【问题标题】:CLR User-Defined function security exceptionCLR 用户定义函数安全异常
【发布时间】:2013-06-13 14:05:21
【问题描述】:

我创建了一个 CLR 用户定义函数,用于使用 Google 地理编码查找某个位置的纬度和经度信息。函数如下:

using System;
using System.Net;
using System.Xml.XPath;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.RegularExpressions;
using System.Threading;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Server;

public partial class latlong
{
[Microsoft.SqlServer.Server.SqlFunction]

public static SqlString GetLatLong(string address, string city, string state, string zip)
{
    string latitude = "#NA", longitude = "#NA";
    string url = "http://maps.googleapis.com/maps/api/geocode/xml?address=";
    string[] addresssplit = Regex.Split(address, @"\W+");
    if (address != "NULL")
        for (int i = 0; i < addresssplit.Length; i++)
            url = url + addresssplit[i] + "+";
    if (city != "NULL")
    {
        if (state != "NULL")
        {
            if (zip != "NULL") url = url + city + "+" + state + "+" + zip;
            else url = url + city + "+" + state;
        }
        else
        {
            if (zip!= "NULL") url = url + city + "+" + zip;
            else url = url + city;
        }
    }
    else
    {
        if (state != "NULL")
        {
            if (zip != "NULL") url = url + state + "+" + zip;
            else url = url + state;
        }
        else
        {
            if (zip != "NULL") url = url + zip;
        }
    }
    url = url + "&sensor=false";

    WebResponse response = null;
    HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
    request.Method = "GET";
    response = request.GetResponse();
    if (response != null)
    {
        XPathDocument document = new XPathDocument(response.GetResponseStream());
        XPathNavigator navigator = document.CreateNavigator();
        XPathNodeIterator statusIterator = navigator.Select("/GeocodeResponse/status");
        while (statusIterator.MoveNext())
            if (statusIterator.Current.Value != "OK")
            {
                Thread.Sleep(1000);
                return new SqlString("OQL, OQL");
            }
        XPathNodeIterator resultIterator = navigator.Select("/GeocodeResponse/result");
        while (resultIterator.MoveNext())
        {
            XPathNodeIterator geometryIterator = resultIterator.Current.Select("geometry");
            while (geometryIterator.MoveNext())
            {
                XPathNodeIterator locationIterator = geometryIterator.Current.Select("location");
                while (locationIterator.MoveNext())
                {
                    XPathNodeIterator latIterator = locationIterator.Current.Select("lat");
                    while (latIterator.MoveNext())
                        latitude = latIterator.Current.Value;
                    XPathNodeIterator longIterator = locationIterator.Current.Select("long");
                    while (longIterator.MoveNext())
                        longitude = longIterator.Current.Value;
                }
            }
        }
    }
    Thread.Sleep(1000);
    return new SqlString(latitude + ", " + longitude);
}
}

我已经成功构建并部署了该功能。于是我尝试在SQL server中执行如下函数:

SELECT dba.dbo.GetLatLong('3366 Cherry Avenue','Zion','WI','54963')

当我这样做时,会引发以下安全表达式

A .NET Framework error occurred during execution of user-defined routine or aggregate "GetLatLong": 
System.Security.SecurityException: Request for the permission of type 'System.Net.WebPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
System.Security.SecurityException: 
at System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet)
at System.Security.CodeAccessPermission.Demand()
at System.Net.HttpWebRequest..ctor(Uri uri, ServicePoint servicePoint)
at System.Net.HttpRequestCreator.Create(Uri Uri)
at System.Net.WebRequest.Create(Uri requestUri, Boolean useUriBase)
at latlong.GetLatLong(String address, String city, String state, String zip).

我可以看到安全权限有问题。但除此之外,我看不到修复异常的方法。

感谢任何帮助。

【问题讨论】:

  • 这是什么应用?
  • 我的意思是winforms、aspnet、winphone等
  • 我知道做生意总是有原因的。不幸的是,我不得不问,将这个逻辑放入数据库是解决问题的最佳方法吗?我没有看到任何与数据访问相关的代码。我的第一个猜测是你之前有一个程序在数据库中查找它并且你正在保持兼容性,但它仍然看起来很奇怪。让数据库直接连接到互联网通常是安全的“不,不”。

标签: c# database sqlclr


【解决方案1】:

为了从 sql clr 代码发出网络请求,程序集必须配置有EXTERNAL_ACCESS 权限。可以使用CREATE ASSEMBLY语句设置指定权限

【讨论】:

  • 谢谢,它修复了错误。我必须将它添加到 CREATE ASSEMBLY。
【解决方案2】:

您需要以EXTERNAL_ACCESS* 权限声明您的程序:

EXTERNAL_ACCESS 程序集与SAFE 程序集具有相同的权限,还可以访问外部系统资源,例如文件、网络、环境变量和注册表。

(我的强调


*或UNSAFE,但我会说EXTERNAL_ACCESS,除非或直到证明您确实需要UNSAFE

【讨论】:

    【解决方案3】:

    在 sql 中运行:

    ALTER DATABASE databasename SET TRUSTWORTHY ON
    USE master
    GO
    grant external access assembly to [domain\computerusername]
    grant external access assembly to sa
    

    【讨论】:

      猜你喜欢
      • 2012-09-16
      • 1970-01-01
      • 2011-09-05
      • 2015-05-08
      • 1970-01-01
      • 2016-02-17
      • 2020-10-13
      • 1970-01-01
      • 2022-01-23
      相关资源
      最近更新 更多