大多數程式碼存取安全性 API 已淘汰
.NET 中的大多數程式碼存取安全性 (CAS) 相關類型現已淘汰為警告。 這包括 SecurityPermissionAttribute 在內的 CAS 屬性、包括 SocketPermission、EvidenceBase 在內的 CAS 權限物件、衍生類型,以及其他支援的 API。
變更描述
在 .NET Framework 2.x - 4.x 中,CAS 屬性和 API 可能會影響程式碼執行過程,包括確保 CAS 需求堆疊查核行程成功或失敗。
// In .NET Framework, the attribute causes CAS stack walks
// to terminate successfully when this permission is demanded.
[SocketPermission(SecurityAction.Assert, Host = "contoso.com", Port = "443")]
public void DoSomething()
{
// open a socket to contoso.com:443
}
在 .NET Core 2.x - 3.x 中,執行階段不接受 CAS 屬性或 CAS API。 執行階段會忽略方法項目上的屬性,而且大多數的程式設計 API 都沒有效果。
// The .NET Core runtime ignores the following attribute.
[SocketPermission(SecurityAction.Assert, Host = "contoso.com", Port = "443")]
public void DoSomething()
{
// open a socket to contoso.com:443
}
此外,對擴充 API (Assert) 進行的程式設計呼叫一律會成功,但對限制性 API (Deny、PermitOnly) 進行的程式設計呼叫一律會在執行階段擲回例外狀況。 (PrincipalPermission 是此規則的例外狀況。請參閱下方 建議的動作 一節。)
public void DoAssert()
{
// The line below has no effect at run time.
new SocketPermission(PermissionState.Unrestricted).Assert();
}
public void DoDeny()
{
// The line below throws PlatformNotSupportedException at run time.
new SocketPermission(PermissionState.Unrestricted).Deny();
}
在 .NET 5 和更新版本中,大多數與 CAS 相關的 API 已淘汰,而且會產生編譯時期警告 SYSLIB0003。
[SocketPermission(SecurityAction.Assert, Host = "contoso.com", Port = "443")] // warning SYSLIB0003
public void DoSomething()
{
new SocketPermission(PermissionState.Unrestricted).Assert(); // warning SYSLIB0003
new SocketPermission(PermissionState.Unrestricted).Deny(); // warning SYSLIB0003
}
此變更僅限編譯時期。 舊版 .NET Core 沒有執行階段變更。 .NET Core 2.x - 3.x 中不會執行任何作業的方法,在 .NET 5 和更新版本中一樣不會在執行階段執行任何作業。 在 .NET Core 2.x - 3.x 中擲回 PlatformNotSupportedException 的方法,在 .NET 5 和更新版本中一樣會繼續在執行階段擲回 PlatformNotSupportedException。
變更原因
程式碼存取安全性 (CAS) 是不受支援的舊版技術。 啟用 CAS 的基礎結構僅存在於 .NET Framework 2.x - 4.x 中,但已淘汰而且不會接收服務或安全性修正程式。
由於 CAS 已被取代, 支援基礎結構並未轉送至 .NET Core 或 .NET 5+。 不過,因為我們有向前提出 API,所以應用程式可以對 .NET Framwork 和 .NET Core 進行交叉編譯。 這會導致發生「失敗開啟」的案例,其中雖然存在一些可呼叫的 CAS 相關 API,但在執行階段不會執行任何動作。 對於預期執行階段接受 CAS 相關屬性或程式設計 API 呼叫的元件而言,這可能會導致安全性問題。 為了更好地傳達執行階段不會使用這些屬性或 API,我們在 .NET 5.0 中已將大多數項目淘汰。
導入的版本
5.0
建議的動作
如果您要判斷提示任何安全性權限,請移除判斷提示權限的屬性或呼叫。
// REMOVE the attribute below. [SecurityPermission(SecurityAction.Assert, ControlThread = true)] public void DoSomething() { } public void DoAssert() { // REMOVE the line below. new SecurityPermission(SecurityPermissionFlag.ControlThread).Assert(); }如果您要拒絕或限制任何權限 (透過
PermitOnly),請連絡安全顧問。 由於 .NET 5+ 執行階段不接受 CAS 屬性,因此,如果應用程式不正確地依賴 CAS 基礎結構以限制對這些方法的存取,可能會出現安全性漏洞。// REVIEW the attribute below; could indicate security vulnerability. [SecurityPermission(SecurityAction.Deny, ControlThread = true)] public void DoSomething() { } public void DoPermitOnly() { // REVIEW the line below; could indicate security vulnerability. new SecurityPermission(SecurityPermissionFlag.ControlThread).PermitOnly(); }如果您需要任何權限 (PrincipalPermission 除外),請移除需求。 所有需求在執行階段都會成功。
// REMOVE the attribute below; it will always succeed. [SecurityPermission(SecurityAction.Demand, ControlThread = true)] public void DoSomething() { } public void DoDemand() { // REMOVE the line below; it will always succeed. new SecurityPermission(SecurityPermissionFlag.ControlThread).Demand(); }如果您需要 PrincipalPermission,請參閱 PrincipalPermissionAttribute 已淘汰為錯誤的指引。 PrincipalPermission 和 PrincipalPermissionAttribute 均適用該指引。
如果您確實必須停用這些警告 (不建議),可以在程式碼中隱藏
SYSLIB0003警告。#pragma warning disable SYSLIB0003 // disable the warning [SecurityPermission(SecurityAction.Demand, ControlThread = true)] #pragma warning restore SYSLIB0003 // re-enable the warning public void DoSomething() { } public void DoDemand() { #pragma warning disable SYSLIB0003 // disable the warning new SecurityPermission(SecurityPermissionFlag.ControlThread).Demand(); #pragma warning restore SYSLIB0003 // re-enable the warning }您也可以在專案檔中隱藏警告。 這麼做會停用專案中所有來源檔案的警告。
