- 15 Jan, 2020 5 commits
-
-
Committed by Rob LaDuca
Fixing Microsoft Security Advisory CVE-2020-0606 : .NET Core Remote Code Execution Vulnerability (3.0 Merge Fix)

Loose xaml can contain executable payload e.g. `ObjectDataProvider`. This Xaml can be included as part of `XpsDocument`s or base-64 encoded and then included in `StickyNote`s' annotation xml files. In WPF, we were allowing `XpsDocument`s and `StickyNote`s' annotation xml files to be loaded freely via `XamlReader.Load`. This exposes an attack vector - when a user downloads an XPS file from the internet for *viewing*, they could end up executing untrusted code.

The fix is to identify known dangerous types and limit them from being deserialized during XAML loading. In order to accomplish this, we add new _non-public_ overloads to the `XamlReader.Load` method to enable the use of `RestrictiveXamlXmlReader`. `RestrictiveXamlXmlReader` restricts known dangerous types from being loaded while deserializing xaml. We then call `XamlReader.Load` via `XamlReaderProxy`, which is an adapter for `XamlReader` type and uses reflection to access `XamlReader.Load`. Reflection is used to avoid adding additional public surface area to `XamlReader` in servicing. Small changes are made to `TextRange` as well since the call-site for the `StickyNote`s case was through a call to `TextRange` which in turn calls into `XamlReader.Load`.
-
Committed by Robert LaDuca
-
Committed by Robert LaDuca
This reverts commit 20e3a966, reversing changes made to 6f48cffd.
-
Committed by Arpit Dev Mathur
Description

Loose xaml can contain executable payload e.g. ObjectDataProvider. This Xaml can be included as part of XpsDocuments or base-64 encoded and then included in StickyNotes' annotation xml files. In WPF, we were allowing XpsDocuments and StickyNotes' annotation xml files to be loaded freely via XamlReader.Load. This exposes an attack vector - when a user downloads an XPS file from the internet for viewing, they could end up executing untrusted code.

The fix is to identify known dangerous types and limit them from being deserialized during XAML loading. In order to accomplish this, we add new non-public overloads to the XamlReader.Load method to enable the use of RestrictiveXamlXmlReader. RestrictiveXamlXmlReader restricts known dangerous types from being loaded while deserializing xaml. We then call XamlReader.Load via XamlReaderProxy, which is an adapter for XamlReader type and uses reflection to access XamlReader.Load. Reflection is used to avoid adding additional public surface area to XamlReader in servicing. Small changes are made to TextRange as well since the call-site for the StickyNotes case was through a call to TextRange which in turn calls into XamlReader.Load.

Customer Impact

Customers would be protected from opening potentially-compromised XPS documents and stickynotes annotation xml files.

Regression

No. This security issue was reported by an external party.

Risk - Low

- This change only affects loading XPS documents and loading stickynotes annotation data.
- The change has been tested well internally.
- We ran regression tests to ensure nothing else is inadvertently broken.
- Validated against POC to ensure that the fix works as intended.

