Hmm, so CLR reflection can be string-injected as well... looks like there's another opening to poke at here. OTL
Take the following code:
using System;
using System.Reflection;
using System.Reflection.Emit;

static class Program {
    static void Main() {
        var assemblyName = new AssemblyName( "DemoAssembly" );
        var assemblyBuilder = AppDomain.CurrentDomain.DefineDynamicAssembly( assemblyName, AssemblyBuilderAccess.Run );
        var moduleBuilder = assemblyBuilder.DefineDynamicModule( "DemoAssembly" );
        // Base class whose name contains '+', the nested-type separator in CLR type syntax.
        var baseTypeBuilder = moduleBuilder.DefineType(@"Base+My", TypeAttributes.Public);
        var baseType = baseTypeBuilder.CreateType();
        // Deriving from the baked base type forces the CLR to look the name up again; this is where it fails.
        var derivedTypeBuilder = moduleBuilder.DefineType("Derived", TypeAttributes.Public, baseType);
        var derivedType = derivedTypeBuilder.CreateType();
        var instance = Activator.CreateInstance(derivedType);
    }
}
Putting any of the characters [ ] * & + , \ into the generated base class's name causes an error when the derived class is created:
Unhandled Exception: System.Runtime.InteropServices.COMException (0x80131130): Record not found on lookup. (Exception from HRESULT: 0x80131130)
at System.Reflection.Module._InternalGetTypeToken(String strFullName, Module refedModule, String strRefedModuleFileName, Int32 tkResolution)
at System.Reflection.Module.InternalGetTypeToken(String strFullName, Module refedModule, String strRefedModuleFileName, Int32 tkResolution)
at System.Reflection.Emit.ModuleBuilder.GetTypeRefNested(Type type, Module refedModule, String strRefedModuleFileName)
at System.Reflection.Emit.ModuleBuilder.GetTypeTokenWorkerNoLock(Type type, Boolean getGenericDefinition)
at System.Reflection.Emit.ModuleBuilder.GetTypeTokenInternal(Type type, Boolean getGenericDefinition)
at System.Reflection.Emit.TypeBuilder.Init(String fullname, TypeAttributes attr, Type parent, Type[] interfaces, Module module, PackingSize iPackingSize, Int32 iTypeSize, TypeBuilder enclosingType)
at System.Reflection.Emit.ModuleBuilder.DefineTypeNoLock(String name, TypeAttributes attr, Type parent)
at System.Reflection.Emit.ModuleBuilder.DefineType(String name, TypeAttributes attr, Type parent)
at Program.Main() in d:\experiment\test\crash.cs:line 12
OTL... Those characters have special meaning in CLI type names: for example, + is the character that separates a nested class's own name from its enclosing class's name in the fully qualified name, [] is used to specify generic arguments, and so on. At reflection (lookup) time there is probably no way to tell which special characters are legitimate and which were injected by hand. That being so, Emit should not let these special characters through in the first place. Injection, injection...
P.S. The test environment is .NET Framework 3.5 SP1.
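Since Emit itself does not reject these names, the practical mitigation is to validate any caller-supplied type name before it reaches DefineType. The following is an added example (not code from the original post); it assumes .NET Framework like the post, and the reserved character set is the one the post lists. The hypothetical DefineTypeChecked wrapper refuses a name containing any of them and reports which character was found, then runs the post's scenario with a clean name and with the "Base+My" name.

```csharp
using System;
using System.Reflection;
using System.Reflection.Emit;

static class SafeEmit {
    // Characters with reserved meaning in CLR type-name syntax (the set the post lists):
    // '+' nested-type separator, '[' ']' array/generic arguments, '*' pointer,
    // '&' byref, ',' assembly/argument separator, '\' escape.
    static readonly char[] Reserved = { '+', '[', ']', '*', '&', ',', '\\' };

    // Reject a simple (non-nested, non-generic) type name that carries type-syntax
    // characters, so untrusted input cannot smuggle them into a dynamic module.
    public static void ValidateSimpleTypeName(string name) {
        if (string.IsNullOrEmpty(name))
            throw new ArgumentException("type name must not be empty");
        int bad = name.IndexOfAny(Reserved);
        if (bad >= 0)
            throw new ArgumentException(string.Format(
                "type name '{0}' contains reserved character '{1}' at index {2}",
                name, name[bad], bad));
    }

    // Hypothetical wrapper around ModuleBuilder.DefineType that validates first.
    public static TypeBuilder DefineTypeChecked(ModuleBuilder mb, string name,
                                               TypeAttributes attrs, Type parent) {
        ValidateSimpleTypeName(name);
        return mb.DefineType(name, attrs, parent);
    }

    static void Main() {
        var ab = AppDomain.CurrentDomain.DefineDynamicAssembly(
            new AssemblyName("DemoAssembly"), AssemblyBuilderAccess.Run);
        var mb = ab.DefineDynamicModule("DemoAssembly");

        // Constructed inputs: a clean name and the injected name from the post.
        string[] baseNames = { "Base", "Base+My" };
        for (int i = 0; i < baseNames.Length; i++) {
            try {
                var baseType = DefineTypeChecked(mb, baseNames[i], TypeAttributes.Public, typeof(object)).CreateType();
                var derived = DefineTypeChecked(mb, "Derived" + i, TypeAttributes.Public, baseType).CreateType();
                Console.WriteLine("ok: " + derived.FullName + " : " + derived.BaseType.FullName);
            } catch (ArgumentException e) {
                // The injected name is rejected here, before any COMException can occur.
                Console.WriteLine("rejected: " + e.Message);
            }
        }
    }
}
```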