<Project Sdk="Microsoft.NET.Sdk"> <PropertyGroup> <TargetFramework>net5.0</TargetFramework> <!-- NoWarn below suppresses SYSLIB0003 project-wide --> <NoWarn>$(NoWarn);SYSLIB0003</NoWarn> </PropertyGroup> </Project>注意
隱藏
SYSLIB0003只會停用 CAS 相關的淘汰警告。 這不會停用任何其他警告,也不會變更 .NET 5+ 執行階段的行為。安全性
受影響的 API
- System.AppDomain.PermissionSet
- System.Configuration.ConfigurationPermission
- System.Configuration.ConfigurationPermissionAttribute
- System.Data.Common.DBDataPermission
- System.Data.Common.DBDataPermissionAttribute
- System.Data.Odbc.OdbcPermission
- System.Data.Odbc.OdbcPermissionAttribute
- System.Data.OleDb.OleDbPermission
- System.Data.OleDb.OleDbPermissionAttribute
- System.Data.OracleClient.OraclePermission
- System.Data.OracleClient.OraclePermissionAttribute
- System.Data.SqlClient.SqlClientPermission
- System.Data.SqlClient.SqlClientPermissionAttribute
- System.Diagnostics.EventLogPermission
- System.Diagnostics.EventLogPermissionAttribute
- System.Diagnostics.PerformanceCounterPermission
- System.Diagnostics.PerformanceCounterPermissionAttribute
- System.DirectoryServices.DirectoryServicesPermission
- System.DirectoryServices.DirectoryServicesPermissionAttribute
- System.Drawing.Printing.PrintingPermission
- System.Drawing.Printing.PrintingPermissionAttribute
- System.Net.DnsPermission
- System.Net.DnsPermissionAttribute
- System.Net.Mail.SmtpPermission
- System.Net.Mail.SmtpPermissionAttribute
- System.Net.NetworkInformation.NetworkInformationPermission
- System.Net.NetworkInformation.NetworkInformationPermissionAttribute
- System.Net.PeerToPeer.Collaboration.PeerCollaborationPermission
- System.Net.PeerToPeer.Collaboration.PeerCollaborationPermissionAttribute
- System.Net.PeerToPeer.PnrpPermission
- System.Net.PeerToPeer.PnrpPermissionAttribute
- System.Net.SocketPermission
- System.Net.SocketPermissionAttribute
- System.Net.WebPermission
- System.Net.WebPermissionAttribute
- System.Runtime.InteropServices.AllowReversePInvokeCallsAttribute
- System.Security.CodeAccessPermission
- System.Security.HostProtectionException
- System.Security.IPermission
- System.Security.IStackWalk
- System.Security.NamedPermissionSet
- System.Security.PermissionSet
- System.Security.Permissions.CodeAccessSecurityAttribute
- System.Security.Permissions.DataProtectionPermission
- System.Security.Permissions.DataProtectionPermissionAttribute
- System.Security.Permissions.DataProtectionPermissionFlags
- System.Security.Permissions.EnvironmentPermission
- System.Security.Permissions.EnvironmentPermissionAccess
- System.Security.Permissions.EnvironmentPermissionAttribute
- System.Security.Permissions.FileDialogPermission
- System.Security.Permissions.FileDialogPermissionAccess
- System.Security.Permissions.FileDialogPermissionAttribute
- System.Security.Permissions.FileIOPermission
- System.Security.Permissions.FileIOPermissionAccess
- System.Security.Permissions.FileIOPermissionAttribute
- System.Security.Permissions.GacIdentityPermission
- System.Security.Permissions.GacIdentityPermissionAttribute
- System.Security.Permissions.HostProtectionAttribute
- System.Security.Permissions.HostProtectionResource
- System.Security.Permissions.IUnrestrictedPermission
- System.Security.Permissions.IsolatedStorageContainment
- System.Security.Permissions.IsolatedStorageFilePermission
- System.Security.Permissions.IsolatedStorageFilePermissionAttribute
- System.Security.Permissions.IsolatedStoragePermission
- System.Security.Permissions.IsolatedStoragePermissionAttribute
- System.Security.Permissions.KeyContainerPermission
- System.Security.Permissions.KeyContainerPermissionAccessEntry
- System.Security.Permissions.KeyContainerPermissionAccessEntryCollection
- System.Security.Permissions.KeyContainerPermissionAccessEntryEnumerator
- System.Security.Permissions.KeyContainerPermissionAttribute
- System.Security.Permissions.KeyContainerPermissionFlags
