Resources deserialization

Open miloush opened this issue 2 years ago • 2 comments

<serialized> entries in Other Resources when decompiling .resources are useless. The values deserialization was removed as part of #1196 to address security vulnerabilities involved with arbitrary deserialization.

Could we not leave the decision about what is trustworthy to deserialize and what is not to the user? Maybe we don't need to manage trustworthy locations or assemblies, but simply have an explicit command to deserialize the resources, subject to a warning prompt.

miloush, Jun 24 '23 14:06

Are you talking about the ILSpy UI or about the whole project export? AFAIK all resources should be properly translated to resx when using WholeProjectDecompiler or the "Save project" feature in ILSpy.

siegfriedpammer, Jun 24 '23 20:06

Yes, sorry, I am talking about the ILSpy UI:

ILSpy 3.2 RC: image

After #1196 (intentionally): image

miloush, Jun 25 '23 12:06