Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Warn when using BinaryFormatter resources while targeting .NET 8+ #8453

Closed
rainersigwald opened this issue Feb 15, 2023 · 1 comment · Fixed by #8524
Closed

Warn when using BinaryFormatter resources while targeting .NET 8+ #8453

rainersigwald opened this issue Feb 15, 2023 · 1 comment · Fixed by #8524
Assignees
@Forgind
Labels
Area-NetSDK Iteration:2023March Partner request size:3 Task: GenerateResource Problems with the task itself, resgen.exe, and resx resources in general. triaged
Milestone
.NET 8.0

Comments

@rainersigwald
Copy link
Member

.NET 8 will make BinaryFormatter functionality opt-in, and there's cross-team work to ensure that users have good alternatives and are guided to use them.

GenerateResource can pass BinaryFormatter-serialized resource objects from a source .resx file to .resources files embedded by the compiler:

msbuild/src/Tasks/ResourceHandling/MSBuildResXReader.cs

Lines 186 to 192 in 03de075

case BinSerializedObjectMimeType:
case Beta2CompatSerializedObjectMimeType:
case CompatBinSerializedObjectMimeType:
// BinaryFormatter from byte array
byte[] binaryFormatterBytes = Convert.FromBase64String(value);
resources.Add(new BinaryFormatterByteArrayResource(name, binaryFormatterBytes, resxFilename));

We should add a warning when we hit that case, so users are aware that they have BinaryFormatter exposure.

By default the warning should fire only when the user targets .NET 8+. The easiest way to implement this is probably to add a new argument to GenerateResource along the lines of WarnOnBinaryFormatterResources, pass it in as a property in common.targets, and then set a default value for it in the .NET SDK.

The warning must be overridable, because even in the long term (after .NET 9's removal of BinaryFormatter from the BCL) we expect it to be possible for applications to explicitly opt into BinaryFormatter support, and resources are likely to be a particularly long-lived use case.
@rainersigwald rainersigwald added Partner request Task: GenerateResource Problems with the task itself, resgen.exe, and resx resources in general. needs-triage Have yet to determine what bucket this goes in. Area-NetSDK labels Feb 15, 2023
@rainersigwald rainersigwald added this to the .NET 8.0 milestone Feb 15, 2023
@AR-May AR-May added Iteration:2023March size:3 and removed needs-triage Have yet to determine what bucket this goes in. labels Feb 21, 2023
@Forgind Forgind mentioned this issue Mar 3, 2023
Merged
@rainersigwald rainersigwald assigned Forgind and unassigned rokonec Mar 3, 2023
@danmoseley
Copy link
Member

Linking to dotnet/runtime#39287
and specifically
dotnet/runtime#39290
dotnet/runtime#39292 (?)

dotnet/designs#141

JaynieBai pushed a commit that referenced this issue Mar 29, 2023
@Forgind
Add warning for using BinaryFormatter in GenerateResource on .NET 8 (#…
dd5d9f7 
…8524)

It will be removed in .NET 9; doing so should be discouraged.

Note that this does nothing by default, but we can change that in the SDK.

Fixes #8453

Context
BinaryFormatter is deprecated and will be removed in .NET 9. In addition to the possibility of using a modern MSBuild with an older framework, there are apparently ways you can exempt your project, so we are not currently removing it entirely, and this warning (which is off by default) can be disabled even if it is enabled in the SDK.

Changes Made
I deleted using System.Runtime.Serialization.Formatters.Binary; in GenerateResource, then put a warning before the one usage of BinaryFormatter. That isn't necessarily the best way to figure out where it's used, as it would be helpful to know early, so feel free to comment to that effect.

Then I disabled it via a property and will make a separate PR to enable it in the 8.0 SDK.

Testing
Notes
@AR-May AR-May added the triaged label Feb 21, 2024
@Tanya-Solyanik Tanya-Solyanik mentioned this issue Dec 19, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Forgind Forgind

Labels
Area-NetSDK Iteration:2023March Partner request size:3 Task: GenerateResource Problems with the task itself, resgen.exe, and resx resources in general. triaged
Projects
None yet
Milestone
.NET 8.0
Development

Successfully merging a pull request may close this issue.

Add warning for using BinaryFormatter in GenerateResource on .NET 8 Forgind/msbuild
5 participants
@rainersigwald @danmoseley @Forgind @rokonec @AR-May