- System.Security.Permissions.MediaPermission
- System.Security.Permissions.MediaPermissionAttribute
- System.Security.Permissions.MediaPermissionAudio
- System.Security.Permissions.MediaPermissionImage
- System.Security.Permissions.MediaPermissionVideo
- System.Security.Permissions.PermissionSetAttribute
- System.Security.Permissions.PermissionState
- System.Security.Permissions.PrincipalPermission
- System.Security.Permissions.PrincipalPermissionAttribute
- System.Security.Permissions.PublisherIdentityPermission
- System.Security.Permissions.PublisherIdentityPermissionAttribute
- System.Security.Permissions.ReflectionPermission
- System.Security.Permissions.ReflectionPermissionAttribute
- System.Security.Permissions.ReflectionPermissionFlag
- System.Security.Permissions.RegistryPermission
- System.Security.Permissions.RegistryPermissionAccess
- System.Security.Permissions.RegistryPermissionAttribute
- System.Security.Permissions.ResourcePermissionBase
- System.Security.Permissions.ResourcePermissionBaseEntry
- System.Security.Permissions.SecurityAction
- System.Security.Permissions.SecurityAttribute
- System.Security.Permissions.SecurityPermission
- System.Security.Permissions.SecurityPermissionAttribute
- System.Security.Permissions.SecurityPermissionFlag
- System.Security.Permissions.SiteIdentityPermission
- System.Security.Permissions.SiteIdentityPermissionAttribute
- System.Security.Permissions.StorePermission
- System.Security.Permissions.StorePermissionAttribute
- System.Security.Permissions.StorePermissionFlags
- System.Security.Permissions.StrongNameIdentityPermission
- System.Security.Permissions.StrongNameIdentityPermissionAttribute
- System.Security.Permissions.StrongNamePublicKeyBlob
- System.Security.Permissions.TypeDescriptorPermission
- System.Security.Permissions.TypeDescriptorPermissionAttribute
- System.Security.Permissions.TypeDescriptorPermissionFlags
- System.Security.Permissions.UIPermission
- System.Security.Permissions.UIPermissionAttribute
- System.Security.Permissions.UIPermissionClipboard
- System.Security.Permissions.UIPermissionWindow
- System.Security.Permissions.UrlIdentityPermission
- System.Security.Permissions.UrlIdentityPermissionAttribute
- System.Security.Permissions.WebBrowserPermission
- System.Security.Permissions.WebBrowserPermissionAttribute
- System.Security.Permissions.WebBrowserPermissionLevel
- System.Security.Permissions.ZoneIdentityPermission
- System.Security.Permissions.ZoneIdentityPermissionAttribute
- System.Security.Policy.ApplicationTrust.ApplicationTrust(PermissionSet, IEnumerable<StrongName>)
- System.Security.Policy.ApplicationTrust.FullTrustAssemblies
- System.Security.Policy.FileCodeGroup
- System.Security.Policy.GacInstalled
- System.Security.Policy.IIdentityPermissionFactory
- System.Security.Policy.PolicyLevel.AddNamedPermissionSet(NamedPermissionSet)
- System.Security.Policy.PolicyLevel.ChangeNamedPermissionSet(String, PermissionSet)
- System.Security.Policy.PolicyLevel.GetNamedPermissionSet(String)
- System.Security.Policy.PolicyLevel.RemoveNamedPermissionSet
- System.Security.Policy.PolicyStatement.PermissionSet
- System.Security.Policy.PolicyStatement.PolicyStatement
- System.Security.Policy.Publisher
- System.Security.Policy.Site
- System.Security.Policy.StrongName
- System.Security.Policy.StrongNameMembershipCondition
- System.Security.Policy.Url
- System.Security.Policy.Zone
- System.Security.SecurityManager
- System.ServiceProcess.ServiceControllerPermission
- System.ServiceProcess.ServiceControllerPermissionAttribute
- System.Transactions.DistributedTransactionPermission
- System.Transactions.DistributedTransactionPermissionAttribute
- System.Web.AspNetHostingPermission
- System.Web.AspNetHostingPermissionAttribute
- System.Xaml.Permissions.XamlLoadPermission
意見反應
即將登場:在 2024 年,我們將逐步淘汰 GitHub 問題作為內容的意見反應機制,並將它取代為新的意見反應系統。 如需詳細資訊,請參閱:https://aka.ms/ContentUserFeedback。
提交並檢視相關的意見反應