How to write safe controls with VB

Security | General statement of control
This article describes how to implement the IObjectSafety interface in a VB control to mark the control as safe for scripting and safe for initialization. By default, VB controls are marked as safe through component category entries in the registry, but implementing the IObjectSafety interface is a better approach. The article includes all the code required for the implementation.

Note that a control may be marked as "safe" only if it really is safe. This article does not discuss how to make a control safe; for that, see "Safe Initialization and Scripting for ActiveX Controls" in the Component Development section of the Internet Client Software Development Kit (SDK).
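The registry-based marking mentioned above can be audited on a machine. The following PowerShell is an added example, not part of the original article; it assumes the two standard safety category IDs (CATID_SafeForScripting and CATID_SafeForInitializing), and the function name Get-SafeMarkedControl is illustrative.

```powershell
# Added example: report COM classes marked safe through component categories.
# Keys are CATID_SafeForScripting and CATID_SafeForInitializing.
$SafeCatIds = [ordered]@{
    '{7DD95801-9882-11CF-9FA9-00AA006C42C4}' = 'SafeForScripting'
    '{7DD95802-9882-11CF-9FA9-00AA006C42C4}' = 'SafeForInitializing'
}

# VB controls are 32-bit, so on 64-bit Windows they register under Wow6432Node.
$ClsidRoots = 'Registry::HKEY_CLASSES_ROOT\CLSID',
              'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'

function Get-SafeMarkedControl {
    foreach ($root in $ClsidRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            # Collect the safety categories this CLSID claims to implement.
            $marks = foreach ($catId in $SafeCatIds.Keys) {
                $cat = $key.OpenSubKey("Implemented Categories\$catId")
                if ($cat) { $cat.Close(); $SafeCatIds[$catId] }
            }
            if (-not $marks) { continue }

            # Record which binary backs the class so it can be reviewed.
            $server = $key.OpenSubKey('InprocServer32')
            [pscustomobject]@{
                Clsid  = $key.PSChildName
                Name   = $key.GetValue('')
                Marks  = $marks -join ','
                Server = if ($server) { $server.GetValue('') } else { $null }
                Root   = $root
            }
            if ($server) { $server.Close() }
        }
    }
}

# Each hit is a class the registry declares safe; confirm that the
# declaration is deserved for the binary listed in Server.
Get-SafeMarkedControl | Sort-Object Server | Format-Table -AutoSize
```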



Now let's walk step by step through creating a simple VB control and marking it as safe for scripting and safe for initialization.
First, create a new folder to hold the files generated in this example.

Get the OLE Automation type library generation tool from the VB CD-ROM: copy the entire contents of the \common\tools\vb\unsupprt\typlib\ directory on the VB installation CD to the project folder you just created.


Copy the following into Notepad and save it in that folder as Objsafe.odl:


[
    uuid(c67830e0-d11d-11cf-bd80-00aa00575603),
    helpstring("VB IObjectSafety Interface"),
    version(1.0)
]
library IObjectSafetyTLB
{
    importlib("stdole2.tlb");
    [
        uuid(cb5bdc81-93c1-11cf-8f20-00805f2cd064),
        helpstring("IObjectSafety Interface"),
        odl
    ]
    interface IObjectSafety:IUnknown {
        [helpstring("GetInterfaceSafetyOptions")]
        HRESULT GetInterfaceSafetyOptions(
            [in] long riid,
            [in] long *pdwSupportedOptions,
            [in] long *pdwEnabledOptions);

        [helpstring("SetInterfaceSafetyOptions")]
        HRESULT SetInterfaceSafetyOptions(
            [in] long riid,
            [in] long dwOptionsSetMask,
            [in] long dwEnabledOptions);
    }
}
At the command prompt, switch to the project folder and enter the following command to create the .tlb file:


MKTYPLIB objsafe.odl /tlb objsafe.tlb
Create a new ActiveX control project in VB. In the properties, name the project IObjSafety and the control DemoCtl. Place a command button named cmdTest on the control, and add the code MsgBox "Test" to its Click event.


Open the "Project -> References" menu, click "Browse", locate the objsafe.tlb file you just created, and add it to the references.


Add a new module named basSafeCtl and add the following code to it:


Option Explicit

' Interface IDs in string form. They must be upper case, because the
' control compares them against the result of UCase().
Public Const IID_IDispatch = "{00020400-0000-0000-C000-000000000046}"
Public Const IID_IPersistStorage = _
    "{0000010A-0000-0000-C000-000000000046}"
Public Const IID_IPersistStream = _
    "{00000109-0000-0000-C000-000000000046}"
Public Const IID_IPersistPropertyBag = _
    "{37D84F60-42CB-11CE-8135-00AA004BB851}"

Public Const INTERFACESAFE_FOR_UNTRUSTED_CALLER = &H1
Public Const INTERFACESAFE_FOR_UNTRUSTED_DATA = &H2
Public Const E_NOINTERFACE = &H80004002
Public Const E_FAIL = &H80004005
Public Const MAX_GUIDLEN = 40

Public Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" _
    (pDest As Any, pSource As Any, ByVal ByteLen As Long)
' cbMax is a 32-bit int in the Win32 prototype, so it is declared As Long.
Public Declare Function StringFromGUID2 Lib "ole32.dll" (rguid As _
    Any, ByVal lpstrClsId As Long, ByVal cbMax As Long) As Long

Public Type udtGUID
    Data1 As Long
    Data2 As Integer
    Data3 As Integer
    Data4(7) As Byte
End Type

' Safety flags reported by the IObjectSafety implementation.
Public m_fSafeForScripting As Boolean
Public m_fSafeForInitializing As Boolean

Sub Main()
    m_fSafeForScripting = True
    m_fSafeForInitializing = True
End Sub
In the project properties, change the Startup Object to Sub Main so that the code above is executed. The values of the two variables m_fSafeForScripting and m_fSafeForInitializing specify whether the control is safe for scripting and safe for initialization, respectively.


Open the control's code window and add the following line to the Declarations section (if there is an Option Explicit statement, make sure this line comes after it):


Implements IObjectSafety
Copy the following two procedures into the control's code:


Private Sub IObjectSafety_GetInterfaceSafetyOptions(ByVal riid As _
    Long, pdwSupportedOptions As Long, pdwEnabledOptions As Long)

    Dim Rc As Long
    Dim rClsId As udtGUID
    Dim IID As String
    Dim bIID() As Byte

    ' Both options are reported as supported, whichever interface is queried.
    pdwSupportedOptions = INTERFACESAFE_FOR_UNTRUSTED_CALLER Or _
        INTERFACESAFE_FOR_UNTRUSTED_DATA

    If (riid <> 0) Then
        ' riid points to the interface GUID; copy it and convert it to its
        ' upper-case string form so it can be compared with the constants.
        CopyMemory rClsId, ByVal riid, Len(rClsId)

        bIID = String$(MAX_GUIDLEN, 0)
        Rc = StringFromGUID2(rClsId, VarPtr(bIID(0)), MAX_GUIDLEN)
        Rc = InStr(1, bIID, vbNullChar) - 1
        IID = Left$(UCase(bIID), Rc)

        Select Case IID
            Case IID_IDispatch
                ' Scripting interface: enabled only if the flag is set.
                pdwEnabledOptions = IIf(m_fSafeForScripting, _
                    INTERFACESAFE_FOR_UNTRUSTED_CALLER, 0)
                Exit Sub
            Case IID_IPersistStorage, IID_IPersistStream, _
                IID_IPersistPropertyBag
                ' Persistence interfaces: enabled only if the flag is set.
                pdwEnabledOptions = IIf(m_fSafeForInitializing, _
                    INTERFACESAFE_FOR_UNTRUSTED_DATA, 0)
                Exit Sub
            Case Else
                Err.Raise E_NOINTERFACE
                Exit Sub
        End Select
    End If
End Sub

Private Sub IObjectSafety_SetInterfaceSafetyOptions(ByVal riid As _
    Long, ByVal dwOptionsSetMask As Long, ByVal dwEnabledOptions As Long)
    Dim Rc As Long
    Dim rClsId As udtGUID
    Dim IID As String
    Dim bIID() As Byte

    If (riid <> 0) Then
        ' Convert the GUID that riid points to into an upper-case string.
        CopyMemory rClsId, ByVal riid, Len(rClsId)

        bIID = String$(MAX_GUIDLEN, 0)
        Rc = StringFromGUID2(rClsId, VarPtr(bIID(0)), MAX_GUIDLEN)
        Rc = InStr(1, bIID, vbNullChar) - 1
        IID = Left$(UCase(bIID), Rc)

        Select Case IID
            Case IID_IDispatch
                ' Only the untrusted-caller option is accepted for scripting.
                If ((dwEnabledOptions And dwOptionsSetMask) <> _
                    INTERFACESAFE_FOR_UNTRUSTED_CALLER) Then
                    Err.Raise E_FAIL
                    Exit Sub
                Else
                    If Not m_fSafeForScripting Then
                        Err.Raise E_FAIL
                    End If
                    Exit Sub
                End If

            Case IID_IPersistStorage, IID_IPersistStream, _
                IID_IPersistPropertyBag
                ' Only the untrusted-data option is accepted for initialization.
                If ((dwEnabledOptions And dwOptionsSetMask) <> _
                    INTERFACESAFE_FOR_UNTRUSTED_DATA) Then
                    Err.Raise E_FAIL
                    Exit Sub
                Else
                    If Not m_fSafeForInitializing Then
                        Err.Raise E_FAIL
                    End If
                    Exit Sub
                End If

            Case Else
                Err.Raise E_NOINTERFACE
                Exit Sub
        End Select
    End If
End Sub