In .NET Framework, we are introducing a quirk to give developers/customers the option of going back to the old (i.e., unsecure) behavior where deserializing dangerous types like ObjectDataProvider will be allowed. In .NET Core, no quirks are being provided - we do not believe that this is a scenario that should be supported for compatibility in a relatively new platform.
-
Committed by dotnet-bot
-
- 02 Dec, 2019 2 commits
-
-
Committed by dotnet-bot
-
https://github.com/dotnet/winforms
Committed by dotnet-maestro[bot]
- Microsoft.Private.Winforms - 4.8.0-servicing.19577.10
-
- 28 Nov, 2019 6 commits
-
-
Committed by dotnet-bot
-
https://github.com/dotnet/arcade
Committed by dotnet-maestro[bot]
- Microsoft.DotNet.ApiCompat - 1.0.0-beta.19577.5
- Microsoft.DotNet.Arcade.Sdk - 1.0.0-beta.19577.5
- Microsoft.DotNet.CodeAnalysis - 1.0.0-beta.19577.5
- Microsoft.DotNet.GenAPI - 1.0.0-beta.19577.5
- Microsoft.DotNet.Helix.Sdk - 2.0.0-beta.19577.5
-
Committed by dotnet-bot
-
Committed by Matt Mitchell
-
Committed by dotnet-bot
-
https://github.com/dotnet/winforms
Committed by dotnet-maestro[bot]
- Microsoft.Private.Winforms - 4.8.0-servicing.19577.5
-
- 23 Nov, 2019 2 commits
-
-
https://github.com/dotnet/arcade
Committed by dotnet-maestro[bot]
- Microsoft.DotNet.ApiCompat - 1.0.0-beta.19572.3
- Microsoft.DotNet.Arcade.Sdk - 1.0.0-beta.19572.3
- Microsoft.DotNet.CodeAnalysis - 1.0.0-beta.19572.3
- Microsoft.DotNet.GenAPI - 1.0.0-beta.19572.3
- Microsoft.DotNet.Helix.Sdk - 2.0.0-beta.19572.3
-
Committed by dotnet-maestro[bot]
* Update dependencies from https://github.com/dotnet/arcade build 20190924.3
  - Microsoft.DotNet.ApiCompat - 1.0.0-beta.19474.3
  - Microsoft.DotNet.Arcade.Sdk - 1.0.0-beta.19474.3
  - Microsoft.DotNet.CodeAnalysis - 1.0.0-beta.19474.3
  - Microsoft.DotNet.GenAPI - 1.0.0-beta.19474.3
  - Microsoft.DotNet.Helix.Sdk - 2.0.0-beta.19474.3
* Update Nuget.config
* Remove Versions.props restore sources
* Attempt to remove dotnet-core, add dotnet3 and dotnet3-transport
* Fix feed urls
* Update NuGet.config
* Update dependencies
* Update test package version
* Update dependencies from https://github.com/dotnet/arcade build 20191119.2
  - Microsoft.DotNet.ApiCompat - 1.0.0-beta.19569.2
  - Microsoft.DotNet.Arcade.Sdk - 1.0.0-beta.19569.2
  - Microsoft.DotNet.CodeAnalysis - 1.0.0-beta.19569.2
  - Microsoft.DotNet.GenAPI - 1.0.0-beta.19569.2
  - Microsoft.DotNet.Helix.Sdk - 2.0.0-beta.19569.2
* Add reference to System.Resources.Extensions
* Add System.Resources.Extensions references to PresentationUI
* Revert "Add reference to System.Resources.Extensions"
  This reverts commit 6506e43b372531c6513f1f5a63d1ae08985ab7ff.
* Update dependencies
* Include "ResolveTargetingPackAssets" in AfterTargets; Remove unused Targets (#2230)
* Workaround for https://github.com/dotnet/core-sdk/issues/4744
  .NET Core 3.1 SDK hasn't consumed the fix for https://github.com/NuGet/Home/issues/8467 yet. Suppress these warnings temporarily
* Fixing NoWarn to include SDK defines.
-
- 22 Nov, 2019 3 commits
-
-
Committed by dotnet-maestro[bot]
Update dependencies from https://dev.azure.com/dnceng/internal/_git/dotnet-wpf-int build 20191121.4 (#2227) - Microsoft.DotNet.Wpf.DncEng - 4.8.0-servicing.19571.4
-
Committed by Arpit Mathur
Merged PR 4375: [.Net Core 3.0] MSRC 54179, 54120: Reflecting into internal overloads of XamlReader.Load to use RestrictiveXamlXmlReader

Bugs:
- Bug [1006082](https://devdiv.visualstudio.com/DevDiv/_workitems/edit/1006082): MSRC 54120: XAMLReader.Load used by `GetFixedDocumentSequence` method which could lead to code execution [.Net Core 3.0]
- Bug [1006085](https://devdiv.visualstudio.com/DevDiv/_workitems/edit/1006085): MSRC 54179: Code Execution using Malicious Annotation Files for Sticky Notes in WPF apps [.Net Core 3.0]

### Description

Loose xaml can contain executable payload e.g. `ObjectDataProvider`. This Xaml can be included as part of `XpsDocument`s or base-64 encoded and then included in `StickyNote`s' annotation xml files. In WPF, we were allowing `XpsDocument`s and `StickyNote`s' annotation xml files to be loaded freely via `XamlReader.Load`. This exposes an attack vector - when a user downloads an XPS file from the internet for *viewing*, they could end up executing untrusted code.

The fix is to identify known dangerous types and limit them from being deserialized during XAML loading. In order to accomplish this, we add new _non-public_ overloads to the `XamlReader.Load` method to enable the use of `RestrictiveXamlXmlReader`. `RestrictiveXamlXmlReader` restricts known dangerous types from being loaded while deserializing xaml. We then call `XamlReader.Load` via `XamlReaderProxy`, which is an adapter for `XamlReader` type and uses reflection to access `XamlReader.Load`. Reflection is used to avoid adding additional public surface area to `XamlReader` in servicing. Small changes are made to `TextRange` as well since the call-site for the `StickyNote`s case was through a call to `TextRange` which in turn calls into `XamlReader.Load`.

