
[Breaking change]: XmlSecureResolver obsolete as of .NET 7 RC1

Open GrabYourPitchforks opened this issue 2 years ago • 0 comments

Breaking change notice

The type System.Xml.XmlSecureResolver is obsolete as warning. The method System.Xml.XmlSecureResolver.GetEntity unconditionally throws XmlException.

Description

The method System.Xml.XmlSecureResolver.GetEntity will unconditionally throw an XmlException at runtime. If your application utilizes XmlSecureResolver and you attempt to resolve an entity through it, entity resolution will fail with an exception.

Additionally, the entirety of the type System.Xml.XmlSecureResolver is obsolete as warning. All references to this type will inject a SYSLIB0047 warning into your build. If you have enabled warnings as errors, this will cause a build break if your application references XmlSecureResolver.

using System.Xml;

// Compiler warning SYSLIB0047: XmlSecureResolver type is obsolete.
XmlResolver resolver = new XmlSecureResolver(
    resolver: new XmlUrlResolver(),
    securityUrl: "https://www.example.com/");

// Call to XmlSecureResolver.GetEntity below throws XmlException at runtime.
object entity = resolver.GetEntity(
    absoluteUri: new Uri("https://www.example.com/some-entity"),
    role: null,
    ofObjectToReturn: null);

Version introduced

.NET 7 RC1

Previous behavior

In .NET Framework, XmlSecureResolver.GetEntity constructs a Code Access Security (CAS) sandbox to restrict the external entity resolution process. If policy is violated, SecurityException is thrown.

In .NET Core 3.1, .NET 6, and .NET 7 (prior to RC1), XmlSecureResolver.GetEntity does not restrict external entity resolution at all. External entity resolution is allowed to proceed with no limitations.

New behavior

In .NET 7 RC1, XmlSecureResolver.GetEntity unconditionally throws XmlException. It does not construct a CAS sandbox and does not attempt to resolve the external entity.

Type of breaking change

Source incompatible: Source code may encounter a breaking change in behavior when targeting the new runtime/component/SDK, such as compile errors or different run-time behavior.

Reason for change

This change improves the security of the .NET ecosystem. This moves the behavior of XmlSecureResolver from fail-dangerous (always perform resolution) to fail-safe (never perform resolution) when running on .NET 7.

Recommended action

Consider instead using the newly introduced XmlResolver.ThrowingResolver static property. That property provides an XmlResolver instance which explicitly states "I do not want to allow any external entity resolution to occur."

using System.Xml;

// BAD: Do not use XmlSecureResolver.
// XmlResolver resolver = new XmlSecureResolver(
//     resolver: new XmlUrlResolver(),
//     securityUrl: "https://www.example.com/");

// GOOD: Use XmlResolver.ThrowingResolver instead.
XmlResolver resolver = XmlResolver.ThrowingResolver;

The documentation for the ThrowingResolver property also provides sample code for bringing the same behavior to projects targeting earlier versions of .NET.
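As an added example (not code from the issue or from the .NET docs), the following shows how a "never resolve" policy is wired into XmlReaderSettings, and a hypothetical ThrowingXmlResolver polyfill for targets older than .NET 7 where XmlResolver.ThrowingResolver does not exist. The XML input is constructed; the resolver name and the Demo class are assumptions.

```csharp
using System;
using System.IO;
using System.Xml;

// Hypothetical polyfill: an XmlResolver that refuses every resolution request,
// mirroring XmlResolver.ThrowingResolver for pre-.NET 7 targets.
public sealed class ThrowingXmlResolver : XmlResolver
{
    public static readonly ThrowingXmlResolver Instance = new ThrowingXmlResolver();

    public override object? GetEntity(Uri absoluteUri, string? role, Type? ofObjectToReturn)
        => throw new XmlException(
            "External entity resolution is disabled; refused to resolve '" + absoluteUri + "'.");
}

public static class Demo
{
    // Constructed input: a DTD declaring an external entity and a body that expands it.
    private const string Xml =
        @"<?xml version='1.0'?>
<!DOCTYPE doc [
  <!ENTITY ext SYSTEM 'https://www.example.com/some-entity'>
]>
<doc>&ext;</doc>";

    public static void Main()
    {
        var settings = new XmlReaderSettings
        {
            // The DTD itself is parsed, but any external fetch goes through the resolver,
            // which throws instead of performing network or file I/O.
            DtdProcessing = DtdProcessing.Parse,
#if NET7_0_OR_GREATER
            XmlResolver = XmlResolver.ThrowingResolver,
#else
            // Explicit assignment matters on .NET Framework, where the default is XmlUrlResolver.
            XmlResolver = ThrowingXmlResolver.Instance,
#endif
        };

        try
        {
            using var reader = XmlReader.Create(new StringReader(Xml), settings);
            while (reader.Read()) { }
            Console.WriteLine("Parsed without resolving any external entity.");
        }
        catch (XmlException ex)
        {
            // Expanding &ext; triggers GetEntity, which fails closed.
            Console.WriteLine("Refused: " + ex.Message);
        }
    }
}
```

Running this prints the "Refused" line: the document's external entity reference is rejected at expansion time rather than fetched.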

Feature area

XML, XSLT

Affected APIs

  • The type System.Xml.XmlSecureResolver (source breaking change)
  • The method System.Xml.XmlSecureResolver.GetEntity (runtime behavioral breaking change)

GrabYourPitchforks, Aug 10 '22 04:08