From 1fa5971dbd2f181d588679f4e44713830b3136da Mon Sep 17 00:00:00 2001
From: Genevieve Warren <24882762+gewarren@users.noreply.github.com>
Date: Tue, 2 May 2023 13:35:33 -0700
Subject: [PATCH 1/3] update NotSupportedException info for BinaryFormatter
(de)serialize
---
.../BinaryFormatter.xml | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/xml/System.Runtime.Serialization.Formatters.Binary/BinaryFormatter.xml b/xml/System.Runtime.Serialization.Formatters.Binary/BinaryFormatter.xml
index 40bf2d638e2..54049df2a0d 100644
--- a/xml/System.Runtime.Serialization.Formatters.Binary/BinaryFormatter.xml
+++ b/xml/System.Runtime.Serialization.Formatters.Binary/BinaryFormatter.xml
@@ -494,7 +494,7 @@ An error occurred while deserializing an object from the input stream.
The property may contain more information about the root cause.
The caller does not have the required permission.
- ASP.NET Core 5 and later: Always thrown unless functionality is re-enabled in the project file. For more information, see Resolving BinaryFormatter obsoletion and disablement errors.
+ ASP.NET Core 5 and later and .NET 8 and later: In all cases except Windows Forms and WPF projects. For more information, see Deserialization risks in use of BinaryFormatter and related types.
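Review bot: the replacement line for the NotSupportedException entry drops the statement that the exception can be avoided by re-enabling the functionality in the project file, which the removed line carried ("Always thrown unless functionality is re-enabled in the project file"). Readers of this exception doc need both facts: the set of project types where it is thrown by default ("In all cases except Windows Forms and WPF projects") and that an explicit project-file opt-in changes that; consider keeping the "unless functionality is re-enabled in the project file" clause alongside the new scope wording, and keep the "Resolving BinaryFormatter obsoletion and disablement errors" link since that is the page describing the opt-in.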
@@ -542,10 +542,11 @@ The property may contain more information abou
property may contain more information abou
@@ -758,7 +760,7 @@ The property may contain more information abou
The is null.
An error has occurred during serialization, such as if an object in the parameter is not marked as serializable.
The caller does not have the required permission.
- ASP.NET Core 5 and later: Always thrown unless functionality is re-enabled in the project file. For more information, see Resolving BinaryFormatter obsoletion and disablement errors.
+ ASP.NET Core 5 and later and .NET 8 and later: In all cases except Windows Forms and WPF projects. For more information, see Deserialization risks in use of BinaryFormatter and related types.
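Review bot: same issue as in the Deserialize hunk above: the new NotSupportedException text for Serialize no longer says that the project-file opt-in suppresses the exception, and the link to the page that documents that opt-in is replaced by the risks page. Suggest keeping the "unless functionality is re-enabled in the project file" clause so the Serialize and Deserialize entries stay consistent with each other.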
From c9180080d1626ddb5a9d4be258ebaf399574d9d5 Mon Sep 17 00:00:00 2001
From: Genevieve Warren <24882762+gewarren@users.noreply.github.com>
Date: Wed, 28 Aug 2024 13:36:20 -0700
Subject: [PATCH 2/3] update for .NET 9
---
.../BinaryFormatter.xml | 322 +++++++++---------
1 file changed, 161 insertions(+), 161 deletions(-)
diff --git a/xml/System.Runtime.Serialization.Formatters.Binary/BinaryFormatter.xml b/xml/System.Runtime.Serialization.Formatters.Binary/BinaryFormatter.xml
index 54049df2a0d..3f7543f5cdc 100644
--- a/xml/System.Runtime.Serialization.Formatters.Binary/BinaryFormatter.xml
+++ b/xml/System.Runtime.Serialization.Formatters.Binary/BinaryFormatter.xml
@@ -58,64 +58,65 @@
Serializes and deserializes an object, or an entire graph of connected objects, in binary format.
- and classes implement the interface to support remote procedure calls (RPCs), and the interface (inherited by the ) to support serialization of a graph of objects. The class also supports RPCs with objects, without using the functionality.
-
- During RPCs, the interface allows the specification of two separate object graphs: the graph of objects to serialize, and an additional graph that contains an array of header objects that convey information about the remote function call (for example, transaction ID or a method signature).
-
- RPCs that use the separate into two distinct parts: method calls, which are sent to the server with the remote object that contains the method called, and method responses, which are sent from the server to the client with the status and response information from the called method.
-
- During serialization of a method call the first object of the object graph must support the interface. To deserialize a method call, use the method with the parameter. The remoting infrastructure uses the delegate to produce an object that supports the interface. When the invokes the delegate, it returns the URI of the remote object with the method that is being called. The first object in the graph returned supports the interface.
-
- The serialization procedure for a method response is identical to that of a method call, except the first object of the object graph must support the interface. To deserialize a method response, use the method. To save time, details about the caller object are not sent to the remote object during the method call. These details are instead obtained from the original method call, which is passed to the method in the parameter. The first object in the graph returned by the method supports the interface.
-
+The in-box implementation of BinaryFormatter was removed in .NET 9. For more information, see [BinaryFormatter migration guide](/dotnet/standard/serialization/binaryformatter-migration-guide/).
+
+ The and classes implement the interface to support remote procedure calls (RPCs), and the interface (inherited by the ) to support serialization of a graph of objects. The class also supports RPCs with objects, without using the functionality.
+
+ During RPCs, the interface allows the specification of two separate object graphs: the graph of objects to serialize, and an additional graph that contains an array of header objects that convey information about the remote function call (for example, transaction ID or a method signature).
+
+ RPCs that use the separate into two distinct parts: method calls, which are sent to the server with the remote object that contains the method called, and method responses, which are sent from the server to the client with the status and response information from the called method.
+
+ During serialization of a method call the first object of the object graph must support the interface. To deserialize a method call, use the method with the parameter. The remoting infrastructure uses the delegate to produce an object that supports the interface. When the invokes the delegate, it returns the URI of the remote object with the method that is being called. The first object in the graph returned supports the interface.
+
+ The serialization procedure for a method response is identical to that of a method call, except the first object of the object graph must support the interface. To deserialize a method response, use the method. To save time, details about the caller object are not sent to the remote object during the method call. These details are instead obtained from the original method call, which is passed to the method in the parameter. The first object in the graph returned by the method supports the interface.
+
> [!IMPORTANT]
-> Using binary serialization to deserialize untrusted data can lead to security risks. For more information, see [Validate All Inputs](https://owasp.org/www-project-proactive-controls/v3/en/c5-validate-inputs) and the [BinaryFormatter security guide](/dotnet/standard/serialization/binaryformatter-security-guide).
-
-## Unpaired Surrogates
- Any unpaired surrogate characters are lost in binary serialization. For example, the following string contains a high surrogate Unicode character `(\ud800`) in between the two `Test` words:
-
- `Test\ud800Test`
-
- Before serialization, the byte array of the string is as follows:
-
-|Byte Array Value|Character|
-|----------------------|---------------|
-|84|T|
-|101|e|
-|115|s|
-|116|t|
-|55296|\ud800|
-|84|T|
-|101|e|
-|115|s|
-|116|t|
-
- After deserialization, the high surrogate Unicode character is lost:
-
-|Byte Array Value|Character|
-|----------------------|---------------|
-|84|T|
-|101|e|
-|115|s|
-|116|t|
-|84|T|
-|101|e|
-|115|s|
-|116|t|
-
-
-
-## Examples
+> Using binary serialization to deserialize untrusted data can lead to security risks. For more information, see [Validate All Inputs](https://owasp.org/www-project-proactive-controls/v3/en/c5-validate-inputs) and the [BinaryFormatter security guide](/dotnet/standard/serialization/binaryformatter-security-guide).
+
+## Unpaired surrogates
+
+Any unpaired surrogate characters are lost in binary serialization. For example, the following string contains a high surrogate Unicode character `(\ud800`) in between the two `Test` words:
+
+`Test\ud800Test`
+
+Before serialization, the byte array of the string is as follows:
+
+| Byte array value | Character |
+|------------------|-----------|
+| 84 | T |
+| 101 | e |
+| 115 | s |
+| 116 | t |
+| 55296 | \ud800 |
+| 84 | T |
+| 101 | e |
+| 115 | s |
+| 116 | t |
+
+ After deserialization, the high surrogate Unicode character is lost:
+
+| Byte array value | Character |
+|------------------|-----------|
+| 84 | T |
+| 101 | e |
+| 115 | s |
+| 116 | t |
+| 84 | T |
+| 101 | e |
+| 115 | s |
+| 116 | t |
+
+## Examples
:::code language="cpp" source="~/snippets/cpp/VS_Snippets_Remoting/BinaryFormatterClass Example/CPP/binaryformatter.cpp" id="Snippet1":::
:::code language="csharp" source="~/snippets/csharp/System.Runtime.Serialization.Formatters.Binary/BinaryFormatter/Overview/binaryformatter.cs" id="Snippet1":::
- :::code language="vb" source="~/snippets/visualbasic/VS_Snippets_Remoting/BinaryFormatterClass Example/VB/binaryformatter.vb" id="Snippet1":::
-
+ :::code language="vb" source="~/snippets/visualbasic/VS_Snippets_Remoting/BinaryFormatterClass Example/VB/binaryformatter.vb" id="Snippet1":::
+
]]>
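Review bot: the new line "The in-box implementation of BinaryFormatter was removed in .NET 9" is placed above five paragraphs that describe the remoting and RPC behaviour of a type that no longer ships, while the "[!IMPORTANT]" callout about deserializing untrusted data sits below them; consider moving the callout directly under the new .NET 9 sentence so the security warning is the first thing a reader sees, and prefix the remoting paragraphs with a note that they apply to .NET Framework. Indentation is also inconsistent within this hunk: the new .NET 9 line has no leading space, the remoting paragraphs that follow keep theirs, and the "After deserialization" line still has one while the surrounding Unpaired surrogates text was de-indented. While touching the surrogates text, the escaped character is misquoted as "`(\ud800`)" in both the old and new lines; it should read "(`\ud800`)".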
@@ -163,23 +164,21 @@
Initializes a new instance of the class with default values.
- object as follows:
-
-|Property Type|Condition|
-|-------------------|---------------|
-||`null`|
-||A with a value that indicates that serialized data can be transmitted to or received from any of the other contexts. ()|
-
-
-
-## Examples
+ object as follows:
+
+|Property Type|Condition|
+|-------------------|---------------|
+||`null`|
+||A with a value that indicates that serialized data can be transmitted to or received from any of the other contexts. ()|
+
+## Examples
:::code language="cpp" source="~/snippets/cpp/VS_Snippets_Remoting/BinaryFormatterClass Example/CPP/binaryformatter.cpp" id="Snippet1":::
:::code language="csharp" source="~/snippets/csharp/System.Runtime.Serialization.Formatters.Binary/BinaryFormatter/Overview/binaryformatter.cs" id="Snippet1":::
- :::code language="vb" source="~/snippets/visualbasic/VS_Snippets_Remoting/BinaryFormatterClass Example/VB/binaryformatter.vb" id="Snippet1":::
-
+ :::code language="vb" source="~/snippets/visualbasic/VS_Snippets_Remoting/BinaryFormatterClass Example/VB/binaryformatter.vb" id="Snippet1":::
+
]]>
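Review bot: the constructor-level "## Examples" section is de-indented here but still points at the same three BinaryFormatter snippets as the class-level Examples, which are removed in the third patch of this series ("remove examples"); if the samples are being dropped because the in-box implementation is gone in .NET 9, remove this copy too so the two docs stay consistent. The property table in this hunk is also unchanged apart from whitespace, so the diff noise could be avoided by leaving it as it was.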
@@ -224,13 +223,13 @@
The source and destination for the serialized data.
Initializes a new instance of the class with a given surrogate selector and streaming context.
- .
-
- The serialization or deserialization process uses the specified to search for surrogates that are registered for the object types you want to deserialize. Surrogates are helpers that serialize and deserialize objects of specific classes. The default cannot handle the serialization of objects that derive from the for remoting purposes. In a remoting situation the specified replaces the object derived from with a object that is serialized by the specified surrogate selector. Therefore, if you want to use remote objects, set the `selector` parameter to an instance of . If you do not need surrogates, set the `selector` parameter to be `null`.
-
+ .
+
+ The serialization or deserialization process uses the specified to search for surrogates that are registered for the object types you want to deserialize. Surrogates are helpers that serialize and deserialize objects of specific classes. The default cannot handle the serialization of objects that derive from the for remoting purposes. In a remoting situation the specified replaces the object derived from with a object that is serialized by the specified surrogate selector. Therefore, if you want to use remote objects, set the `selector` parameter to an instance of . If you do not need surrogates, set the `selector` parameter to be `null`.
+
]]>
@@ -316,17 +315,17 @@
(Insecure) Gets or sets an object of type that controls the binding of a serialized object to a type.
The serialization binder to use with this formatter.
-
@@ -372,11 +371,11 @@
Gets or sets the for this formatter.
The streaming context to use with this formatter.
- provides an enumeration that describes the source and the destination for a given serialized stream, as well as a way for serialization to retain that context and an additional caller-defined context.
-
+ provides an enumeration that describes the source and the destination for a given serialized stream, as well as a way for serialization to retain that context and an additional caller-defined context.
+
]]>
@@ -391,10 +390,10 @@
Deserializes a stream into an object graph.
-
@@ -467,34 +466,35 @@
Deserializes the specified stream into an object graph.
The top (root) of the object graph.
-
The is .
- The supports seeking, but its length is 0.
-
- -or-
-
+ The supports seeking, but its length is 0.
+
+ -or-
+
The input stream does not represent a well-formed serialized payload.
-
+
-or-
-
+
An error occurred while deserializing an object from the input stream.
-
+
The property may contain more information about the root cause.
The caller does not have the required permission.
- ASP.NET Core 5 and later and .NET 8 and later: In all cases except Windows Forms and WPF projects. For more information, see Deserialization risks in use of BinaryFormatter and related types.
+ ASP.NET Core 5-8: Always thrown unless functionality is re-enabled in the project file. For more information, see Resolving BinaryFormatter obsoletion and disablement errors.
+ .NET 9 and later versions: In all cases. For more information, see BinaryFormatter migration guide.
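Review bot: the new "ASP.NET Core 5-8" NotSupportedException line narrows the scope that the removed line covered. The removed text stated that the exception is thrown for "ASP.NET Core 5 and later and .NET 8 and later: In all cases except Windows Forms and WPF projects", that is, on .NET 8 it applies to non-ASP.NET project types as well; the replacement mentions only ASP.NET Core, so a reader on a .NET 8 console or library project would conclude the exception does not apply. Suggest wording the first entry as ".NET 5-7 (ASP.NET Core projects) and .NET 8 (all project types except Windows Forms and WPF): always thrown unless functionality is re-enabled in the project file", and keep the separate ".NET 9 and later versions: In all cases" line, which is correct and a useful hard stop.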
@@ -540,23 +540,23 @@ The property may contain more information abou
Deserializes the specified stream into an object graph. The provided handles any headers in that stream.
The deserialized object or the top object (root) of the object graph.
-
The is .
- The supports seeking, but its length is 0.
-
- -or-
-
+ The supports seeking, but its length is 0.
+
+ -or-
+
The target type is a , but the value is out of range of the type.
The caller does not have the required permission.
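Review bot: this Deserialize(Stream, HeaderHandler) overload lists ArgumentNullException, SerializationException and SecurityException but has no NotSupportedException entry, while the Deserialize(Stream) hunk directly above documents the .NET 5-8 and .NET 9 disablement behaviour. Since the same disablement applies to every entry point of the formatter, add the same two NotSupportedException lines here (and to the other Deserialize/Serialize overloads) so callers of this overload are not left without the .NET 9 removal notice.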
@@ -603,14 +603,14 @@ For deserialization to succeed, the current position in the stream must be at th
Deserializes a response to a remote method call from the provided .
The deserialized response to the remote method call.
-
The is .
@@ -661,14 +661,13 @@ For deserialization to succeed, the current position in the stream must be at th
Gets or sets the of automatic deserialization the performs.
The that represents the current automatic deserialization level.
- and (the default). For details about deserialization levels, see [Automatic Deserialization in .NET Framework Remoting](https://docs.microsoft.com/previous-versions/dotnet/netframework-4.0/5dxse167(v=vs.100)).
-
+ and (the default).
+
]]>
- Automatic Deserialization in .NET Framework Remoting
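Review bot: removing both the inline sentence "For details about deserialization levels, see [Automatic Deserialization in .NET Framework Remoting]" and the seealso entry leaves the FilterLevel doc with only "and (the default)" and no explanation of what the Low and Full levels mean or why the level matters when deserializing untrusted input. If the link is being dropped because it points at the docs.microsoft.com previous-versions host, keep the reference and update the host rather than deleting the only pointer to the deserialization-level semantics.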
@@ -744,23 +743,24 @@ For deserialization to succeed, the current position in the stream must be at th
The object at the root of the graph to serialize.
Serializes the object, or graph of objects with the specified top (root), to the given stream.
-
- The is .
-
- -or-
-
+ The is .
+
+ -or-
+
The is null.
An error has occurred during serialization, such as if an object in the parameter is not marked as serializable.
The caller does not have the required permission.
- ASP.NET Core 5 and later and .NET 8 and later: In all cases except Windows Forms and WPF projects. For more information, see Deserialization risks in use of BinaryFormatter and related types.
+ ASP.NET Core 5-8: Always thrown unless functionality is re-enabled in the project file. For more information, see Resolving BinaryFormatter obsoletion and disablement errors.
+ .NET 9 and later versions: In all cases. For more information, see BinaryFormatter migration guide.
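Review bot: same scope regression as in the Deserialize hunk: the Serialize NotSupportedException entry now says "ASP.NET Core 5-8" where the removed line covered ".NET 8 and later" for all project types except Windows Forms and WPF. Use the same version and project-type wording in both entries so Serialize and Deserialize document identical behaviour.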
@@ -807,13 +807,13 @@ For deserialization to succeed, the current position in the stream must be at th
Remoting headers to include in the serialization. Can be .
Serializes the object, or graph of objects with the specified top (root), to the given stream attaching the provided headers.
-
The is .
@@ -862,11 +862,11 @@ For deserialization to succeed, the current position in the stream must be at th
Gets or sets a that controls type substitution during serialization and deserialization.
The surrogate selector to use with this formatter.
- to generate instances for objects that derive from .
-
+ to generate instances for objects that derive from .
+
]]>
@@ -956,15 +956,15 @@ For deserialization to succeed, the current position in the stream must be at th
Deserializes the specified stream into an object graph. The provided handles any headers in that stream.
The deserialized object or the top object (root) of the object graph.
-
The is .
@@ -1018,13 +1018,13 @@ For deserialization to succeed, the current position in the stream must be at th
Deserializes a response to a remote method call from the provided .
The deserialized response to the remote method call.
-
From 0bee11c5bfdd3853af94e23151d1a95f168cf513 Mon Sep 17 00:00:00 2001
From: Genevieve Warren <24882762+gewarren@users.noreply.github.com>
Date: Wed, 28 Aug 2024 13:41:18 -0700
Subject: [PATCH 3/3] remove examples
---
.../BinaryFormatter.xml | 5 -----
1 file changed, 5 deletions(-)
diff --git a/xml/System.Runtime.Serialization.Formatters.Binary/BinaryFormatter.xml b/xml/System.Runtime.Serialization.Formatters.Binary/BinaryFormatter.xml
index f1f4d4e9cce..be69be3a7ff 100644
--- a/xml/System.Runtime.Serialization.Formatters.Binary/BinaryFormatter.xml
+++ b/xml/System.Runtime.Serialization.Formatters.Binary/BinaryFormatter.xml
@@ -116,11 +116,6 @@ Before serialization, the byte array of the string is as follows:
| 115 | s |
| 116 | t |
-## Examples
- :::code language="cpp" source="~/snippets/cpp/VS_Snippets_Remoting/BinaryFormatterClass Example/CPP/binaryformatter.cpp" id="Snippet1":::
- :::code language="csharp" source="~/snippets/csharp/System.Runtime.Serialization.Formatters.Binary/BinaryFormatter/Overview/binaryformatter.cs" id="Snippet1":::
- :::code language="vb" source="~/snippets/visualbasic/VS_Snippets_Remoting/BinaryFormatterClass Example/VB/binaryformatter.vb" id="Snippet1":::
-
]]>
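Review bot: the class-level Examples section is removed, but the identical snippet references remain in the BinaryFormatter() constructor doc (de-indented in the previous patch of this series), so the "remove examples" intent is only half applied; remove that copy in the same commit. Also, the removal leaves the second surrogate table as the last element before "]]>" without a blank line, which matches the surrounding style but is worth a quick render check of the Unpaired surrogates section.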