From fc64601384624295820af4e804759711839bebad Mon Sep 17 00:00:00 2001
From: DotNet Bot <dn-bot@microsoft.com>
Date: Fri, 3 Apr 2020 18:29:08 +0000
Subject: [PATCH 1/4] Merge pull request 6992 from
 darc-internal/release/3.1-0617b7c6-c9b3-4de4-930c-a2dfacbe8d40 into
 internal/release/3.1

---
 NuGet.config            |  3 ---
 eng/Version.Details.xml |  2 +-
 eng/Versions.props      |  2 +-
 eng/pipeline.yml        | 16 ++++++++++++++++
 4 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/NuGet.config b/NuGet.config
index 60b8ea64079..9d3abd7b200 100644
--- a/NuGet.config
+++ b/NuGet.config
@@ -6,14 +6,11 @@
     <!--Begin: Package sources managed by Dependency Flow automation. Do not edit the sources below.-->
     <add key="darc-pub-dotnet-core-setup-2d163b8" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/darc-pub-dotnet-core-setup-2d163b87/nuget/v3/index.json" />
     <add key="darc-pub-dotnet-corefx-e946ceb-1" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/darc-pub-dotnet-corefx-e946cebe-1/nuget/v3/index.json" />
-    <add key="darc-pub-dotnet-corefx-0f7f38c" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/darc-pub-dotnet-corefx-0f7f38c4/nuget/v3/index.json" />
     <!--End: Package sources managed by Dependency Flow automation. Do not edit the sources above.-->
     <add key="myget-fxlab" value="https://dotnet.myget.org/F/dotnet-corefxlab/api/v3/index.json" />
     <add key="arcade" value="https://dotnetfeed.blob.core.windows.net/dotnet-tools-internal/index.json" />
     <add key="dotnet-core" value="https://dotnetfeed.blob.core.windows.net/dotnet-core/index.json" />
     <add key="dotnet-tools" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-tools/nuget/v3/index.json" />
-    <add key="dotnet3" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet3/nuget/v3/index.json" />
-    <add key="dotnet3-transport" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet3-transport/nuget/v3/index.json" />
     <add key="dotnet3.1" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet3.1/nuget/v3/index.json" />
     <add key="dotnet3.1-transport" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet3.1-transport/nuget/v3/index.json" />
     <add key="dotnet-coreclr" value="https://dotnetfeed.blob.core.windows.net/dotnet-coreclr/index.json" />
diff --git a/eng/Version.Details.xml b/eng/Version.Details.xml
index 36a0c209ab0..ce755143d99 100644
--- a/eng/Version.Details.xml
+++ b/eng/Version.Details.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Dependencies>
   <ProductDependencies>
-    <Dependency Name="Microsoft.Private.Winforms" Version="4.8.1-servicing.20127.4">
+    <Dependency Name="Microsoft.Private.Winforms" Version="4.8.1-servicing.20202.2">
       <Uri>https://github.com/dotnet/winforms</Uri>
       <Sha>8b60caf6234fd40d51f2593dbaa474e1ffab0bff</Sha>
     </Dependency>
diff --git a/eng/Versions.props b/eng/Versions.props
index b489827637a..794c439f4f1 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -18,7 +18,7 @@
   </PropertyGroup>
   <!-- NuGet Package Versions -->
   <PropertyGroup>
-    <MicrosoftPrivateWinformsVersion>4.8.1-servicing.20127.4</MicrosoftPrivateWinformsVersion>
+    <MicrosoftPrivateWinformsVersion>4.8.1-servicing.20202.2</MicrosoftPrivateWinformsVersion>
   </PropertyGroup>
   <!-- Packages that come from https://github.com/dotnet/coreclr -->
   <PropertyGroup>
diff --git a/eng/pipeline.yml b/eng/pipeline.yml
index 42980161fdb..940bef72b62 100644
--- a/eng/pipeline.yml
+++ b/eng/pipeline.yml
@@ -67,6 +67,8 @@ jobs:
           value: ''
         - name: _HelixCreator
           value: ${{ parameters.repoName }}
+        - name: _InternalRuntimeDownloadArgs
+          value: ''
 
 
         # Override some values if we're building internally
@@ -109,6 +111,10 @@ jobs:
             value: '' #if _HelixToken is set, Creator must be empty
           - name: _TestHelixAgentPool
             value: 'Windows.10.Amd64.ClientRS5' # Preferred: 'Windows.10.Amd64%3bWindows.7.Amd64%3bWindows.10.Amd64.ClientRS5'
+          - group: DotNet-MSRC-Storage
+          - name: _InternalRuntimeDownloadArgs
+            value: /p:DotNetRuntimeSourceFeed=https://dotnetclimsrc.blob.core.windows.net/dotnet
+              /p:DotNetRuntimeSourceFeedKey=$(dotnetclimsrc-read-sas-token-base64)
 
       strategy:
         matrix:
@@ -138,6 +144,15 @@ jobs:
       - powershell: eng\pre-build.ps1
         displayName: Pre-Build - Set VSO Variables
 
