Merge pull request #3019 from arpitmathur/master

Fixing Microsoft Security Advisory CVE-2020-0605 : .NET Core Remote Code Execution Vulnerability- Variant (.Net 5.0)

src/Microsoft.DotNet.Wpf/src/PresentationFramework/System/Windows/Documents/XpsS0ValidatingLoader.cs

@@ -60,12 +60,15 @@ internal void Validate(Stream stream, Uri parentUri, ParserContext pc, ContentTy
         private object Load(Stream stream, Uri parentUri, ParserContext pc, ContentType mimeType, string rootElement)
         {
             object obj = null;
+            List<Type> safeTypes = new List<Type> { typeof(System.Windows.ResourceDictionary) };
 
             if (!DocumentMode)
             {                       // Loose XAML, just check against schema, don't check content type
                 if (rootElement==null)
                 {
-                    obj = XamlReader.Load(stream, pc);
+                    XmlReader reader = XmlReader.Create(stream, null, pc);
+                    obj = XamlReader.Load(reader, pc, XamlParseMode.Synchronous, true, safeTypes);
+                    stream.Close();
                 }
             }
             else
@@ -151,7 +154,7 @@ private object Load(Stream stream, Uri parentUri, ParserContext pc, ContentType
                 {
                     obj = XamlReader.Load(xpsSchemaValidator.XmlReader,
                                     pc,
-                                    XamlParseMode.Synchronous);
+                                    XamlParseMode.Synchronous, true, safeTypes);
                 }
                 _validResources.Pop();
             }

src/Microsoft.DotNet.Wpf/src/PresentationFramework/System/Windows/Markup/RestrictiveXamlXmlReader.cs

@@ -64,6 +64,20 @@ public RestrictiveXamlXmlReader(XmlReader xmlReader, XamlSchemaContext schemaCon
         }
 
         /// <summary>
+        /// Builds the restricted set based on RestrictedTypes that have already been loaded but adds the list of Types passed in in safeTypes to the instance of _safeTypesSet
+        /// </summary>
+        internal RestrictiveXamlXmlReader(XmlReader xmlReader, XamlSchemaContext schemaContext, XamlXmlReaderSettings settings, List<Type> safeTypes) : base(xmlReader, schemaContext, settings)
+        {
+            if (safeTypes != null)
+            {
+                foreach (Type safeType in safeTypes)
+                {
+                    _safeTypesSet.Add(safeType);
+                }
+            }
+        }
+        /// <summary>
+
         /// Calls the base Read method to extract a node from the Xaml parser, if it's found to be a StartObject node for a type we want to restrict we skip that node.
         /// </summary>
         /// <returns>

src/Microsoft.DotNet.Wpf/src/PresentationFramework/System/Windows/Markup/XamlReader.cs

@@ -14,6 +14,7 @@
 using System.Windows;
 using System.ComponentModel;
 using System.Collections;
+using System.Collections.Generic;
 using System.Diagnostics;
 using System.Reflection;
 
@@ -836,6 +837,29 @@ public static XamlSchemaContext GetWpfSchemaContext()
         ParserContext parserContext,
         XamlParseMode parseMode,
         bool useRestrictiveXamlReader)
+        {
+            return Load(reader, parserContext, parseMode, useRestrictiveXamlReader, null);
+        }
+
+        /// <summary>
+        /// Reads XAML from the passed stream, building an object tree and returning the
+        /// root of that tree.  Wrap a CompatibilityReader with another XmlReader that
+        /// uses the passed reader settings to allow validation of xaml.
+        /// </summary>
+        /// <param name="reader">XmlReader to use.  This is NOT wrapped by any
+        ///  other reader</param>
+        /// <param name="context">Optional parser context.  May be null </param>
+        /// <param name="parseMode">Sets synchronous or asynchronous parsing</param>
+        /// <param name="useRestrictiveXamlReader">Whether or not this method should use 
+        /// RestrictiveXamlXmlReader to restrict instantiation of potentially dangerous types</param>
+        /// <param name="safeTypes">List of known safe Types to be allowed through the RestrictiveXamlXmlReader</param>
+        /// <returns>object root generated after xml parsed</returns>
+        internal static object Load(
+            XmlReader reader,
+            ParserContext parserContext,
+            XamlParseMode parseMode,
+            bool useRestrictiveXamlReader,
+            List<Type> safeTypes)
         {
             if (parseMode == XamlParseMode.Uninitialized ||
                 parseMode == XamlParseMode.Asynchronous)
@@ -893,7 +917,7 @@ public static XamlSchemaContext GetWpfSchemaContext()
 
                 XamlSchemaContext schemaContext = parserContext.XamlTypeMapper != null ?
                     parserContext.XamlTypeMapper.SchemaContext : GetWpfSchemaContext();
-                System.Xaml.XamlXmlReader xamlXmlReader = (useRestrictiveXamlReader) ? new RestrictiveXamlXmlReader(reader, schemaContext, settings):
+                System.Xaml.XamlXmlReader xamlXmlReader = (useRestrictiveXamlReader) ? new RestrictiveXamlXmlReader(reader, schemaContext, settings, safeTypes) :
                                                                                        new System.Xaml.XamlXmlReader(reader, schemaContext, settings);
                 root = Load(xamlXmlReader, parserContext);
                 reader.Close();