[Backport 8.0] [IIS] Manually parse exe bitness (#61894) #62037
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
BrennanConroy
added
the
Servicing-consider
BrennanConroy
added
area-networking
danmoseley
approved these changes
May 21, 2025
dotnet-policy-service
bot
added
the
pending-ci-rerun
|
/azp run |
wtgodbe
removed
the
pending-ci-rerun
|
Azure Pipelines successfully started running 3 pipeline(s). |
This was referenced Jul 21, 2025
Closed
This was referenced Oct 1, 2025
Bump Microsoft.AspNetCore.Identity.EntityFrameworkCore from 8.0.10 to 8.0.20
jviquez90/EshopOnWeb#14
Open
Closed
microsoft-github-policy-service bot
pushed a commit
to Azure/bicep
that referenced
this pull request
Oct 5, 2025
#18209) [//]: # (dependabot-start)⚠️ **Dependabot is rebasing this PR**⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Updated [Microsoft.AspNetCore.Components.WebAssembly](https://github.com/dotnet/aspnetcore) from 8.0.15 to 8.0.20. <details> <summary>Release notes</summary> _Sourced from [Microsoft.AspNetCore.Components.WebAssembly's releases](https://github.com/dotnet/aspnetcore/releases)._ ## 8.0.20 [Release](https://github.com/dotnet/core/releases/tag/v8.0.20) ## What's Changed * Update branding to 8.0.20 by @vseanreesermsft in dotnet/aspnetcore#63106 * [release/8.0] (deps): Bump src/submodules/googletest from `c67de11` to `373af2e` by @dependabot[bot] in dotnet/aspnetcore#63038 * [release/8.0] Dispose the certificate chain elements with the chain by @MackinnonBuck in dotnet/aspnetcore#62994 * [release/8.0] Update SignalR Redis tests to use internal Docker Hub mirror by @github-actions[bot] in dotnet/aspnetcore#63117 * [release/8.0] [SignalR] Don't throw for message headers in Java client by @github-actions[bot] in dotnet/aspnetcore#62784 * Merging internal commits for release/8.0 by @vseanreesermsft in dotnet/aspnetcore#63152 * [release/8.0] Update dependencies from dotnet/extensions by @dotnet-maestro[bot] in dotnet/aspnetcore#63188 * [release/8.0] Update dependencies from dotnet/arcade by @dotnet-maestro[bot] in dotnet/aspnetcore#63189 **Full Changelog**: dotnet/aspnetcore@v8.0.19...v8.0.20 ## 8.0.18 [Release](https://github.com/dotnet/core/releases/tag/v8.0.18) ## What's Changed * Update branding to 8.0.18 by @vseanreesermsft in dotnet/aspnetcore#62241 * [release/8.0] Update Alpine helix references by @github-actions in dotnet/aspnetcore#62243 * [release/8.0] (deps): Bump src/submodules/googletest from `04ee1b4` to `e9092b1` by @dependabot in dotnet/aspnetcore#62201 * [8.0] Delete src/arcade directory by @akoeplinger in dotnet/aspnetcore#61994 * [Backport 8.0] [IIS] Manually parse exe bitness (#61894) by @BrennanConroy in dotnet/aspnetcore#62037 * [release/8.0] Update dependencies from dotnet/source-build-reference-packages by @dotnet-maestro in dotnet/aspnetcore#62006 * [release/8.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#61944 * [release/8.0] Associate tagged keys with entries so replacements are not evicted by @github-actions in dotnet/aspnetcore#62247 * [release/8.0] Block test that is failing after switching to latest-chrome by @github-actions in dotnet/aspnetcore#62284 * backport(net8.0): http.sys on-demand TLS client hello retrieval by @DeagleGross in dotnet/aspnetcore#62290 * Merging internal commits for release/8.0 by @vseanreesermsft in dotnet/aspnetcore#62302 **Full Changelog**: dotnet/aspnetcore@v8.0.17...v8.0.18 ## 8.0.17 ## Bug Fixes - **Forwarded Headers Middleware: Ignore X-Forwarded-Headers from Unknown Proxy** ([#61623](dotnet/aspnetcore#61623)) The Forwarded Headers Middleware now ignores `X-Forwarded-Headers` sent from unknown proxies. This change improves security by ensuring that only trusted proxies can influence the forwarded headers, preventing potential spoofing or misrouting of requests. ## Dependency Updates - **Update dependencies from dotnet/arcade** ([#61832](dotnet/aspnetcore#61832)) This