+      - ${{ if ne(variables['System.TeamProject'], 'public') }}:
+        - task: PowerShell@2
+          displayName: Setup Private Feeds Credentials
+          inputs:
+            filePath: $(Build.SourcesDirectory)/eng/common/SetupNugetSources.ps1
+            arguments: -ConfigFile $(Build.SourcesDirectory)/NuGet.config -Password $Env:Token
+          env:
+            Token: $(dn-bot-dnceng-artifact-feeds-rw)
+
       # Use utility script to run script command dependent on agent OS.
       - script: eng\common\cibuild.cmd
           -configuration $(_BuildConfig) 
@@ -146,6 +161,7 @@ jobs:
           $(_SignArgs)
           $(_OfficialBuildIdArgs)
           $(_PlatformArgs)
+          $(_InternalRuntimeDownloadArgs)
         displayName: Windows Build / Publish
         # This condition should be kept in sync with the condition for 'Run DRTs' step 
         #   When building on a regular pipeline (!_HelixPipeline), build as usual 

From fe5c11588be6d74e54effce64c22f1a5e72a4809 Mon Sep 17 00:00:00 2001
From: Arpit Mathur <armathur@microsoft.com>
Date: Mon, 13 Apr 2020 02:08:06 +0000
Subject: [PATCH 2/4] Merged PR 6983: MSRC 54120: XAMLReader.Load used by
 `GetFixedDocumentSequence` method which could lead to code execution [.Net
 Core 3.1] - Missing variant fix

[Bug 1092072](https://devdiv.visualstudio.com/DefaultCollection/DevDiv/_workitems/edit/1092072): MSRC 54120: XAMLReader.Load used by `GetFixedDocumentSequence` method which could lead to code execution [.Net Core 3.1] - Missing variant fix

## **Description**
Loose xaml can contain executable payload e.g. `ObjectDataProvider`. This XAML can be included as part of `XpsDocument`s in their `FixedDocumentSequence` or `FixedPage`.

In WPF, we were allowing `XpsDocument`s to be loaded freely via `XamlReader.Load`.

This exposes an attack vector - when a user downloads an XPS file from the internet for viewing, they could end up executing untrusted code.

The fix is to identify known dangerous `Type`s and limit them from being deserialized during XAML loading. In order to accomplish this, we previously added new non-public overloads to the `XamlReader.Load` method to enable the use of `RestrictiveXamlXmlReader`.`RestrictiveXamlXmlReader` restricts known dangerous `Type`s from being loaded while deserializing xaml.

One of these dangerous `Type`s is `System.Windows.ResourceDictionary`, which is a valid `Type` in XML schema. To allow this valid `Type` we added another non-public overload to the `XamlReader.Load` method which takes an additional parameter, safeTypes, a list of `Type`s which can be loaded safely. We also added a new constructor to the `RestrictiveXamlXmlReader` which takes an additional parameter of safeTypes which are marked as safe to load for this instance of the `RestrictiveXamlXmlReader`.

### **Customer Impact**
Customers would be protected from opening potentially-compromised XPS documents.

### **Regression**
No. This security issue was reported by an external party.

### **Risk - Low**
- This change only affects loading XPS documents.
- The change has been tested well internally.
  - We ran regression tests to ensure nothing else is inadvertently broken.
  - Validated against POC to ensure that the fix works as intended.
---
 .../Documents/XpsS0ValidatingLoader.cs        | 18 ++++++----
 .../Markup/RestrictiveXamlXmlReader.cs        | 14 ++++++++
 .../System/Windows/Markup/XamlReader.cs       | 36 +++++++++++++++----
 3 files changed, 55 insertions(+), 13 deletions(-)

diff --git a/src/Microsoft.DotNet.Wpf/src/PresentationFramework/System/Windows/Documents/XpsS0ValidatingLoader.cs b/src/Microsoft.DotNet.Wpf/src/PresentationFramework/System/Windows/Documents/XpsS0ValidatingLoader.cs
index d3c0af4ec0d..a343260a7b1 100644
--- a/src/Microsoft.DotNet.Wpf/src/PresentationFramework/System/Windows/Documents/XpsS0ValidatingLoader.cs
+++ b/src/Microsoft.DotNet.Wpf/src/PresentationFramework/System/Windows/Documents/XpsS0ValidatingLoader.cs
@@ -59,13 +59,17 @@ internal void Validate(Stream stream, Uri parentUri, ParserContext pc, ContentTy
         /// <returns></returns>
         private object Load(Stream stream, Uri parentUri, ParserContext pc, ContentType mimeType, string rootElement)
         {
-            object obj = null;
+            object obj = null;
+
+            List<Type> safeTypes = new List<Type> { typeof(System.Windows.ResourceDictionary) };
 