### Customer Impact

Customers would be protected from opening potentially-compromised XPS documents and stickynotes annotation xml files.

### Regression

No. This security issue was reported by an external party.

### Risk - Low

- This change only affects loading XPS documents and loading stickynotes annotation data.
- The change has been tested well internally.
- We ran regression tests to ensure nothing else is inadvertently broken.
- Validated against POC to ensure that the fix works as intended.

In .NET Framework, we are introducing a quirk to give developers/customers the option of going back to the old (i.e., unsecure) behavior where deserializing dangerous types like `ObjectDataProvider` will be allowed. In .NET Core, no quirks are being provided - we do not believe that this is a scenario that should be supported for compatibility in a relatively new platform.
-
Committed by dotnet-maestro[bot]
Update dependencies from https://dev.azure.com/dnceng/internal/_git/dotnet-wpf-int build 20191120.4 (#2226) - Microsoft.DotNet.Wpf.DncEng - 4.8.0-servicing.19570.4
-
- 20 Nov, 2019 1 commit
-
-
Committed by Vatsan Madhavan
-
- 19 Nov, 2019 1 commit
-
-
Committed by Vatsan Madhavan
-
- 11 Oct, 2019 1 commit
-
-
Committed by Rob LaDuca
Fix missing type forwards in reference assemblies (3.0 port)
-
- 04 Oct, 2019 1 commit
-
-
Committed by Rob LaDuca
-
- 01 Oct, 2019 1 commit
-
-
https://github.com/dotnet/winforms
Committed by dotnet-maestro[bot]
- Microsoft.Private.Winforms - 4.8.0-servicing.19480.1
-
- 26 Sep, 2019 2 commits
-
-
Committed by Vatsan Madhavan
Mark ProjectTemplates and Microsoft.NET.Sdk.WindowsDesktop as NonShipping
-
Committed by Vatsan Madhavan
-
- 25 Sep, 2019 2 commits
-
-
Committed by Vatsan Madhavan
Update branding for 3.0.1 servicing and turn off stable builds
-
Committed by Vatsan Madhavan
-
- 13 Sep, 2019 1 commit
-
-
https://github.com/dotnet/winforms
Committed by dotnet-maestro[bot]
- Microsoft.Private.Winforms - 4.8.0-rc2.19462.10
-
- 12 Sep, 2019 9 commits
-
-
Committed by Matt Mitchell
Stabilize wpf for 3.0 GA
-
Committed by Matt Mitchell
-
https://github.com/dotnet/winforms
Committed by dotnet-maestro[bot]
- Microsoft.Private.Winforms - 4.8.0-rc2.19462.7

Dependency coherency updates
- Microsoft.Win32.Registry - 4.6.0-rc2.19460.1 (parent: Microsoft.NETCore.App)
- Microsoft.NETCore.App - 3.0.0-rc2-19460-02 (parent: Microsoft.Private.Winforms)
- System.CodeDom - 4.6.0-rc2.19460.1 (parent: Microsoft.NETCore.App)
- System.Configuration.ConfigurationManager - 4.6.0-rc2.19460.1 (parent: Microsoft.NETCore.App)
- System.Diagnostics.EventLog - 4.6.0-rc2.19460.1 (parent: Microsoft.NETCore.App)
- System.DirectoryServices - 4.6.0-rc2.19460.1 (parent: Microsoft.NETCore.App)
- System.Drawing.Common - 4.6.0-rc2.19460.1 (parent: Microsoft.NETCore.App)
- System.Reflection.Emit - 4.6.0-rc2.19460.1 (parent: Microsoft.NETCore.App)
- System.Reflection.MetadataLoadContext - 4.6.0-rc2.19460.1 (parent: Microsoft.NETCore.App)
- System.Security.AccessControl - 4.6.0-rc2.19460.1 (parent: Microsoft.NETCore.App)
- System.Security.Cryptography.Xml - 4.6.0-rc2.19460.1 (parent: Microsoft.NETCore.App)
- System.Security.Permissions - 4.6.0-rc2.19460.1 (parent: Microsoft.NETCore.App)
- System.Security.Principal.Windows - 4.6.0-rc2.19460.1 (parent: Microsoft.NETCore.App)
- System.Windows.Extensions - 4.6.0-rc2.19460.1 (parent: Microsoft.NETCore.App)
- Microsoft.NETCore.Platforms - 3.0.0-rc2.19460.1 (parent: Microsoft.NETCore.App)
- System.IO.Packaging - 4.6.0-rc2.19460.1 (parent: Microsoft.NETCore.App)
- Microsoft.NETCore.ILDAsm - 3.0.0-rc2.19459.3 (parent: Microsoft.NETCore.Runtime.CoreCLR)
- Microsoft.NETCore.Runtime.CoreCLR - 3.0.0-rc2.19459.3 (parent: Microsoft.NETCore.App)
- Microsoft.NETCore.ILAsm - 3.0.0-rc2.19459.3 (parent: Microsoft.NETCore.Runtime.CoreCLR)
-
Committed by Matt Mitchell
-
Committed by mmitche
-
Committed by dotnet-maestro[bot]
Update dependencies from https://dev.azure.com/dnceng/internal/_git/dotnet-wpf-int build 20190911.43 (#1865) - Microsoft.DotNet.Wpf.DncEng - 4.8.0-rc2.19461.43
-
Committed by Matt Mitchell
[release/3.0] Update dependencies from dotnet/arcade
-
https://github.com/dotnet/arcade
Committed by dotnet-maestro[bot]
- Microsoft.DotNet.ApiCompat - 1.0.0-beta.19461.7
- Microsoft.DotNet.Arcade.Sdk - 1.0.0-beta.19461.7
- Microsoft.DotNet.CodeAnalysis - 1.0.0-beta.19461.7
- Microsoft.DotNet.GenAPI - 1.0.0-beta.19461.7
- Microsoft.DotNet.Helix.Sdk - 2.0.0-beta.19461.7
-
https://github.com/dotnet/winforms
Committed by dotnet-maestro[bot]
- Microsoft.Private.Winforms - 4.8.0-preview9.19412.4

