Make FileInfo class serializable

In some scenarios, we need to ask the user to select some local files (using the FileOpenDialog), store the references to IsolatedStorage and later get the references back to proceed with the upload (typically because we need to display some HTML page between the selection step and the upload step, so the Silverlight module is unloaded and the FileInfo objects are lost). The only problem is that the FileInfo class is not serializable, so we cannot get the object back later! I strongly believe that serializing the FileInfo is NOT insecure because:

1) The serialized data could be encrypted by the Silverlight runtime,

2) Even if we know the full path of a file, we cannot access it anyway (but again, the data should be encrypted, so this is not relevant)

    nelligan shared this idea

    13 comments

      • NoName commented

        Silverlight = Hell for file operation.

      • Mark S.Freeman commented

        We would love to migrate from WinForms but in order to adopt Silverlight for our applications we must have local file support. Security should not preclude this, if implemented properly.

      • Anonymous commented

        Dawid, can you elaborate on this? Where is the security risk if the serialized data is encrypted? No one would ever be able to create a valid "fake" serialized FileInfo to get access to a critical file...

      • str commented

        It's a security risk, even in elevated permission mode.

      • PAM commented

        This is definitely an out. User experience will get a major boost with this.

      • Tyler commented

        It's very usable for our projects.

      • nelligan commented

        Update:

        1) Data MUST be encrypted. It would be easy to build from scratch an XML (or any other easy-to-understand format), deserialize it and get a perfectly valid reference to a critical file.

        2) File references must NOT be shareable between machines. A serialized FileInfo should be deserializable only on the machine from which the user made the selection. A simple way to achieve this is to use a different encryption key for each machine. So, the data stream won't deserialize on another machine, and it will become extremely difficult to manually build a stream to get access to critical files, since all Silverlight installations won't decrypt the same way.

        3) The encryption key must NEVER change, even if Silverlight is uninstalled and reinstalled (or updated). If the key changes, all stored references will no longer be deserializable...
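        As an added illustration of the three requirements in the update above (example code written for this page, not Silverlight's API or the poster's code): a hypothetical `SealedFileReference` helper in C# (.NET Core 3.0+) that wraps a selected path with AES-CBC plus HMAC-SHA256 under a per-installation secret, so a hand-built stream and a stream from another machine are both rejected before anything is deserialized. How the runtime would generate and persist that secret is assumed, not shown.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper, not part of Silverlight. Blob layout:
// IV (16 bytes) || AES-CBC ciphertext || HMAC-SHA256 tag over IV||ciphertext.
static class SealedFileReference
{
    // Assumption: one random 64-byte secret per installation, never regenerated on
    // update or reinstall (requirement 3). Constructed here for the demonstration.
    public static byte[] NewMachineSecret()
    { var s = new byte[64]; using (var r = RandomNumberGenerator.Create()) r.GetBytes(s); return s; }

    public static byte[] Seal(string path, byte[] machineSecret)
    {
        using var aes = Aes.Create();
        aes.Key = machineSecret.Take(32).ToArray();      // first half of the secret: encryption key
        aes.GenerateIV();                                // fresh IV per sealed reference
        byte[] pt = Encoding.UTF8.GetBytes(path);
        byte[] body = aes.IV.Concat(aes.CreateEncryptor().TransformFinalBlock(pt, 0, pt.Length)).ToArray();
        using var hmac = new HMACSHA256(machineSecret.Skip(32).ToArray()); // second half: MAC key
        return body.Concat(hmac.ComputeHash(body)).ToArray();  // encrypt-then-MAC
    }

    // Returns null when the tag does not verify: a forged or foreign-machine stream is
    // rejected before decryption or deserialization (requirements 1 and 2).
    public static string Open(byte[] blob, byte[] machineSecret)
    {
        if (blob.Length < 16 + 16 + 32) return null;     // IV + one AES block + tag at minimum
        byte[] body = blob.Take(blob.Length - 32).ToArray();
        byte[] tag = blob.Skip(blob.Length - 32).ToArray();
        using var hmac = new HMACSHA256(machineSecret.Skip(32).ToArray());
        if (!CryptographicOperations.FixedTimeEquals(hmac.ComputeHash(body), tag)) return null;
        using var aes = Aes.Create();
        aes.Key = machineSecret.Take(32).ToArray();
        aes.IV = body.Take(16).ToArray();
        byte[] ct = body.Skip(16).ToArray();
        return Encoding.UTF8.GetString(aes.CreateDecryptor().TransformFinalBlock(ct, 0, ct.Length));
    }

    static void Main()
    {
        byte[] thisMachine = NewMachineSecret(), otherMachine = NewMachineSecret();
        byte[] blob = Seal(@"C:\Users\alice\report.pdf", thisMachine);  // constructed sample path
        Console.WriteLine(Open(blob, thisMachine));           // the original path comes back
        Console.WriteLine(Open(blob, otherMachine) == null);  // True: not shareable between machines
        blob[20] ^= 1;                                        // simulate a hand-edited stream
        Console.WriteLine(Open(blob, thisMachine) == null);   // True: tampered stream rejected
    }
}
```

        The MAC is checked before any decryption, so a stream that was built by hand or copied from another installation never reaches the code that would turn it back into a file reference.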
