Make FileInfo class serializable
In some scenarios, we need to ask the user to select some local files (using the FileOpenDialog), store the references in IsolatedStorage and later get the references back to proceed to the upload (typically because we need to display some HTML page between the selection step and the upload step, so the Silverlight module is unloaded and FileInfo objects are lost). But the only problem is that the FileInfo class is not serializable, so we cannot get the object back later! I strongly believe that serializing the FileInfo is NOT insecure because:
1) The serialized data could be encrypted by the Silverlight runtime,
2) Even if we know the full path of a file, we cannot access it anyway (but again, the data should be encrypted, so this is not relevant)
Silverlight = Hell for file operation.
Mark S.Freeman commented
We would love to migrate from WinForms but in order to adopt Silverlight for our applications we must have local file support. Security should not preclude this, if implemented properly.
Dawid, can you elaborate on this? Where is the security risk if the serialized data is encrypted? No one would ever be able to create a valid "fake" serialized FileInfo to get access to a critical file...
It's a security risk, even in elevated permission mode.
This is definitely an out. User experience will get a major boost with this.
It's very usable for our projects.
1) Data MUST be encrypted. It would be easy to build from scratch an XML (or any other easy-to-understand format), deserialize it and get a perfectly valid reference to a critical file.
2) File reference must NOT be shareable between machines. A serialized FileInfo should be deserializable only on the machine from which the user made the selection. A simple way to achieve this is to use a different encryption key for each machine. So, the data stream won't deserialize on another machine, and it will become extremely difficult to manually build a stream to get access to critical files, since all Silverlight installations won't decrypt the same way.
3) Encryption key must NEVER change even if Silverlight is uninstalled and reinstalled (or updated). If the key changes, all stored references will no longer be deserializable...
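
The three requirements in the last comment, sketched as an added example that is not from any commenter or from Silverlight: a file reference is sealed under a per-machine key so that a hand-built or copied reference is rejected. It swaps in an HMAC-SHA256 tag (Python standard library) for the encryption the thread asks for, since the tag is what blocks forgery; hiding the path as well would need an authenticated cipher. `new_machine_key`, `seal_reference` and `open_reference` are hypothetical names, and the paths are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def new_machine_key() -> bytes:
    """Random key created once per machine and kept across reinstalls (points 2 and 3)."""
    return secrets.token_bytes(32)


def seal_reference(path: str, machine_key: bytes) -> str:
    """Serialize a file reference and bind it to this machine's key."""
    payload = json.dumps({"path": path}).encode("utf-8")
    tag = hmac.new(machine_key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + payload).decode("ascii")


def open_reference(token: str, machine_key: bytes):
    """Return the stored path, or None if the token was not sealed with this key."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except ValueError:  # malformed base64 or non-ASCII input
        return None
    tag, payload = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(machine_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(payload)["path"]  # parsed only after the tag verifies


if __name__ == "__main__":
    key_a, key_b = new_machine_key(), new_machine_key()  # two constructed "machines"
    token = seal_reference(r"C:\Users\alice\Documents\report.docx", key_a)
    print(open_reference(token, key_a))  # same machine: the path comes back
    print(open_reference(token, key_b))  # different machine key: None
    # Hand-built reference with a made-up tag (constructed input): None
    forged = base64.urlsafe_b64encode(b"\x00" * TAG_LEN + b'{"path": "C:\\\\other.txt"}')
    print(open_reference(forged.decode("ascii"), key_a))
```

The payload is parsed only after the tag verifies, so a forged stream never reaches the deserializer.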