Dependency coherency updates
- Microsoft.Win32.Registry - 4.6.0-preview9.19409.17 (parent: Microsoft.NETCore.App)
- Microsoft.NETCore.App - 3.0.0-preview9-19411-11 (parent: Microsoft.Private.Winforms)
- System.CodeDom - 4.6.0-preview9.19409.17 (parent: Microsoft.NETCore.App)
- System.Configuration.ConfigurationManager - 4.6.0-preview9.19409.17 (parent: Microsoft.NETCore.App)
- System.Diagnostics.EventLog - 4.6.0-preview9.19409.17 (parent: Microsoft.NETCore.App)
- System.DirectoryServices - 4.6.0-preview9.19409.17 (parent: Microsoft.NETCore.App)
- System.Drawing.Common - 4.6.0-preview9.19409.17 (parent: Microsoft.NETCore.App)
- System.Reflection.Emit - 4.6.0-preview9.19409.17 (parent: Microsoft.NETCore.App)
- System.Reflection.MetadataLoadContext - 4.6.0-preview9.19409.17 (parent: Microsoft.NETCore.App)
- System.Security.AccessControl - 4.6.0-preview9.19409.17 (parent: Microsoft.NETCore.App)
- System.Security.Cryptography.Xml - 4.6.0-preview9.19409.17 (parent: Microsoft.NETCore.App)
- System.Security.Permissions - 4.6.0-preview9.19409.17 (parent: Microsoft.NETCore.App)
- System.Security.Principal.Windows - 4.6.0-preview9.19409.17 (parent: Microsoft.NETCore.App)
- System.Windows.Extensions - 4.6.0-preview9.19409.17 (parent: Microsoft.NETCore.App)
- Microsoft.NETCore.Platforms - 3.0.0-preview9.19409.17 (parent: Microsoft.NETCore.App)
- System.IO.Packaging - 4.6.0-preview9.19409.17 (parent: Microsoft.NETCore.App)
- Microsoft.NETCore.ILDAsm - 3.0.0-preview9.19409.2 (parent: Microsoft.NETCore.Runtime.CoreCLR)
- Microsoft.NETCore.Runtime.CoreCLR - 3.0.0-preview9.19409.2 (parent: Microsoft.NETCore.App)
- Microsoft.NETCore.ILAsm - 3.0.0-preview9.19409.2 (parent: Microsoft.NETCore.Runtime.CoreCLR)
-
- 11 Sep, 2019 3 commits
-
-
Committed by dotnet-maestro[bot]
Update dependencies from https://dev.azure.com/dnceng/internal/_git/dotnet-wpf-int build 20190910.13 (#1840) - Microsoft.DotNet.Wpf.DncEng - 4.8.0-rc2.19460.13
-
Committed by dotnet-maestro[bot]
* Update dependencies from https://github.com/dotnet/winforms build 20190904.3
  - Microsoft.Private.Winforms - 4.8.0-rc1.19454.3
* Update dependencies from https://github.com/dotnet/winforms build 20190905.15
  - Microsoft.Private.Winforms - 4.8.0-rc2.19455.15
* Update dependencies from https://github.com/dotnet/winforms build 20190906.4
  - Microsoft.Private.Winforms - 4.8.0-rc2.19456.4
* Update dependencies from https://github.com/dotnet/winforms build 20190907.4
  - Microsoft.Private.Winforms - 4.8.0-rc2.19457.4
* Update dependencies from https://github.com/dotnet/winforms build 20190908.3
  - Microsoft.Private.Winforms - 4.8.0-rc2.19458.3
* Update dependencies from https://github.com/dotnet/winforms build 20190909.5
  - Microsoft.Private.Winforms - 4.8.0-rc2.19459.5
* Update dependencies from https://github.com/dotnet/winforms build 20190909.7
