Tool manifests in root folder
.NET no longer looks for local tool manifest files in the root folder on Windows, unless overridden via the DOTNET_TOOLS_ALLOW_MANIFEST_IN_ROOT environment variable. This change does not impact Linux or macOS.
Previous behavior
Previously, .NET SDK local tools checked the root folder on all platforms when searching for a tool manifest. The search continued from the current directory up the directory tree to the root folder until it found a manifest. At each level, .NET searches for the tool manifest, named dotnet-tools.json, in a .config subfolder. On a Windows system, if no other tool manifest was found, the SDK ultimately looked for a tool manifest in C:\.config\dotnet-tools.json.
New behavior
.NET no longer searches in the root folder of the current directory tree by default on Windows, unless overridden via the DOTNET_TOOLS_ALLOW_MANIFEST_IN_ROOT environment variable. DOTNET_TOOLS_ALLOW_MANIFEST_IN_ROOT is set to false by default.
Version introduced
- .NET SDK 7.0.3xx
- .NET SDK 7.0.1xx
- .NET SDK 6.0.4xx
- .NET SDK 6.0.3xx
- .NET SDK 6.0.1xx
- .NET SDK 3.1.4xx
Type of breaking change
This change is a behavioral change.
Reason for change
This change was made to address a security concern. Since all users can create files and folders in the C:\ directory on Windows, low-privilege attackers can hijack the C:\.config\dotnet-tools.json file. When an administrator runs a dotnet tool command, the tool could potentially read malicious configuration information from the file and download and run malicious tools.
Recommended action
To disable the new behavior, set the DOTNET_TOOLS_ALLOW_MANIFEST_IN_ROOT environment variable to true or 1.
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for