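Most code access security APIs are obsolete
Most code access security (CAS)-related types in .NET are now marked obsolete as a warning. This includes CAS attributes, such as SecurityPermissionAttribute, CAS permission objects, such as SocketPermission, EvidenceBase-derived types, and other supporting APIs.
Change description
In .NET Framework 2.x - 4.x, CAS attributes and APIs can influence the course of code execution, including ensuring that CAS-demand stack walks succeed or fail.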
// In .NET Framework, the attribute causes CAS stack walks
// to terminate successfully when this permission is demanded.
[SocketPermission(SecurityAction.Assert, Host = "contoso.com", Port = "443")]
public void DoSomething()
{
    // open a socket to contoso.com:443
}
In .NET Core 2.x - 3.x, the runtime does not honor CAS attributes or CAS APIs. The runtime ignores the attributes on method entry, and most programmatic APIs have no effect.
// The .NET Core runtime ignores the following attribute.
[SocketPermission(SecurityAction.Assert, Host = "contoso.com", Port = "443")]
public void DoSomething()
{
    // open a socket to contoso.com:443
}
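Additionally, programmatic calls to expansive APIs (Assert) always succeed, while programmatic calls to restrictive APIs (Deny, PermitOnly) always throw an exception at run time. (PrincipalPermission is an exception to this rule. See the Recommended action section below.)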
public void DoAssert()
{
    // The line below has no effect at run time.
    new SocketPermission(PermissionState.Unrestricted).Assert();
}
public void DoDeny()
{
    // The line below throws PlatformNotSupportedException at run time.
    new SocketPermission(PermissionState.Unrestricted).Deny();
}
In .NET 5 and later versions, most CAS-related APIs are obsolete and produce compile-time warning SYSLIB0003.
[SocketPermission(SecurityAction.Assert, Host = "contoso.com", Port = "443")] // warning SYSLIB0003
public void DoSomething()
{
    new SocketPermission(PermissionState.Unrestricted).Assert(); // warning SYSLIB0003
    new SocketPermission(PermissionState.Unrestricted).Deny(); // warning SYSLIB0003
}
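This is a compile-time only change. There is no run-time change from previous versions of .NET Core. Methods that perform no operation in .NET Core 2.x - 3.x continue to perform no operation at run time in .NET 5 and later. Methods that throw PlatformNotSupportedException in .NET Core 2.x - 3.x continue to throw PlatformNotSupportedException at run time in .NET 5 and later.
Reason for change
Code access security (CAS) is an unsupported legacy technology. The infrastructure to enable CAS exists only in .NET Framework 2.x - 4.x, but it is deprecated and does not receive servicing or security fixes.
Because CAS is deprecated, the supporting infrastructure was not brought forward to .NET Core or .NET 5+. However, the APIs were brought forward so that apps could cross-compile against .NET Framework and .NET Core. This led to "fail open" scenarios, where some CAS-related APIs exist and are callable but perform no action at run time. This can lead to security issues for components that expect the runtime to honor CAS-related attributes or programmatic API calls. To better communicate that the runtime doesn't respect these attributes or APIs, we have obsoleted the majority of them in .NET 5.0.
Version introduced
5.0
Recommended action
If you're asserting any security permission, remove the attribute or call that asserts the permission.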
// REMOVE the attribute below.
[SecurityPermission(SecurityAction.Assert, ControlThread = true)]
public void DoSomething()
{
}

public void DoAssert()
{
    // REMOVE the line below.
    new SecurityPermission(SecurityPermissionFlag.ControlThread).Assert();
}
If you're denying or restricting (via PermitOnly) any permission, contact your security advisor. Because the .NET 5+ runtime does not honor CAS attributes, your application could have a security hole if it incorrectly relies on the CAS infrastructure to restrict access to these methods.
// REVIEW the attribute below; could indicate security vulnerability.
[SecurityPermission(SecurityAction.Deny, ControlThread = true)]
public void DoSomething()
{
}

public void DoPermitOnly()
{
    // REVIEW the line below; could indicate security vulnerability.
    new SecurityPermission(SecurityPermissionFlag.ControlThread).PermitOnly();
}
If you're demanding any permission (except PrincipalPermission), remove the demand. All demands succeed at run time.
// REMOVE the attribute below; it will always succeed.
[SecurityPermission(SecurityAction.Demand, ControlThread = true)]
public void DoSomething()
{
}

public void DoDemand()
{
    // REMOVE the line below; it will always succeed.
    new SecurityPermission(SecurityPermissionFlag.ControlThread).Demand();
}
If you're demanding PrincipalPermission, consult the guidance for "PrincipalPermissionAttribute is obsolete as error". That guidance applies to both PrincipalPermission and PrincipalPermissionAttribute.
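The triage in this section (remove asserts and demands, review Deny and PermitOnly, treat PrincipalPermission separately) can be run over a whole code base before a migration. The following Python scanner is an added example, not part of the original page or of .NET; its regular expressions, function names and the C# sample are constructed for illustration, and the UNCLASSIFIED verdict for other SecurityAction values is an assumption because the page gives no guidance for them.

```python
import re

# Verdicts follow the page's recommended actions for .NET Core / .NET 5+.
TRIAGE = {
    "Assert": "REMOVE",      # has no effect at run time
    "Demand": "REMOVE",      # always succeeds at run time
    "Deny": "REVIEW",        # restriction is not enforced: possible hole
    "PermitOnly": "REVIEW",  # restriction is not enforced: possible hole
}
# [SecurityPermission(SecurityAction.Deny, ...)], with or without "Attribute".
ATTR_RE = re.compile(
    r"\[\s*(?:[\w.]+\.)?(\w+?)(?:Attribute)?\s*\(\s*SecurityAction\.(\w+)")
# new XPermission(...).Deny(); calls through a variable are not matched.
CALL_RE = re.compile(
    r"new\s+(?:[\w.]+\.)?(\w*Permission\w*)\s*\(.*?\)"
    r"\s*\.\s*(Assert|Demand|Deny|PermitOnly)\s*\(")

def triage_line(line):
    """Return [(type_name, action, verdict)] for CAS usages on one C# line."""
    hits = []
    for rx in (ATTR_RE, CALL_RE):
        for m in rx.finditer(line):
            name, action = m.group(1), m.group(2)
            principal = name.startswith("PrincipalPermission")
            # Assumption: actions the page does not discuss stay UNCLASSIFIED.
            verdict = "PRINCIPAL" if principal else TRIAGE.get(action, "UNCLASSIFIED")
            hits.append((name, action, verdict))
    return hits

def triage_source(text):
    """Return [(line_no, type_name, action, verdict)] for C# source text."""
    return [(no, *hit) for no, line in enumerate(text.splitlines(), 1)
            for hit in triage_line(line)]

# Constructed C# sample, modelled on the snippets in this section.
SAMPLE = """\
[SecurityPermission(SecurityAction.Deny, ControlThread = true)] public void DoSomething() { }
public void DoPermitOnly()
{
    new SecurityPermission(SecurityPermissionFlag.ControlThread).PermitOnly();
}
[SocketPermissionAttribute(SecurityAction.Assert, Host = "contoso.com", Port = "443")]
public void Connect() { new SocketPermission(PermissionState.Unrestricted).Demand(); }
[PrincipalPermission(SecurityAction.Demand, Role = "Administrators")] public void AdminOnly() { }
"""

if __name__ == "__main__":
    for finding in triage_source(SAMPLE):
        print(*finding)
```

Matches inside comments are reported too, so the scanner over-reports; every REVIEW finding marks a restriction that the .NET Core and .NET 5+ runtime does not enforce.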
If you absolutely must disable these warnings (which is not recommended), you can suppress the SYSLIB0003 warning in code.
#pragma warning disable SYSLIB0003 // disable the warning
[SecurityPermission(SecurityAction.Demand, ControlThread = true)]
#pragma warning restore SYSLIB0003 // re-enable the warning
public void DoSomething()
{
}

public void DoDemand()
{
#pragma warning disable SYSLIB0003 // disable the warning
    new SecurityPermission(SecurityPermissionFlag.ControlThread).Demand();
#pragma warning restore SYSLIB0003 // re-enable the warning
}
You can also suppress the warning in your project file. Doing so disables the warning for all source files within the project.
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net5.0</TargetFramework>
    <!-- NoWarn below suppresses SYSLIB0003 project-wide -->
    <NoWarn>$(NoWarn);SYSLIB0003</NoWarn>
  </PropertyGroup>
</Project>
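Note
Suppressing SYSLIB0003 disables only the CAS-related obsoletion warnings. It does not disable any other warnings or change the behavior of the .NET 5+ runtime.
Affected APIs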
- System.AppDomain.PermissionSet
- System.Configuration.ConfigurationPermission
- System.Configuration.ConfigurationPermissionAttribute
- System.Data.Common.DBDataPermission
- System.Data.Common.DBDataPermissionAttribute
- System.Data.Odbc.OdbcPermission
- System.Data.Odbc.OdbcPermissionAttribute
- System.Data.OleDb.OleDbPermission
- System.Data.OleDb.OleDbPermissionAttribute
- System.Data.OracleClient.OraclePermission
- System.Data.OracleClient.OraclePermissionAttribute
- System.Data.SqlClient.SqlClientPermission
- System.Data.SqlClient.SqlClientPermissionAttribute
- System.Diagnostics.EventLogPermission
- System.Diagnostics.EventLogPermissionAttribute
- System.Diagnostics.PerformanceCounterPermission
- System.Diagnostics.PerformanceCounterPermissionAttribute
- System.DirectoryServices.DirectoryServicesPermission
- System.DirectoryServices.DirectoryServicesPermissionAttribute
- System.Drawing.Printing.PrintingPermission
- System.Drawing.Printing.PrintingPermissionAttribute
- System.Net.DnsPermission
- System.Net.DnsPermissionAttribute
- System.Net.Mail.SmtpPermission
- System.Net.Mail.SmtpPermissionAttribute
- System.Net.NetworkInformation.NetworkInformationPermission
- System.Net.NetworkInformation.NetworkInformationPermissionAttribute
- System.Net.PeerToPeer.Collaboration.PeerCollaborationPermission
- System.Net.PeerToPeer.Collaboration.PeerCollaborationPermissionAttribute
- System.Net.PeerToPeer.PnrpPermission
- System.Net.PeerToPeer.PnrpPermissionAttribute
- System.Net.SocketPermission
- System.Net.SocketPermissionAttribute
- System.Net.WebPermission
- System.Net.WebPermissionAttribute
- System.Runtime.InteropServices.AllowReversePInvokeCallsAttribute
- System.Security.CodeAccessPermission
- System.Security.HostProtectionException
- System.Security.IPermission
- System.Security.IStackWalk
- System.Security.NamedPermissionSet
- System.Security.PermissionSet
- System.Security.Permissions.CodeAccessSecurityAttribute
- System.Security.Permissions.DataProtectionPermission
- System.Security.Permissions.DataProtectionPermissionAttribute
- System.Security.Permissions.DataProtectionPermissionFlags
- System.Security.Permissions.EnvironmentPermission
- System.Security.Permissions.EnvironmentPermissionAccess
- System.Security.Permissions.EnvironmentPermissionAttribute
- System.Security.Permissions.FileDialogPermission
- System.Security.Permissions.FileDialogPermissionAccess
- System.Security.Permissions.FileDialogPermissionAttribute
- System.Security.Permissions.FileIOPermission
- System.Security.Permissions.FileIOPermissionAccess
- System.Security.Permissions.FileIOPermissionAttribute
- System.Security.Permissions.GacIdentityPermission
- System.Security.Permissions.GacIdentityPermissionAttribute
- System.Security.Permissions.HostProtectionAttribute
- System.Security.Permissions.HostProtectionResource
- System.Security.Permissions.IUnrestrictedPermission
- System.Security.Permissions.IsolatedStorageContainment
- System.Security.Permissions.IsolatedStorageFilePermission
- System.Security.Permissions.IsolatedStorageFilePermissionAttribute
- System.Security.Permissions.IsolatedStoragePermission
- System.Security.Permissions.IsolatedStoragePermissionAttribute
- System.Security.Permissions.KeyContainerPermission
- System.Security.Permissions.KeyContainerPermissionAccessEntry
- System.Security.Permissions.KeyContainerPermissionAccessEntryCollection
- System.Security.Permissions.KeyContainerPermissionAccessEntryEnumerator
- System.Security.Permissions.KeyContainerPermissionAttribute
- System.Security.Permissions.KeyContainerPermissionFlags
- System.Security.Permissions.MediaPermission
- System.Security.Permissions.MediaPermissionAttribute
- System.Security.Permissions.MediaPermissionAudio
- System.Security.Permissions.MediaPermissionImage
- System.Security.Permissions.MediaPermissionVideo
- System.Security.Permissions.PermissionSetAttribute
- System.Security.Permissions.PermissionState
- System.Security.Permissions.PrincipalPermission
- System.Security.Permissions.PrincipalPermissionAttribute
- System.Security.Permissions.PublisherIdentityPermission
- System.Security.Permissions.PublisherIdentityPermissionAttribute
- System.Security.Permissions.ReflectionPermission
- System.Security.Permissions.ReflectionPermissionAttribute
- System.Security.Permissions.ReflectionPermissionFlag
- System.Security.Permissions.RegistryPermission
- System.Security.Permissions.RegistryPermissionAccess
- System.Security.Permissions.RegistryPermissionAttribute
- System.Security.Permissions.ResourcePermissionBase
- System.Security.Permissions.ResourcePermissionBaseEntry
- System.Security.Permissions.SecurityAction
- System.Security.Permissions.SecurityAttribute
- System.Security.Permissions.SecurityPermission
- System.Security.Permissions.SecurityPermissionAttribute
- System.Security.Permissions.SecurityPermissionFlag
- System.Security.Permissions.SiteIdentityPermission
- System.Security.Permissions.SiteIdentityPermissionAttribute
- System.Security.Permissions.StorePermission
- System.Security.Permissions.StorePermissionAttribute
- System.Security.Permissions.StorePermissionFlags
- System.Security.Permissions.StrongNameIdentityPermission
- System.Security.Permissions.StrongNameIdentityPermissionAttribute
- System.Security.Permissions.StrongNamePublicKeyBlob
- System.Security.Permissions.TypeDescriptorPermission
- System.Security.Permissions.TypeDescriptorPermissionAttribute
- System.Security.Permissions.TypeDescriptorPermissionFlags
- System.Security.Permissions.UIPermission
- System.Security.Permissions.UIPermissionAttribute
- System.Security.Permissions.UIPermissionClipboard
- System.Security.Permissions.UIPermissionWindow
- System.Security.Permissions.UrlIdentityPermission
- System.Security.Permissions.UrlIdentityPermissionAttribute
- System.Security.Permissions.WebBrowserPermission
- System.Security.Permissions.WebBrowserPermissionAttribute
- System.Security.Permissions.WebBrowserPermissionLevel
- System.Security.Permissions.ZoneIdentityPermission
- System.Security.Permissions.ZoneIdentityPermissionAttribute
- System.Security.Policy.ApplicationTrust.ApplicationTrust(PermissionSet, IEnumerable<StrongName>)
- System.Security.Policy.ApplicationTrust.FullTrustAssemblies
- System.Security.Policy.FileCodeGroup
- System.Security.Policy.GacInstalled
- System.Security.Policy.IIdentityPermissionFactory
- System.Security.Policy.PolicyLevel.AddNamedPermissionSet(NamedPermissionSet)
- System.Security.Policy.PolicyLevel.ChangeNamedPermissionSet(String, PermissionSet)
- System.Security.Policy.PolicyLevel.GetNamedPermissionSet(String)
- System.Security.Policy.PolicyLevel.RemoveNamedPermissionSet
- System.Security.Policy.PolicyStatement.PermissionSet
- System.Security.Policy.PolicyStatement.PolicyStatement
- System.Security.Policy.Publisher
- System.Security.Policy.Site
- System.Security.Policy.StrongName
- System.Security.Policy.StrongNameMembershipCondition
- System.Security.Policy.Url
- System.Security.Policy.Zone
- System.Security.SecurityManager
- System.ServiceProcess.ServiceControllerPermission
- System.ServiceProcess.ServiceControllerPermissionAttribute
- System.Transactions.DistributedTransactionPermission
- System.Transactions.DistributedTransactionPermissionAttribute
- System.Web.AspNetHostingPermission
- System.Web.AspNetHostingPermissionAttribute
- System.Xaml.Permissions.XamlLoadPermission