  - Microsoft.Private.Winforms - 4.8.0-rc2.19459.7
* Update dependencies from https://github.com/dotnet/winforms build 20190909.12
  - Microsoft.Private.Winforms - 4.8.0-rc2.19459.12
* Update dependencies from https://github.com/dotnet/winforms build 20190909.13
  - Microsoft.Private.Winforms - 4.8.0-rc2.19459.13
* Update dependencies from https://github.com/dotnet/winforms build 20190910.2
  - Microsoft.Private.Winforms - 4.8.0-rc2.19460.2
* Update dependencies from https://github.com/dotnet/winforms build 20190910.6
  - Microsoft.Private.Winforms - 4.8.0-rc2.19460.6
* Update dependencies from https://github.com/dotnet/winforms build 20190910.4
  - Microsoft.Private.Winforms - 4.8.0-rc2.19460.4
* Update dependencies from https://github.com/dotnet/winforms build 20190910.9
  - Microsoft.Private.Winforms - 4.8.0-rc2.19460.9
* Update dependencies from https://github.com/dotnet/winforms build 20190910.10
  - Microsoft.Private.Winforms - 4.8.0-rc2.19460.10
* Update dependencies from https://github.com/dotnet/winforms build 20190910.11
  - Microsoft.Private.Winforms - 4.8.0-rc2.19460.11
* Dependency coherency updates
  - Microsoft.Win32.Registry - 4.6.0-rc2.19459.12 (parent: Microsoft.NETCore.App)
  - Microsoft.NETCore.App - 3.0.0-rc2-19459-40 (parent: Microsoft.Private.Winforms)
  - System.CodeDom - 4.6.0-rc2.19459.12 (parent: Microsoft.NETCore.App)
  - System.Configuration.ConfigurationManager - 4.6.0-rc2.19459.12 (parent: Microsoft.NETCore.App)
  - System.Diagnostics.EventLog - 4.6.0-rc2.19459.12 (parent: Microsoft.NETCore.App)
  - System.DirectoryServices - 4.6.0-rc2.19459.12 (parent: Microsoft.NETCore.App)
  - System.Drawing.Common - 4.6.0-rc2.19459.12 (parent: Microsoft.NETCore.App)
  - System.Reflection.Emit - 4.6.0-rc2.19459.12 (parent: Microsoft.NETCore.App)
  - System.Reflection.MetadataLoadContext - 4.6.0-rc2.19459.12 (parent: Microsoft.NETCore.App)
  - System.Security.AccessControl - 4.6.0-rc2.19459.12 (parent: Microsoft.NETCore.App)
  - System.Security.Cryptography.Xml - 4.6.0-rc2.19459.12 (parent: Microsoft.NETCore.App)
  - System.Security.Permissions - 4.6.0-rc2.19459.12 (parent: Microsoft.NETCore.App)
  - System.Security.Principal.Windows - 4.6.0-rc2.19459.12 (parent: Microsoft.NETCore.App)
  - System.Windows.Extensions - 4.6.0-rc2.19459.12 (parent: Microsoft.NETCore.App)
  - Microsoft.NETCore.Platforms - 3.0.0-rc2.19459.12 (parent: Microsoft.NETCore.App)
  - System.IO.Packaging - 4.6.0-rc2.19459.12 (parent: Microsoft.NETCore.App)
  - Microsoft.NETCore.ILDAsm - 3.0.0-rc2.19459.3 (parent: Microsoft.NETCore.Runtime.CoreCLR)
  - Microsoft.NETCore.Runtime.CoreCLR - 3.0.0-rc2.19459.3 (parent: Microsoft.NETCore.App)
  - Microsoft.NETCore.ILAsm - 3.0.0-rc2.19459.3 (parent: Microsoft.NETCore.Runtime.CoreCLR)
-
Committed by Matt Mitchell
[release/3.0] Update dependencies from dotnet/arcade
-