
Closed

RelayCommand has security issue

description

When looking at the relay command, the Execute method is public, and directly calls _execute. This is a security issue.

This:

/// <summary>
/// Defines the method to be called when the command is invoked.
/// </summary>
/// <param name="parameter">This parameter will always be ignored.</param>
public void Execute(object parameter)
{
    _execute();
}

Should be:

/// <summary>
/// Defines the method to be called when the command is invoked.
/// </summary>
/// <param name="parameter">This parameter will always be ignored.</param>
public void Execute(object parameter)
{
    if (CanExecute(parameter))
    {
        _execute();
    }
}

If I am on the view, I can directly call VM.Command.Execute("crash") while CanExecute is false. A simple check can prevent this.

I already implemented this fix in Catel, but since MVVM Light is a great framework as well, I thought I should mention it.
Closed Oct 13, 2014 at 1:55 PM by lbugnion
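
The guard proposed in the report, shown in a complete command class together with the direct call from view code that the report describes. This is an added example, not code from MVVM Light or Catel; the names GuardedRelayCommand and Demo and the sample state are assumptions made for illustration.

```csharp
using System;
using System.Windows.Input;

// Hypothetical minimal command; not the MVVM Light or Catel implementation.
public sealed class GuardedRelayCommand : ICommand
{
    private readonly Action _execute;
    private readonly Func<bool> _canExecute;

    public GuardedRelayCommand(Action execute, Func<bool> canExecute = null)
    {
        _execute = execute ?? throw new ArgumentNullException(nameof(execute));
        _canExecute = canExecute;
    }

    public event EventHandler CanExecuteChanged;

    public void RaiseCanExecuteChanged() =>
        CanExecuteChanged?.Invoke(this, EventArgs.Empty);

    // A missing predicate means the command is always enabled.
    public bool CanExecute(object parameter) =>
        _canExecute == null || _canExecute();

    // Re-check the predicate here: callers are not forced to ask CanExecute first.
    public void Execute(object parameter)
    {
        if (CanExecute(parameter))
        {
            _execute();
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        bool enabled = false;   // constructed view-model state
        int runs = 0;
        var command = new GuardedRelayCommand(() => runs++, () => enabled);

        command.Execute("crash");   // direct call while CanExecute is false: guard skips _execute
        Console.WriteLine($"runs after call while disabled: {runs}");

        enabled = true;
        command.RaiseCanExecuteChanged();   // tell bound controls to re-query CanExecute
        command.Execute(null);              // predicate now passes, so the action runs
        Console.WriteLine($"runs after call while enabled: {runs}");
    }
}
```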

comments

lbugnion wrote Sep 11, 2011 at 11:13 PM

Fixed in V4 beta 1