Existing uses of BinaryFormatter must be removed or disabled by Jan 1, 2024.
Expected outcome
Behavior of .NET and .NET Framework version of MSBuild is unified - the BinFmt is disallowed by default
While BinFmt is still workable on Framework - assume it is not for the purpose of this change (as it may be soon removed from Framework and only be pluggable via optional NuGet) - so it is fine to drop violating events (provided a build error is emitted)
UPDATE (Oct/19):
For more gradual introduction of this breaking change, let's implement this for .NET Framework as a warning and without discarding the event.
.NET Core behavior will stay the same.
Per offline discussion with @rokonec - this can be achieved by skipping the sender side check for Framework, as receiving side check already has a warning.
In the future we'll change the warning to error (not part of this item)
Open Questions
Does AppContext.TryGetSwitch("System.Runtime.Serialization.EnableUnsafeBinaryFormatterSerialization", out bool enabled) make sense on .NET Framework as well? I'll provide answer to this later on. - The switch can be used on Full Framework as well. There is currently no usage of that in Framework runtime. But we can keep the code for both versions to avoid special casing.
Context
#6215
Per:
https://liquid.microsoft.com/Web/Object/Read/MS.Security/Requirements/Microsoft.Security.SystemsADM.10010
https://twcsecurityassurance.visualstudio.com/SecurityPolicy/_git/SecurityPolicy/pullrequest/1230
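A sketch of the gate discussed in this issue, added here as an example and not taken from the MSBuild code base: it reads the AppContext switch named above and maps the result to the per-runtime handling from the Oct/19 update. The type and member names (`EventAction`, `BinaryFormatterGate`, `IsOptedIn`, `Decide`) are hypothetical, and it assumes an explicit opt-in through the switch permits the event on either runtime.

```csharp
using System;

// Hypothetical names throughout; only the switch name comes from the issue text.
public enum EventAction { Allow, WarnAndKeep, ErrorAndDrop }

public static class BinaryFormatterGate
{
    public const string SwitchName =
        "System.Runtime.Serialization.EnableUnsafeBinaryFormatterSerialization";

    // An unset switch is treated the same as "false", so both runtimes
    // share one default (disallowed) without special casing.
    public static bool IsOptedIn() =>
        AppContext.TryGetSwitch(SwitchName, out bool enabled) && enabled;

    // Assumption: an explicit opt-in permits the event on either runtime.
    public static EventAction Decide(bool optedIn, bool isNetFramework)
    {
        if (optedIn) return EventAction.Allow;
        // Per the Oct/19 update: Framework warns and keeps the event,
        // .NET emits a build error and drops it.
        return isNetFramework ? EventAction.WarnAndKeep
                              : EventAction.ErrorAndDrop;
    }
}

public static class Program
{
    public static void Main()
    {
#if NETFRAMEWORK
        const bool isNetFramework = true;
#else
        const bool isNetFramework = false;
#endif
        // Default state: switch not set by this process.
        Console.WriteLine(
            BinaryFormatterGate.Decide(BinaryFormatterGate.IsOptedIn(), isNetFramework));

        // Explicit opt-in, as a host could do at startup or via configuration.
        AppContext.SetSwitch(BinaryFormatterGate.SwitchName, true);
        Console.WriteLine(
            BinaryFormatterGate.Decide(BinaryFormatterGate.IsOptedIn(), isNetFramework));
    }
}
```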