SerializationBinder Class

Reference

Definition

Namespace:: System.Runtime.Serialization

Assembly:: System.Runtime.Serialization.Formatters.dll

Assembly:: mscorlib.dll

Assembly:: netstandard.dll

Important

Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Allows users to control class loading and mandate what class to load.

public ref class SerializationBinder abstract

public abstract class SerializationBinder

[System.Serializable]
public abstract class SerializationBinder

[System.Serializable]
[System.Runtime.InteropServices.ComVisible(true)]
public abstract class SerializationBinder

type SerializationBinder = class

[<System.Serializable>]
type SerializationBinder = class

[<System.Serializable>]
[<System.Runtime.InteropServices.ComVisible(true)>]
type SerializationBinder = class

Public MustInherit Class SerializationBinder

Inheritance: Object
SerializationBinder

Attributes: SerializableAttribute ComVisibleAttribute

Remarks

Insecure serializers

Warning

BinaryFormatter is insecure and can't be made secure. For more information, see the BinaryFormatter security guide.

During serialization, a formatter transmits the information required to create an instance of an object of the correct type and version. This information generally includes the full type name and assembly name of the object. The assembly name includes the name, version, and strong name (see Strong-Named Assemblies) hash of the assembly. By default, deserialization uses this information to create an instance of an identical object (with the exception of any assembly loading restricted by the security policy). Some users need to control which class to load, either because the class has moved between assemblies or a different version of the class is required on the server and client.

SerializationBinder can not be used for security. There might be some security exploits when you are trying to deserialize some data from an untrusted source. The binder gives you an opportunity to inspect what types are being loaded in your application domain, but this doesn't guarantee an exploit is not possible. For more information see the BinaryFormatter security guide. You can then either maintain list of denied types or a list of allowed types and restrict which types are being loaded and instantiated. In addition, be mindful of what information is being put out on the wire. You may want to use transport or message security when sending type names or other data on the network.

Warning

Only use SerializationBinder if you are completely sure of what information is being serialized. Malicious types can cause unexpected behavior.

This is an abstract base class. All binders extend this class.

Notes to Implementers

When you inherit from SerializationBinder, you must override the following member: BindToType(String, String).

Constructors

SerializationBinder()

Initializes a new instance of the SerializationBinder class.

Methods

BindToName(Type, String, String)	When overridden in a derived class, controls the binding of a serialized object to a type.
BindToType(String, String)	When overridden in a derived class, controls the binding of a serialized object to a type.
Equals(Object)	Determines whether the specified object is equal to the current object. (Inherited from Object)
GetHashCode()	Serves as the default hash function. (Inherited from Object)
GetType()	Gets the Type of the current instance. (Inherited from Object)
MemberwiseClone()	Creates a shallow copy of the current Object. (Inherited from Object)
ToString()	Returns a string that represents the current object. (Inherited from Object)

Applies to