Is Microsoft Planning to fix ImageList? #11185
Comments
|
@SoftCircuits are you currently having a problem with |
|
@elachlan Sure. Visual Studio: 17.12.2
|
See Documentation: https://learn.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-migration-guide/winforms-applications |
|
@elachlan I'm still trying to figure out why I need BinaryFormatter. Or, more accurately, why ImageList needs it. |
|
Images get serialized into the resource files (resx). Winforms handles this internally but you require to enable The warning you are getting can be disabled. It says it "MAY" be deserialized by BinaryFormatter, but its a broad catch all message. If it is unable to use the internal winforms deserializer, then it will attempt to use |
|
@elachlan I know I can suppress the warning. But why is Microsft not redesigning ImageList such that I don't need to suppress warnings? If there's a problem with it, why doesn't Microsoft just fix it? Why is requiring us to hide warnings okay? I don't understand this. |
|
I'll leave that to the Winforms team to answer. |
|
@SoftCircuits - thank you for reporting this issue. MSB3825 does not apply to the image list control in .NET 9 because we had redesigned how we serialize and read image list at the runtime - https://github.com/dotnet/winforms/blob/01cfa36f4c9b6a3f4997129b7b72e2a2c874dd38/src/System.Windows.Forms/src/System/Windows/Forms/BinaryFormat/WinFormsBinaryFormatWriter.cs#L39-L50. |
|
@rainersigwald - is it possible to disable MSB3825 when target framework is NET9+? Or at least change the wording? As is it looks like the app should use BinaryFormatter, while only a small percentage needs the opt-in for the Resource Manager to use BInaryFormatter - https://source.dot.net/#System.Resources.Extensions/System/Resources/Extensions/DeserializingResourceReader.cs,36749eec8744c444,references |
|
@rainersigwald @Forgind - here are the BF removal workgroup recommendations:
Resource "imageList1.ImageStream" of type "System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" may be deserialized via BinaryFormatter at runtime. BinaryFormatter is deprecated due to known security risks and is removed from .NET 9+. If you wish to continue using it, set property "GenerateResourceWarnOnBinaryFormatterUse" to false. |
|
@Tanya-Solyanik Just to clarify - when targeting lower than NET8 (or full FW) - then we do NOT want to warn - correct? Not to self - this would be the place to tune the warning for NETx versions: https://github.com/dotnet/sdk/blob/cc260aa9a3fd51e20d66f0186a3da9fcf864b208/src/Tasks/Microsoft.NET.Build.Tasks/targets/Microsoft.NET.Sdk.targets#L106-L108 |
Good point! Is this warning conditional on the target FX right now? I believe so per this bug description - #8453, There is a property When I moved this bug to msbuild I assumed that this is only about net8+, but now that you posed this question, the warning is applicable to all versions in a sense that BF is bad. I'm not sure why it was implemented conditionally in the first place, probably we didn't want it to be too noisy? |
|
Yes - I believe it was to limit the update blockers - where just updating the toolchain would suddenly cause builds to fail. In such case we probably do not want to case disruptions to builds targeting NetFx (which we currently do not). I'll then make sure to adjust wording for NET8 and remove the warning for NET9+ Thank you! |
There is a lot of documentation about issue dotnet/winforms#9701 and the security risks associated with
BinaryFormatter.But what if we're not using
BinaryFormatterdirectly? Instead, we're usingImageList, which is currently implemented to useBinaryFormatter? Do we need to find a different image list control? Or is Microsoft planning to fix the existing one?The text was updated successfully, but these errors were encountered: