我读的临C#2010和.NET 4.0平台的安德鲁Troelsen。
在第15章有关的属性存在的说明:
注意:为了安全起见,它被认为是设计所有自定义一个.net最佳实践属性作为密封
。笔者没有解释为什么,有人可以解释为什么?
解决方案CA1813:避免启封属性: .NET框架类库提供检索方法 自定义属性。默认情况下,这些方法搜索属性 继承层次;例如Attribute.GetCustomAttribute 搜索指定的属性类型,或任何属性类型 扩展了指定的属性类型。密封属性消除 通过继承层次的搜索,并能提高 性能。
编号:http://msdn.microsoft.com/en-us/library/ms182267(v=VS.100).aspx
属性只是发现的元数据在运行时。因为它是引用,如果别人源于您的自定义属性类,默认情况下.NET会发现他们太多,这可能意味着存在安全隐患,如果派生属性类是修改原来的属性的行为在某种程度上,你从来没有打算到。
尽管业绩是主要原因密封属性类,这里是一个艰巨的文章处理其安全性方面: HTTP:// alabaxblog .INFO / P = 44
I'm reading Pro C# 2010 and the .Net 4 Platform by Andrew Troelsen.
In Chapter 15 about Attributes exists a note:
Note: For security reasons, it is considered a .Net best practice to design all custom attributes as sealed.
The author doesn't explain why, can someone explain why?
解决方案CA1813: Avoid unsealed attributes: The .NET Framework class library provides methods for retrieving custom attributes. By default, these methods search the attribute inheritance hierarchy; for example Attribute.GetCustomAttribute searches for the specified attribute type, or any attribute type that extends the specified attribute type. Sealing the attribute eliminates the search through the inheritance hierarchy, and can improve performance.
Ref: http://msdn.microsoft.com/en-us/library/ms182267(v=VS.100).aspx
Attributes are simply metadata discovered at runtime. As it is quoted, if someone else derives from your custom attribute class, by default .NET will find them too, which may imply a security risk if the derived attribute class is modifying the behavior of your original attribute in a way to you never intended to.
Even though performance is the prime reason to seal attribute classes, here is a formidable article dealing with its security side: http://alabaxblog.info/?p=44