BinaryFormatter is obsolete in AspNet Core in .net5.0 #2603
Comments
Well, according to the docs you mentioned, you can still use it with ASP.NET. You just need to update your csproj file:
<PropertyGroup>
  <TargetFramework>net5.0</TargetFramework>
  <!-- Warning: Setting the following switch is *NOT* recommended in web apps. -->
  <EnableUnsafeBinaryFormatterSerialization>true</EnableUnsafeBinaryFormatterSerialization>
</PropertyGroup>
|
Yes, they've introduced that tag in order for legacy applications to still run until all the references to BinaryFormatter in the dependencies are replaced, but it's still something they strongly DON'T recommend, since BinaryFormatter has security issues and it has been marked as deprecated in .net5+. |
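An added example, not part of the thread and not NHibernate or Microsoft code: a small audit a build pipeline could run to flag projects that re-enable BinaryFormatter through the switch discussed above, either in a csproj or through the same switch's runtime configuration name in a runtimeconfig file. The function names are hypothetical and the sample inputs are constructed.

```python
import json
import xml.etree.ElementTree as ET

SWITCH = "EnableUnsafeBinaryFormatterSerialization"
RUNTIME_KEY = "System.Runtime.Serialization." + SWITCH

def _local(tag):
    """Strip an XML namespace: legacy csproj files declare the MSBuild xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_csproj(xml_text):
    """Return one finding per PropertyGroup entry that sets the switch to true."""
    findings = []
    for group in ET.fromstring(xml_text).iter():
        if _local(group.tag).lower() != "propertygroup":
            continue
        for prop in group:
            # MSBuild property names and boolean values are case-insensitive.
            if _local(prop.tag).lower() != SWITCH.lower():
                continue
            if (prop.text or "").strip().lower() == "true":
                # A Condition may sit on the property or on its PropertyGroup.
                cond = prop.get("Condition") or group.get("Condition")
                findings.append({"source": "csproj", "condition": cond})
    return findings

def audit_runtimeconfig(json_text):
    """Flag a runtimeconfig.json or runtimeconfig.template.json that enables it."""
    doc = json.loads(json_text)
    # The built file nests under runtimeOptions; the template does not.
    props = doc.get("runtimeOptions", doc).get("configProperties", {})
    value = props.get(RUNTIME_KEY)
    if value is True or str(value).strip().lower() == "true":
        return [{"source": "runtimeconfig", "condition": None}]
    return []

# Constructed sample inputs, not taken from any real project.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>net5.0</TargetFramework>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)' == 'Release'">
    <enableunsafebinaryformatterserialization> True </enableunsafebinaryformatterserialization>
  </PropertyGroup>
</Project>"""
SAMPLE_RUNTIMECONFIG = '{"configProperties": {"%s": false}}' % RUNTIME_KEY

if __name__ == "__main__":
    for f in audit_csproj(SAMPLE_CSPROJ) + audit_runtimeconfig(SAMPLE_RUNTIMECONFIG):
        print("BinaryFormatter re-enabled:", f)
```

A finding with a non-empty condition means the block is lifted only for some build configurations, which is easy to miss when reviewing a Debug build.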
It could be replaced with one of the alternatives. NHibernate uses |
I know that a workaround exists, and I'm currently forced to adopt it, but are you suggesting that I should disable (for the long term) an application-wide block of a high-risk OWASP reported vulnerability, implemented in a core class that is reported as deprecated (and I expect it to be removed in future versions of the .net sdk)? |
Do we actually need to disable that block for running NHibernate on .Net 5? I think it is not even needed. The application will run just fine provided it does not use the few features of NHibernate which use So I do not see a reason for enabling binary formatter in .Net 5 if your code does not use any feature requiring binary serialization. That should not prevent using NHibernate at all, since it seems to be a runtime check triggered only on actual use of a binary formatter. |
Unfortunately the asp.net app won't start at all, whether you use a feature requiring binary serialization or not (BTW, I don't use it), throwing the following exception (an InnerException thrown inside a FluentConfigurationException) when calling BuildConfiguration(): "NotSupportedException: BinaryFormatter serialization and deserialization are disabled within this application. See https://aka.ms/binaryformatter for more information." I suppose the only fact that you reference (somewhere in your code) the BinaryFormatter class causes the app to block at the startup. |
I doubt it. Can you share full stack trace? I suspect it's FluentNhibernate to blame and |
Ok, it seems you're right. Here's the full stacktrace.
|
While FluentNhibernate's use of BinaryFormatter is more obvious as it fails on startup, the usages in NHibernate should still be changed. It's used in 5 places: |
Here is the same issue in the FluentNHibernate repo: nhibernate/fluent-nhibernate#479 |
Why? Can you elaborate on this?
|
It would be better to change to an implementation that doesn't use an unsafe part of the .net API. There are alternatives listed here: https://aka.ms/binaryformatter. Are none of those possible to use? |
There are not any such implementations, as you could infer by reading your link. Having some code referencing those unsafe types does not cause the project to be unsafe, since the default in .Net 5 will be to block the execution of those unsafe features. People trying to use them will get an appropriate warning, and that will be their responsibility and freedom if they choose to use them and disable the block for doing this. This change in .Net 5 means binary serialization should no longer be used. The two types using it in NHibernate are to be used only by those needing binary serialization. So the only action we should take about them is to flag them as obsolete once targeting .Net 5, and eventually offer some alternative if needed. By example, |
Still it's not working |
I had this error using the package NHibernate.Caches.StackExchangeRedis and I solved it by configuring JSON Serializer instead (package NHibernate.Caches.Util.JsonSerializer). |
AspNet Core in .net5.0 applications won't start since BinaryFormatter use is prohibited, as stated here.
Please consider replacing BinaryFormatter with something "AspNet Core in 5.0" friendly.
It's something AspNet Core related, since .net5.0 console applications don't have such an issue.