|
Security Concerns using interop excel
I am writing a service that picks up spreadsheets from an FTP drop location
uploaded by customers. I am leary of security problems because a customer could unknowingly upload a spreadsheet with some malicious VBA. I am using excel interop to open the spreadsheets via C#. Macro security will be set to high, but I am wondering if this is enough. The customer is not willing to sign their documents with a certificate. Does anyone have any further suggestions for securely opening the spreadsheet. I was thinking of decorating the asssembly or certain methods with extra code access security declarations, but I'm not sure where to start. It is important for this to be secure because the next request is to allow sending spreadsheets via e-mail which means there isn't even a username / password preventing submission. Thanks |
Security Concerns using interop excel
When you run Excel through automation (which is what I assume 'interop'
does) the user's security setting has no effect. Security is 'low'. I don't know what you're doing or if you want the user to see a macro warning. Assuming you want to open the workbook and not show a warning and not run its open code you would just have to turn events off. In a VBS script it would look like this: Dim XL Set XL = CreateObject("Excel.Application") XL.EnableEvents=False XL.Workbooks.Open "c:\openme.xls" XL.Visible = True ''else XL will not be visible -- Jim "chriscap" wrote in message ... |I am writing a service that picks up spreadsheets from an FTP drop location | uploaded by customers. I am leary of security problems because a customer | could unknowingly upload a spreadsheet with some malicious VBA. I am using | excel interop to open the spreadsheets via C#. Macro security will be set to | high, but I am wondering if this is enough. The customer is not willing to | sign their documents with a certificate. | | Does anyone have any further suggestions for securely opening the | spreadsheet. I was thinking of decorating the asssembly or certain methods | with extra code access security declarations, but I'm not sure where to | start. It is important for this to be secure because the next request is to | allow sending spreadsheets via e-mail which means there isn't even a username | / password preventing submission. | | Thanks |
Security Concerns using interop excel
The spreadsheet will never be presented to the user. It will be parsed and
its data will be stored into a database. I am opening the excel document using C# via .NET. To interact in .NET with the COM objects you have to use interoperability. So, while I'm parsing this document I want to make sure that malicious code cannot be executed. I always want the security to be high. Furthermore, I want to take more precautions than just having security on the document set to high. I'd like to restrict the .NET code using code access security delcarations. I'm looking for suggestions on this. "Jim Rech" wrote: When you run Excel through automation (which is what I assume 'interop' does) the user's security setting has no effect. Security is 'low'. I don't know what you're doing or if you want the user to see a macro warning. Assuming you want to open the workbook and not show a warning and not run its open code you would just have to turn events off. In a VBS script it would look like this: Dim XL Set XL = CreateObject("Excel.Application") XL.EnableEvents=False XL.Workbooks.Open "c:\openme.xls" XL.Visible = True ''else XL will not be visible -- Jim "chriscap" wrote in message ... |I am writing a service that picks up spreadsheets from an FTP drop location | uploaded by customers. I am leary of security problems because a customer | could unknowingly upload a spreadsheet with some malicious VBA. I am using | excel interop to open the spreadsheets via C#. Macro security will be set to | high, but I am wondering if this is enough. The customer is not willing to | sign their documents with a certificate. | | Does anyone have any further suggestions for securely opening the | spreadsheet. I was thinking of decorating the asssembly or certain methods | with extra code access security declarations, but I'm not sure where to | start. It is important for this to be secure because the next request is to | allow sending spreadsheets via e-mail which means there isn't even a username | / password preventing submission. | | Thanks |
| All times are GMT +1. The time now is 04:53 AM. |
Powered by vBulletin® Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
ExcelBanter.com