update brings in the latest changes from the dotnet/arcade repository, ensuring that ASP.NET Core benefits from recent improvements, bug fixes, and security patches in the shared build infrastructure. - **Bump src/submodules/googletest from `52204f7` to `04ee1b4`** ([#61761](dotnet/aspnetcore#61761)) The GoogleTest submodule has been updated to a newer commit, providing the latest testing features, bug fixes, and performance improvements for the project's C++ test components. ## Miscellaneous - **Update branding to 8.0.17** ([#61830](dotnet/aspnetcore#61830)) The project version branding has been updated to reflect the new 8.0.17 release, ensuring consistency across build outputs and documentation. - **Merging internal commits for release/8.0** ([#61924](dotnet/aspnetcore#61924)) This change merges various internal commits into the release/8.0 branch, incorporating minor fixes, documentation updates, and other non-user-facing improvements to keep the release branch up to date. --- This summary is generated and may contain inaccuracies. For complete details, please review the linked pull requests. **Full Changelog**: dotnet/aspnetcore@v8.0.16...v8.0.17 ## 8.0.16 [Release](https://github.com/dotnet/core/releases/tag/v8.0.16) ## What's Changed * Update branding to 8.0.16 by @vseanreesermsft in dotnet/aspnetcore#61283 * [release/8.0] (deps): Bump src/submodules/googletest from `24a9e94` to `52204f7` by @dependabot in dotnet/aspnetcore#61260 * [release/8.0] Update dependencies from dotnet/source-build-externals by @dotnet-maestro in dotnet/aspnetcore#61281 * [release/8.0] Upgrade to Ubuntu 22 by @wtgodbe in dotnet/aspnetcore#61216 * [release/8.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#60901 * [release/8.0] Update dependencies from dotnet/source-build-reference-packages by @dotnet-maestro in dotnet/aspnetcore#60926 * [release/8.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#61404 * Merging internal commits for release/8.0 by @vseanreesermsft in dotnet/aspnetcore#61398 * [release/8.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#61411 * Revert "Revert "[release/8.0] Update remnants of azureedge.net"" by @wtgodbe in dotnet/aspnetcore#60352 * [release/8.0] Fix preserving messages for stateful reconnect with backplane by @BrennanConroy in dotnet/aspnetcore#61375 * [release/8.0] Update dependencies from dotnet/source-build-reference-packages by @dotnet-maestro in dotnet/aspnetcore#61442 * fetch TLS client hello message from HTTP.SYS by @BrennanConroy in dotnet/aspnetcore#61494 **Full Changelog**: dotnet/aspnetcore@v8.0.15...v8.0.16 Commits viewable in [compare view](dotnet/aspnetcore@v8.0.15...v8.0.20). </details> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/18209) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This was referenced Oct 6, 2025
Closed
Open
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport of #61894
[IIS] Manually parse exe bitness
Description
In the AspNetCoreModule for IIS we have a check that dotnet.exe is the same architecture as the worker process (w3wp.exe). We used the windows function
GetBinaryTypeWto determine this information, which while correct has raised some concerns since it loads the exe into executable space.This PR changes the code to manually parse the exe file headers which is a well known format and use that information for the bitness check. This avoids loading the exe in executable space and still lets us check that the bitness matches.
Customer Impact
We unnecessarily load the specified exe into executable space.
Regression?
Risk
Updating a non-critical check, so if it checks incorrectly it will only result in slightly worse program diagnosability on app run failure. Also did a bunch of testing on the code to make sure it shouldn't be possible to throw which would be problematic.
Verification
Packaging changes reviewed?