
I recently ran into a problem when deploying an application on a customer machine. I asked him to drop a number of (updated) assemblies into the program folder. Because he downloaded them via the Dropbox website, the OS marked them as blocked and the assemblies couldn't be loaded via reflection. It took me some time to figure out the issue, with the help of this post:

.net local assembly load failed with CAS policy

I am now wondering whether it is a good idea to load the assemblies with Assembly.LoadUnsafeFrom(...) instead of Assembly.LoadFrom(...), just to avoid these kinds of issues in future. (I am aware of the fact that sending assemblies over the internet and letting the customer drop them into the program files folder isn't the golden path of software deployment, but in reality you sometimes need to improvise...).

As I read, the method requires the calling application to run in a full-trust environment, which is usually the case with the application I am talking about.

My question is: Apart from that - the requirement of running in full trust - are there any side effects of this method? Are there scenarios where the application will throw an exception because of lacking privileges of the Windows User account, etc., etc.?

Marc
  • Do you really think that's more sensible than just advising the customer on how to remove the "taint of the web" from the files, once they're sure they've got the genuine files from you? – Damien_The_Unbeliever Sep 23 '14 at 08:44
  • I am not sure actually... If there are no further side effects, I don't know why I shouldn't use UnsafeLoad and make it easier for my customer. You would just stick with what I have now? – Marc Sep 23 '14 at 08:47
  • Side question: Would the same behavior also happen if you distributed your files inside a zip archive? – PMF Sep 23 '14 at 08:49
  • Yes, I think so. I sent the customer a zip archive and the assembly which I loaded was blocked. – Marc Sep 23 '14 at 08:51
  • You can postpone worrying about this, until you run into IT staff that thinks that programs that use files downloaded from the Internet should not run in full trust. You don't really want to be around when that happens, it is pretty easy for them to find out that you bypassed this check intentionally. Just make sure that you are not the one that will be the target of the blame-game. This is the kind of shortcut that management needs to approve of. – Hans Passant Sep 23 '14 at 11:57
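
The first comment above suggests clearing the block only once the files are known to be genuine. As an added example (not part of the original thread), this PowerShell script removes the `Zone.Identifier` stream from a DLL only when its SHA-256 matches a publisher-supplied manifest. The manifest format, the parameter names, and delivery of the manifest over a separate trusted channel are assumptions.

```powershell
# Added example: verify blocked assemblies against a hash manifest, then unblock.
# Assumed manifest format, one entry per line: "<sha256-hex>  <filename>"
param(
    [Parameter(Mandatory)] [string] $Folder,        # folder holding the dropped assemblies
    [Parameter(Mandatory)] [string] $ManifestPath   # manifest received out of band
)

# Build a filename -> expected hash lookup from the manifest.
$expected = @{}
foreach ($line in Get-Content -LiteralPath $ManifestPath) {
    if ($line -match '^\s*([0-9A-Fa-f]{64})\s+(.+?)\s*$') {
        $expected[$Matches[2]] = $Matches[1].ToUpperInvariant()
    }
}

foreach ($file in Get-ChildItem -LiteralPath $Folder -Filter *.dll -File) {
    # A Zone.Identifier alternate data stream is what marks the file as blocked.
    $motw = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier `
                     -ErrorAction SilentlyContinue
    if (-not $motw) { continue }   # not blocked, nothing to do

    if (-not $expected.ContainsKey($file.Name)) {
        Write-Warning "$($file.Name): blocked and not listed in manifest; left blocked"
        continue
    }

    # Get-FileHash returns the digest as upper-case hex.
    $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    if ($actual -ne $expected[$file.Name]) {
        Write-Warning "$($file.Name): hash mismatch; left blocked"
        continue
    }

    # Hash matches the manifest: remove the Zone.Identifier stream.
    Unblock-File -LiteralPath $file.FullName
    Write-Output "$($file.Name): verified and unblocked"
}
```

Files that are missing from the manifest or fail the hash check stay blocked, so the application keeps refusing to load them until someone looks at the warning.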

0 Answers