A reader named Uri commented on my July 15th entry about safe handling of untrusted solutions & projects.  He brings up some good points which I thought worth addressing.

One thing he mentions is that often one needs to grab a whole sample project at a time and can't just grab snippets here & there.  True enough, Uri, that's sometimes the case.  When it's most effective to grab a whole project, just be sure that the source is someone you trust.

Another question Uri raises is whether one might be able to quarantine untrusted code by putting it on another share to make it be in a less-trusted zone.  This is a great point, and there are indeed some things that are a bit safer when done in this way.  However, there are still many potential ways to get fried, and unfortunately putting an untrusted solution/project on another share still doesn't really make it safe to use.

Some things to note if you were to try loading a solution/project from another share:

  • On loading, the IDE will give you ominous warnings that things may not work correctly.
  • Custom build steps in C# projects, a new feature in VS 2003, generally won't work, at least not that I found.  In a sense this is good, because it means rogue build steps wouldn't run, but it's also bad because any legitimate build step won't happen either.
  • Despite the fact that C# custom build steps won't run, an evil project can still toast you in other subtle ways as part of the build process.

In general, using a project from an intranet share won't protect you from malicious solutions/projects, and will furthermore interfere with legitimate ones, so I don't really recommend this approach.
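
An added example, not part of the original post: a way to read a project file as plain text and list any custom build step commands before the IDE ever loads it. It goes beyond VS 2003 by also handling the later MSBuild element form; both sample project files are constructed, and the function names are hypothetical. It surfaces build events only, so an empty result says nothing about the other build-time paths mentioned above.

```python
import xml.etree.ElementTree as ET

EVENT_NAMES = ("PreBuildEvent", "PostBuildEvent")

# Constructed sample in the VS 2003 .csproj layout: events are <Settings> attributes.
SAMPLE_VS2003 = """<VisualStudioProject>
  <CSHARP ProjectType="Local">
    <Build>
      <Settings AssemblyName="Demo" PreBuildEvent=""
                PostBuildEvent="echo built $(TargetName)"
                RunPostBuildEvent="OnBuildSuccess" />
    </Build>
  </CSHARP>
</VisualStudioProject>"""

# Constructed sample in the later MSBuild layout: events are child elements.
SAMPLE_MSBUILD = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <PreBuildEvent>echo starting</PreBuildEvent>
  </PropertyGroup>
</Project>"""


def local(tag):
    """Reduce a namespaced tag such as '{uri}Name' to 'Name'."""
    return tag.rsplit("}", 1)[-1]


def find_build_events(project_xml):
    """Return [(event_name, command)] for every non-empty build event."""
    # Project files need no DTD; refuse one rather than let the parser expand entities.
    if "<!doctype" in project_xml.lower():
        raise ValueError("DOCTYPE not expected in a project file")
    found = []
    for elem in ET.fromstring(project_xml).iter():
        for name in EVENT_NAMES:  # attribute form (VS 2003)
            cmd = elem.attrib.get(name, "").strip()
            if cmd:
                found.append((name, cmd))
        text = (elem.text or "").strip()
        if local(elem.tag) in EVENT_NAMES and text:  # element form (MSBuild)
            found.append((local(elem.tag), text))
    return found


if __name__ == "__main__":
    for label, xml_text in (("VS 2003", SAMPLE_VS2003), ("MSBuild", SAMPLE_MSBUILD)):
        print(label, find_build_events(xml_text))
```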

That's all for now! -Chris