             if (!DocumentMode)
             {                       // Loose XAML, just check against schema, don't check content type
                 if (rootElement==null)
-                {
-                    obj = XamlReader.Load(stream, pc);
+                {
+                    XmlReader reader = XmlReader.Create(stream, null, pc);
+                    obj = XamlReader.Load(reader, pc, XamlParseMode.Synchronous, true, safeTypes);
+                    stream.Close();
                 }
             }
             else
@@ -148,10 +152,10 @@ private object Load(Stream stream, Uri parentUri, ParserContext pc, ContentType
                         ;
                 }
                 else
-                {
-                    obj = XamlReader.Load(xpsSchemaValidator.XmlReader,
-                                    pc,
-                                    XamlParseMode.Synchronous);
+                {
+                    obj = XamlReader.Load(xpsSchemaValidator.XmlReader,
+                               pc,
+                               XamlParseMode.Synchronous, true, safeTypes);
                 }
                 _validResources.Pop();
             }
diff --git a/src/Microsoft.DotNet.Wpf/src/PresentationFramework/System/Windows/Markup/RestrictiveXamlXmlReader.cs b/src/Microsoft.DotNet.Wpf/src/PresentationFramework/System/Windows/Markup/RestrictiveXamlXmlReader.cs
index ead76b1da58..cf0937b7751 100644
--- a/src/Microsoft.DotNet.Wpf/src/PresentationFramework/System/Windows/Markup/RestrictiveXamlXmlReader.cs
+++ b/src/Microsoft.DotNet.Wpf/src/PresentationFramework/System/Windows/Markup/RestrictiveXamlXmlReader.cs
@@ -61,6 +61,20 @@ static RestrictiveXamlXmlReader()
         /// </summary>
         public RestrictiveXamlXmlReader(XmlReader xmlReader, XamlSchemaContext schemaContext, XamlXmlReaderSettings settings) : base(xmlReader, schemaContext, settings)
         {
+        }
+
+        /// <summary>
+        /// Builds the restricted set based on RestrictedTypes that have already been loaded but adds the list of Types passed in in safeTypes to the instance of _safeTypesSet
+        /// </summary>
+        internal RestrictiveXamlXmlReader(XmlReader xmlReader, XamlSchemaContext schemaContext, XamlXmlReaderSettings settings, List<Type> safeTypes) : base(xmlReader, schemaContext, settings)
+        {
+            if (safeTypes != null)
+            {
+                foreach (Type safeType in safeTypes)
+                {
+                    _safeTypesSet.Add(safeType);
+                }
+            }
         }
 
         /// <summary>
diff --git a/src/Microsoft.DotNet.Wpf/src/PresentationFramework/System/Windows/Markup/XamlReader.cs b/src/Microsoft.DotNet.Wpf/src/PresentationFramework/System/Windows/Markup/XamlReader.cs
index 0e76c83d435..5b4e2311053 100644
--- a/src/Microsoft.DotNet.Wpf/src/PresentationFramework/System/Windows/Markup/XamlReader.cs
+++ b/src/Microsoft.DotNet.Wpf/src/PresentationFramework/System/Windows/Markup/XamlReader.cs
@@ -13,7 +13,8 @@
 using System.IO.Packaging;
 using System.Windows;
 using System.ComponentModel;
-using System.Collections;
+using System.Collections;
+using System.Collections.Generic;
 using System.Diagnostics;
 using System.Reflection;
 
@@ -744,10 +745,33 @@ internal static object Load(
         /// RestrictiveXamlXmlReader to restrict instantiation of potentially dangerous types</param>
         /// <returns>object root generated after xml parsed</returns>
         internal static object Load(
-        XmlReader reader,
-        ParserContext parserContext,
-        XamlParseMode parseMode,
-        bool useRestrictiveXamlReader)
+           XmlReader reader,
+           ParserContext parserContext,
+           XamlParseMode parseMode,
+           bool useRestrictiveXamlReader)
+        {
+            return Load(reader, parserContext, parseMode, useRestrictiveXamlReader, null);
+        }
+
+        /// <summary>
+        /// Reads XAML from the passed stream, building an object tree and returning the
+        /// root of that tree.  Wrap a CompatibilityReader with another XmlReader that
+        /// uses the passed reader settings to allow validation of xaml.
+        /// </summary>
+        /// <param name="reader">XmlReader to use.  This is NOT wrapped by any
+        ///  other reader</param>
+        /// <param name="context">Optional parser context.  May be null </param>
+        /// <param name="parseMode">Sets synchronous or asynchronous parsing</param>
+        /// <param name="useRestrictiveXamlReader">Whether or not this method should use 
+        /// RestrictiveXamlXmlReader to restrict instantiation of potentially dangerous types</param>
+        /// <param name="safeTypes">List of known safe Types to be allowed through the RestrictiveXamlXmlReader</param>
+        /// <returns>object root generated after xml parsed</returns>
+        internal static object Load(
+            XmlReader reader,
+            ParserContext parserContext,
+            XamlParseMode parseMode,
+            bool useRestrictiveXamlReader,
+            List<Type> safeTypes)
         {
             if (parseMode == XamlParseMode.Uninitialized ||
                 parseMode == XamlParseMode.Asynchronous)
@@ -805,7 +829,7 @@ internal static object Load(
 
