My project has two interfaces, IObjectContext and IObjectFactory.
One way to use an interface as a parameter is:
    interface IObjectFactory: IDispatch{
        [id(1)] HRESULT create([in] IObjectContext* context);
    }
    ...
    STDMETHODIMP CObjectFactory::create(IObjectContext* context)
    {
        CObjectContext *ctx= dynamic_cast<CObjectContext*>(context);
        if(ctx!=NULL)
        ...
    }
If I'm not mistaken, I read somewhere that using an interface as a parameter can cause security problems. I do not remember where I read it.
Is it really possible? Can an interface be used as a parameter, or is it not recommended?
Articles are welcome.
If you pass a pointer to an interface as a parameter, the callee will have a reference to the object implementing that interface, and is free to store the pointer and call QueryInterface to get a pointer to any other interface implemented by that object.
The security implication is that if you don't trust the callee not to do that, you want to pass a proxy object that enforces the security constraints you need (i.e. does not support QI for any extra interfaces, and has a "shutdown" method to revoke access).
In your code, you use dynamic_cast<> on an interface pointer.
This is generally a bad idea:
CObjectContext. If it does, that is a sign that IObjectContext is missing functionality.
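
The proxy approach described in the answer above, sketched as an added example that is not part of the original question or answer. It uses portable stand-ins for COM's IUnknown, IIDs and HRESULTs so it builds without Windows headers; IUnk, IAdmin, ContextProxy, calleeReachesAdmin and the HR_/IID_ constants are hypothetical names, and reference counting is omitted.

```cpp
#include <cstdio>
// Portable stand-ins for COM's IUnknown, IIDs and HRESULTs (assumptions; ref counting omitted).
enum Iid { IID_Unknown, IID_Context, IID_Admin };
enum Hr  { HR_OK, HR_NOINTERFACE, HR_ACCESSDENIED };
struct IUnk { virtual Hr QueryInterface(Iid, void**) = 0; virtual ~IUnk() {} };
struct IObjectContext : IUnk { virtual Hr getName(const char** out) = 0; };
struct IAdmin : IUnk { virtual Hr wipe() = 0; };  // hypothetical sensitive interface

// Real object: QueryInterface on its IObjectContext pointer also reaches IAdmin.
struct CObjectContext : IObjectContext, IAdmin {
    bool wiped = false;
    Hr QueryInterface(Iid iid, void** out) override {
        if (iid == IID_Admin) { *out = static_cast<IAdmin*>(this); return HR_OK; }
        if (iid != IID_Context && iid != IID_Unknown) { *out = nullptr; return HR_NOINTERFACE; }
        *out = static_cast<IObjectContext*>(this); return HR_OK;
    }
    Hr getName(const char** out) override { *out = "ctx"; return HR_OK; }
    Hr wipe() override { wiped = true; return HR_OK; }
};

// Proxy: forwards IObjectContext only, refuses QI for anything else, and is revocable.
struct ContextProxy : IObjectContext {
    explicit ContextProxy(IObjectContext* t) : target(t) {}
    void shutdown() { target = nullptr; }  // revoke the callee's access
    Hr QueryInterface(Iid iid, void** out) override {
        if (!target || (iid != IID_Context && iid != IID_Unknown)) { *out = nullptr; return HR_NOINTERFACE; }
        *out = static_cast<IObjectContext*>(this); return HR_OK;
    }
    Hr getName(const char** out) override {
        if (!target) { *out = nullptr; return HR_ACCESSDENIED; }
        return target->getName(out);
    }
private:
    IObjectContext* target;
};

// Hypothetical callee that tries to obtain IAdmin from the pointer it was handed.
bool calleeReachesAdmin(IObjectContext* ctx) {
    void* p = nullptr;
    if (ctx->QueryInterface(IID_Admin, &p) != HR_OK) return false;
    return static_cast<IAdmin*>(p)->wipe() == HR_OK;
}

int main() {
    CObjectContext real; ContextProxy proxy(&real);
    std::printf("direct: %d, via proxy: %d\n", calleeReachesAdmin(&real), calleeReachesAdmin(&proxy));
}
```

Handing out the real object lets the callee reach IAdmin through QueryInterface; handing out the proxy limits it to IObjectContext until shutdown() is called, after which every call fails.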