Merge pull request #194 from stephen-turner/CA-144950

CA-144950 Accept loading resource strings downloaded from the internet
2024-11-25 14:27:26 +01:00 · 2014-09-02 17:42:10 +01:00 · 2014-09-02 17:42:10 +01:00 · 018c0b2dc2
commit 018c0b2dc2
parent b3a36ee47b ef78b74fd3
1 changed files with 6 additions and 1 deletions
--- a/XenAdmin/Plugins/PluginDescriptor.cs
+++ b/XenAdmin/Plugins/PluginDescriptor.cs
@ -214,7 +214,12 @@ namespace XenAdmin.Plugins
            {
                if (File.Exists(resources))
                {
-                    return new ResourceManager(Name, Assembly.LoadFile(resources));
+                    // We load this "unsafely" because of CA-144950: the plugin is almost certainly
+                    // downloaded from the web and won't install without this. I considered adding
+                    // a confirmation step, but as all we do with the resources is to extract some
+                    // strings, there is no security implication. (This doesn't affect security
+                    // confirmations on programs called by the plugin).
+                    return new ResourceManager(Name, Assembly.UnsafeLoadFrom(resources));
                }
            }
            catch (Exception e)