                 XamlSchemaContext schemaContext = parserContext.XamlTypeMapper != null ?
                     parserContext.XamlTypeMapper.SchemaContext : GetWpfSchemaContext();
-                System.Xaml.XamlXmlReader xamlXmlReader = (useRestrictiveXamlReader) ? new RestrictiveXamlXmlReader(reader, schemaContext, settings):
+                System.Xaml.XamlXmlReader xamlXmlReader = (useRestrictiveXamlReader) ? new RestrictiveXamlXmlReader(reader, schemaContext, settings, safeTypes) :
                                                                                        new System.Xaml.XamlXmlReader(reader, schemaContext, settings);
                 root = Load(xamlXmlReader, parserContext);
                 reader.Close();

From 847da8feefa286affd3f458fc3fdcedcd0d93869 Mon Sep 17 00:00:00 2001
From: DotNet Bot <dn-bot@microsoft.com>
Date: Mon, 13 Apr 2020 23:52:48 +0000
Subject: [PATCH 3/4] Merge pull request 7274 from
 darc-internal/release/3.1-720489a7-5c40-41ec-ae19-7278e25b4774 into
 internal/release/3.1

---
 eng/Version.Details.xml | 4 ++--
 eng/Versions.props      | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/eng/Version.Details.xml b/eng/Version.Details.xml
index ce755143d99..786de4834a2 100644
--- a/eng/Version.Details.xml
+++ b/eng/Version.Details.xml
@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Dependencies>
   <ProductDependencies>
-    <Dependency Name="Microsoft.Private.Winforms" Version="4.8.1-servicing.20202.2">
+    <Dependency Name="Microsoft.Private.Winforms" Version="4.8.1-servicing.20213.2">
       <Uri>https://github.com/dotnet/winforms</Uri>
-      <Sha>8b60caf6234fd40d51f2593dbaa474e1ffab0bff</Sha>
+      <Sha>ee014f89c09c1804af960c26279c46188963c2b6</Sha>
     </Dependency>
   </ProductDependencies>
   <ToolsetDependencies>
diff --git a/eng/Versions.props b/eng/Versions.props
index 794c439f4f1..3bb02cc7ec8 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -18,7 +18,7 @@
   </PropertyGroup>
   <!-- NuGet Package Versions -->
   <PropertyGroup>
-    <MicrosoftPrivateWinformsVersion>4.8.1-servicing.20202.2</MicrosoftPrivateWinformsVersion>
+    <MicrosoftPrivateWinformsVersion>4.8.1-servicing.20213.2</MicrosoftPrivateWinformsVersion>
   </PropertyGroup>
   <!-- Packages that come from https://github.com/dotnet/coreclr -->
   <PropertyGroup>

From cfb5c1c1ca14c12d23d797117aadf5750def8914 Mon Sep 17 00:00:00 2001
From: Ryland Alaniz <ryalan@microsoft.com>
Date: Thu, 11 Jun 2020 11:33:05 -0700
Subject: [PATCH 4/4] Update branding for 3.1.6 (includes the merge from
 internal/release/3.1: 847da8feefa286affd3f458fc3fdcedcd0d93869)

---
 eng/Versions.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eng/Versions.props b/eng/Versions.props
index 1a546f3805a..22ce2e7ad64 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -9,7 +9,7 @@
       Version prefix used by a few projects like Project Templates
       Revision portion of Major.Minor.Revision usually updated every release
     -->
-    <TraditionalVersionPrefix>3.1.5</TraditionalVersionPrefix>
+    <TraditionalVersionPrefix>3.1.6</TraditionalVersionPrefix>
     <PreReleaseVersionLabel>servicing</PreReleaseVersionLabel>
     <DotNetUseShippingVersions>true</DotNetUseShippingVersions>
     <AssemblyVersion>4.0.0.0</AssemblyVersion>