewPage.set_OverridenLayoutPath(System.String)' failed. ---> 

System.Security.SecurityException: Request failed.

   at System.Security.CodeAccessSecurityEngine.ThrowSecurityException(RuntimeAssembly asm, PermissionSet granted, PermissionSet refused, RuntimeMethodHandleInternal rmh, SecurityAction action, Object demand, IPermission permThatFailed)
   at System.Security.CodeAccessSecurityEngine.ThrowSecurityException(Object assemblyOrString, PermissionSet granted, PermissionSet refused, RuntimeMethodHandleInternal rmh, SecurityAction action, Object demand, IPermission permThatFailed)
   at System.Security.CodeAccessSecurityEngine.CheckSetHelper(PermissionSet grants, PermissionSet refused, PermissionSet demands, RuntimeMethodHandleInternal rmh, Object assemblyOrString, SecurityAction action, Boolean throwException)
   at System.Security.PermissionSetTriple.CheckSetDemand(PermissionSet demandSet, PermissionSet& alteredDemandset, RuntimeMethodHandleInternal rmh)
   at System.Security.PermissionListSet.CheckSetDemand(PermissionSet pset, RuntimeMethodHandleInternal rmh)
   at System.Security.PermissionListSet.DemandFlagsOrGrantSet(Int32 flags, PermissionSet grantSet)
   at System.Security.CodeAccessSecurityEngine.ReflectionTargetDemandHelper(Int32 permission, PermissionSet targetGrant, CompressedStack securityContext)
   at System.Security.CodeAccessSecurityEngine.ReflectionTargetDemandHelper(Int32 permission, PermissionSet targetGrant)
   --- End of inner exception stack trace ---
   at System.Delegate.BindToMethodInfo(Object target, IRuntimeMethodInfo method, RuntimeType methodType, DelegateBindingFlags flags)
   at System.Delegate.CreateDelegate(Type type, MethodInfo method, Boolean throwOnBindFailure)
   at RazorGenerator.Mvc.PrecompiledMvcView.CreateOverriddenLayoutSetterDelegate()
   at RazorGenerator.Mvc.PrecompiledMvcView..cctor()
   --- End of inner exception stack trace ---
   at RazorGenerator.Mvc.PrecompiledMvcView..ctor(String virtualPath, String masterPath, Type type, Boolean runViewStartPages, IEnumerable`1 fileExtension)
   at RazorGenerator.Mvc.PrecompiledMvcEngine.CreateViewInternal(String viewPath, String masterPath, Boolean runViewStartPages)
   at RazorGenerator.Mvc.PrecompiledMvcEngine.CreateView(ControllerContext controllerContext, String viewPath, String masterPath)
   at System.Web.Mvc.VirtualPathProviderViewEngine.FindView(ControllerContext controllerContext, String viewName, String masterName, Boolean useCache)
   at System.Web.Mvc.ViewEngineCollection.<>c__DisplayClassc.<FindView>b__b(IViewEngine e)
   at System.Web.Mvc.ViewEngineCollection.Find(Func`2 lookup, Boolean trackSearchedPaths)
   at System.Web.Mvc.ViewEngineCollection.FindView(ControllerContext controllerContext, String viewName, String masterName)
   at System.Web.Mvc.ViewResult.FindView(ControllerContext context)
   at System.Web.Mvc.ViewResultBase.ExecuteResult(ControllerContext context)
   at System.Web.Mvc.ControllerActionInvoker.InvokeActionResult(ControllerContext controllerContext, ActionResult actionResult)
   at System.Web.Mvc.ControllerActionInvoker.<>c__DisplayClass1a.<InvokeActionResultWithFilters>b__17()
   at System.Web.Mvc.ControllerActionInvoker.InvokeActionResultFilter(IResultFilter filter, ResultExecutingContext preContext, Func`1 continuation)
   at System.Web.Mvc.ControllerActionInvoker.<>c__DisplayClass1a.<>c__DisplayClass1c.<InvokeActionResultWithFilters>b__19()
   at System.Web.Mvc.ControllerActionInvoker.InvokeActionResultFilter(IResultFilter filter, ResultExecutingContext preContext, Func`1 continuation)
   at System.Web.Mvc.ControllerActionInvoker.<>c__DisplayClass1a.<>c__DisplayClass1c.<InvokeActionResultWithFilters>b__19()
   at System.Web.Mvc.ControllerActionInvoker.InvokeActionResultWithFilters(ControllerContext controllerContext, IList`1 filters, ActionResult actionResult)
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass25.<>c__DisplayClass2a.<BeginInvokeAction>b__20()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass25.<BeginInvokeAction>b__22(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult)
   at System.Web.Mvc.Controller.<>c__DisplayClass1d.<BeginExecuteCore>b__18(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End()
   at System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End()
   at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult)
   at System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult)
   at System.Web.Mvc.MvcHandler.<>c__DisplayClass8.<BeginProcessRequest>b__3(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End()
   at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult)
   at System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

comments

davidebbo wrote Feb 14, 2013 at 7:16 PM

Yes, unfortunately, we had to use reflection to make certain scenarios work (see the comment in this file), which pretty much means it can only run in full trust.

tbasallo wrote Feb 14, 2013 at 8:19 PM

OK.

Just to make sure I understood the code correctly, that exception would only be thrown if there is a layout set, right? If the layout was null (_masterPath) then the method wouldn't be called and no exception? Would that be accurate? I'm hoping you know off the top of your head, otherwise, I can test it.

if (!String.IsNullOrEmpty(_masterPath))
{
   _overriddenLayoutSetter(webViewPage, _masterPath);
}

pranavkm wrote Feb 14, 2013 at 8:53 PM

The exception is being thrown by the static constructor. I think simply loading that type (which happens any time you use RazorGenerator.MsBuild) would result in that exception. It's the act of private reflection that's throwing, not the act of calling the setter.

davidebbo wrote Feb 14, 2013 at 8:53 PM

Well right now, it's getting set in the static ctor, so anytime the PrecompiledMvcView class is used, that code will run. But conceivably we could rework this code to only call CreateOverriddenLayoutSetterDelegate on demand when it's actually needed (and then cache it in the static).

Feel free to experiment with this, and if you get something working, send a PR.
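
The difference between binding the setter in the static constructor and binding it on demand, as described in the comment above, shown as an added example (not RazorGenerator's code and not part of the thread). `FakePage`, `SetterFactory`, `EagerView`, `LazyView` and the layout path are hypothetical, and the partial-trust failure is simulated by throwing `MethodAccessException`.

```csharp
using System;

// Hypothetical stand-in for the view page whose layout setter is not public.
class FakePage { public string Layout; }
static class SetterFactory
{
    // Constructed: simulates the reflection bind that the stack trace shows failing.
    public static bool SimulatePartialTrust = true;
    public static Action<FakePage, string> Create()
    {
        if (SimulatePartialTrust)
            throw new MethodAccessException("simulated: reflection target demand failed");
        return (page, path) => page.Layout = path;
    }
}

// Eager: the bind runs in the static constructor, so the first use of the type
// fails with TypeInitializationException whether or not a layout is set.
class EagerView
{
    static readonly Action<FakePage, string> Setter;
    static EagerView() { Setter = SetterFactory.Create(); }
    public void Render(FakePage p, string masterPath)
    {
        if (!String.IsNullOrEmpty(masterPath)) Setter(p, masterPath);
    }
}

// On demand: the delegate is built on first access and cached in the static,
// so views without a layout never reach the reflection call.
class LazyView
{
    static readonly Lazy<Action<FakePage, string>> Setter =
        new Lazy<Action<FakePage, string>>(SetterFactory.Create);
    public void Render(FakePage p, string masterPath)
    {
        if (!String.IsNullOrEmpty(masterPath)) Setter.Value(p, masterPath);
    }
}

static class Program
{
    static string Try(Action a)
    { try { a(); return "ok"; } catch (Exception e) { return e.GetType().Name; } }
    static void Main()
    {
        Console.WriteLine(Try(() => new EagerView().Render(new FakePage(), null)));
        Console.WriteLine(Try(() => new LazyView().Render(new FakePage(), null)));
        Console.WriteLine(Try(() => new LazyView().Render(new FakePage(), "~/Views/Shared/_Layout.cshtml")));
    }
}
```

`Lazy<T>` in its default thread-safety mode caches an exception thrown by the factory, so the layout case fails the same way on every later access instead of retrying the bind.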

tbasallo wrote Feb 14, 2013 at 9:45 PM

Ah, yes, didn't notice that.

OK, I'll mess with it and see what I can get working.

tbasallo wrote Feb 14, 2013 at 11:21 PM

This is my first PR so if I need to change anything, please let me know.

http://razorgenerator.codeplex.com/SourceControl/network/forks/tbasallo/razorgenerator/contribution/4089

I tested it and it works as expected. Fails with a layout page, succeeds without it.

tbasallo wrote Feb 14, 2013 at 11:29 PM

Something interesting, any thoughts - I'm not keen on my reflection or trust permissions...

It now will load the layout. It seems that the static ctor was causing the security exception. Does that make sense?

davidebbo wrote Feb 15, 2013 at 12:49 AM

Hmmm, it's fascinating if it's able to execute that reflection code in medium trust without blowing up. I would not expect that...