# Runtime Changes for Migration from .NET Framework 4.7.1 to 4.7.2

## Introduction

Runtime changes affect all apps that are running under a .NET Framework it was not compiled against and that use a particular feature.

In the topics that describe runtime changes, we have classified individual items by their expected impact, as follows:

Major This is a significant change that affects a large number of apps or that requires substantial modification of code.

Minor This is a change that affects a small number of apps or that requires minor modification of code.

Edge case This is a change that affects apps under very specific scenarios that are not common.

Transparent This is a change that has no noticeable effect on the app's developer or user. The app should not require modification because of this change.

If you are migrating from the .NET Framework 4.7.1 to 4.7.2, review the following topics for application compatibility issues that may affect your app:

## Core

### Allow Unicode in URIs that resemble UNC shares

Details In System.Uri, constructing a file URI containing both a UNC share name and Unicode characters will no longer result in a URI with invalid internal state. The behavior will change only when all of the following are true:
• The URI has the scheme file: and is followed by four or more slashes.
• The host name begins with an underscore or other non-reserved symbol.
• The URI contains Unicode characters.
Suggestion Applications working with URIs consistently containing Unicode could have conceivably used this behavior to disallow references to UNC shares. Those applications should use IsUnc instead.
Scope Edge
Version 4.7.2
Type Runtime
Affected APIs

### Support special relative URI notation when Unicode is present

Details Uri will no longer throw a NullReferenceException when calling TryCreate on certain relative URIs containing Unicode.The simplest reproduction of the NullReferenceException is below, with the two statements being equivalent:
bool success = Uri.TryCreate("http:%C3%A8", UriKind.RelativeOrAbsolute, out Uri href);
bool success = Uri.TryCreate("http:è", UriKind.RelativeOrAbsolute, out Uri href);

To reproduce the NullReferenceException, the following items must be true:
• The URI must be specified as relative by prepending it with ‘http:’ and not following it with ‘//’.
• The URI must contain percent-encoded Unicode or unreserved symbols.
Suggestion Users depending on this behavior to disallow relative URIs should instead specify UriKind.Absolute when creating a URI.
Scope Edge
Version 4.7.2
Type Runtime
Affected APIs

## Runtime

### Improved WCF chain trust certificate validation for Net.Tcp certificate authentication

Details .NET Framework 4.7.2 improves chain trust certificate validation when using certificate authentication with transport security with WCF. With this improvement, client certificates that are used to authenticate to a server must be configured for client authentication. Similarly server certificates that are for the authenticating a server must be configured for server authentication. With this change, if the root certificate is disabled, the certificate chain validation fails. The same change was also made to .NET Framework 3.5 and later versions via Windows security roll-up. You can find more information here.This change is on by default and can be turned off by a configuration setting.
Suggestion
• Validate if your server and client certification has the required EKU OID. If not, update your certification.
• Validate if your root certificate is invalid. If so, update the root certificate.
• How to opt out of the change: If you can't update the certificate, you can work around the breaking change temporarily with the following configration setting, However, opting out of the change will leave your system vulnerable to the security issue.
<appSettings>
</appSettings>

Scope Minor
Version 4.7.2
Type Runtime

## Web Applications

### "dataAnnotations:dataTypeAttribute:disableRegEx" app setting is on by default in .NET Framework 4.7.2

Details In .NET Framework 4.6.1, an app setting ("dataAnnotations:dataTypeAttribute:disableRegEx") was introduced that allows users to disable the use of regular expressions in data type attributes (such as System.ComponentModel.DataAnnotations.EmailAddressAttribute, System.ComponentModel.DataAnnotations.UrlAttribute, and System.ComponentModel.DataAnnotations.PhoneAttribute). This helps to reduce security vulnerability such as avoiding the possibility of a Denial of Service attack using specific regular expressions.
In .NET Framework 4.6.1, this app setting to disable RegEx usage was set to false by default. Staring with .NET Framework 4.7.2, this config switch is set to true by default to further reduce secure vulnerability for web applications that target .NET Framework 4.7.2 and above.
Suggestion If you find that regular expressions in your web application do not work after upgrading to .NET Framework 4.7.2, you can update the value of the "dataAnnotations:dataTypeAttribute:disableRegEx" setting to false to revert to the previous behavior.
<configuration>
<appSettings>
...
...
</appSettings>
</configuration>

Scope Minor
Version 4.7.2
Type Runtime

## Windows Presentation Foundation (WPF)

### Keytips behavior improved in WPF

Details Keytips behavior has been modified to bring parity with behavior on Microsoft Word and Windows Explorer. By checking whether keytip state is enabled or not in the case of a SystemKey (in particular, Key or F11) being pressed, WPF handles keytip keys appropriately. Keytips now dismiss a menu even when it is opened by mouse.
Suggestion N/A
Scope Edge
Version 4.7.2
Type Runtime