Disallow unrestricted polymorphic deserialization in DataSet #39304
Conversation
|
Hello @GrabYourPitchforks! Because this pull request has the Do note that I've been instructed to only help merge pull requests of this repository that have been opened for at least 10 minutes. No worries though, I will be back when the time is right! 😉 p.s. you can customize the way I help with merging this pull request, such as holding this pull request until a specific person approves. Simply @mention me (
|
|
Tagging subscribers to this area: @roji, @ajcvickers |
GrabYourPitchforks
added
NO-MERGE
|
Some recent changes to the build system means that this no longer builds successfully on my box. Will dig into it once other Patch Tuesday release stuff is out of the way. No changes required to the core logic, just need to figure out the magic .csproj settings to get this to work again. |
| <ProjectReference Include="..\..\System.ComponentModel.TypeConverter\src\System.ComponentModel.TypeConverter.csproj" /> | ||
| <ProjectReference Include="..\..\System.Runtime\src\System.Runtime.csproj" /> | ||
| <ProjectReference Include="..\..\System.Runtime.Extensions\src\System.Runtime.Extensions.csproj" /> | ||
| <ProjectReference Include="..\..\System.Private.Uri\src\System.Private.Uri.csproj" /> |
There was a problem hiding this comment.
Should these stay as Reference?
There was a problem hiding this comment.
No, because they reach into System.Private.CoreLib. We can only add <Reference> links to reference assemblies that are completely self-contained.
GrabYourPitchforks
removed
the
NO-MERGE
|
CI isn't enqueuing some test legs. However, of the test legs that have run, they're all passing. Going ahead with the commit. |
Fixes CVE-2020-1147 (see MSRC advisory, GitHub announcement)
See also https://go.microsoft.com/fwlink/?linkid=2132227 for documentation.
This is a direct port from the release/3.1 branch, plus the license header changes that Steve made a few days ago.