Security Warnings From FXCop - CA2122 & CA2123


orekinbck

Hi There

I am inheriting from DateTimePicker class to create a DateTimePicker
control with a configurable back colour. I got the original code from
http://dotnet.mvps.org/ then converted it to C# and it works OK in .NET
2.0 except for two warnings from CodeAnalysis:

CA2123 : Microsoft.Security : The virtual method
DateTimePicker.WndProc(Message&):Void defined by type
'System.Windows.Forms.DateTimePicker' and its override
ExtendedDateTimePicker.WndProc(Message&):Void do not have the same
LinkDemand status. Add a LinkDemand where required.

CA2122 : Microsoft.Security :
ExtendedDateTimePicker.WndProc(Message&):Void calls into
DateTimePicker.WndProc(Message&):Void which has a LinkDemand. By making
this call, DateTimePicker.WndProc(Message&):Void is indirectly exposed
to user code. Review the following call stack that might expose a way
to circumvent security protection:
->System.Windows.Forms.DateTimePicker.WndProc(System.Windows.Forms.Message@)
: Void
->PickupBooking.ExtendedDateTimePicker.WndProc

My knowledge of security is amateur and I need to deploy this project
with no security warnings ... I would greatly appreciate if anyone
could show me how to fix the warnings and/or point out some good .NET 2.0
resources for security novices.

Btw, my C# 2.0 code is below.

TIA
Bill

using System;
using System.Windows.Forms;
using System.ComponentModel;
using System.Drawing;

namespace PickupBooking
{
    public class ExtendedDateTimePicker : DateTimePicker
    {
        private SolidBrush m_BackBrush;

        [Browsable(true),
        DesignerSerializationVisibility(DesignerSerializationVisibility.Visible)]
        public override Color BackColor
        {
            get
            {
                return base.BackColor;
            }
            set
            {
                if (!(m_BackBrush == null))
                {
                    m_BackBrush.Dispose();
                }
                base.BackColor = value;
                m_BackBrush = new SolidBrush(this.BackColor);
                this.Invalidate();
            }
        }

        protected override void WndProc(ref Message m)
        {
            const Int32 WM_ERASEBKGND = 20;
            if (m.Msg == WM_ERASEBKGND)
            {
                Graphics g = Graphics.FromHdc(m.WParam);
                if (m_BackBrush == null)
                {
                    m_BackBrush = new SolidBrush(this.BackColor);
                }
                g.FillRectangle(m_BackBrush, this.ClientRectangle);
                g.Dispose();
            }
            else
            {
                base.WndProc(ref m);
            }
        }

        protected override void Dispose(bool disposing)
        {
            if (disposing && !(m_BackBrush == null))
            {
                m_BackBrush.Dispose();
            }
            base.Dispose(disposing);
        }
    }
}
 

Nicholas Paldino [.NET/C# MVP]

Bill,

Kudos for running FxCop on your code. It's a good practice to engage
in.

To solve your problem, add the following attribute to your WndProc
method:

[SecurityPermission(SecurityAction.LinkDemand,
Flags=SecurityPermissionFlag.UnmanagedCode)]

This will cause a permission check to be made when the code is linked
to, to determine that the current permissions allow for unmanaged code to be
called.

Hope this helps.


--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)
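
The suggested attribute in place on the override, as an added example that is not part of the original posts. It shows only the WndProc member (BackColor and Dispose from the posted class are unchanged and not repeated), and the LinkDemandCheck class is a hypothetical helper that assumes the .NET Framework, where declarative security is recorded in method metadata.

```csharp
using System;
using System.Drawing;
using System.Reflection;
using System.Security.Permissions;   // SecurityPermission, SecurityAction
using System.Windows.Forms;

namespace PickupBooking
{
    public class ExtendedDateTimePicker : DateTimePicker
    {
        private SolidBrush m_BackBrush;
        // Same LinkDemand as the base method, so the override matches it (CA2123)
        // and the call to base.WndProc sits behind an equivalent demand (CA2122).
        // A LinkDemand is checked against the immediate caller only, at JIT time.
        [SecurityPermission(SecurityAction.LinkDemand,
            Flags = SecurityPermissionFlag.UnmanagedCode)]
        protected override void WndProc(ref Message m)
        {
            const int WM_ERASEBKGND = 20;
            if (m.Msg == WM_ERASEBKGND)
            {
                if (m_BackBrush == null)
                    m_BackBrush = new SolidBrush(this.BackColor);
                using (Graphics g = Graphics.FromHdc(m.WParam))
                    g.FillRectangle(m_BackBrush, this.ClientRectangle);
            }
            else
            {
                base.WndProc(ref m);   // the call reported by CA2122
            }
        }
    }

    // Hypothetical helper (not from the thread): compares the HasSecurity metadata
    // flag on the base method and the override. The flag says that some declarative
    // security is attached; it does not identify which demand.
    internal static class LinkDemandCheck
    {
        private static bool HasSecurity(Type t)
        {
            MethodInfo mi = t.GetMethod("WndProc", BindingFlags.Instance |
                BindingFlags.NonPublic | BindingFlags.DeclaredOnly);
            return mi != null && (mi.Attributes & MethodAttributes.HasSecurity) != 0;
        }
        public static bool OverrideMatchesBase()
        {
            return HasSecurity(typeof(DateTimePicker)) ==
                HasSecurity(typeof(ExtendedDateTimePicker));
        }
    }
}
```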


