大多数代码访问安全 API 已过时
.NET 中大多数与代码访问安全性 (CAS) 相关的类型均已过时,并作为警告显示。 这包含 CAS 属性(如 SecurityPermissionAttribute)、CAS 权限对象(如 SocketPermission)、EvidenceBase 派生类型和其他支持 API。
更改描述
在 .NET Framework 2.x - 4.x 中,CAS 属性和 API 可能会影响代码执行过程,包括确保 CAS 需求堆栈遍历成功或失败。
// In .NET Framework, the attribute causes CAS stack walks
// to terminate successfully when this permission is demanded.
[SocketPermission(SecurityAction.Assert, Host = "contoso.com", Port = "443")]
public void DoSomething()
{
// open a socket to contoso.com:443
}
在 .NET Core 2.x - 3.x 中,运行时不支持 CAS 属性或 CAS API。 运行时忽略方法输入的属性,并且大多数编程 API 均无效。
// The .NET Core runtime ignores the following attribute.
[SocketPermission(SecurityAction.Assert, Host = "contoso.com", Port = "443")]
public void DoSomething()
{
// open a socket to contoso.com:443
}
此外,对扩展 API (Assert
) 的编程调用始终会成功,而对限制性 API(Deny
PermitOnly
)的编程调用始终会在运行时引发异常。 (PrincipalPermission 是此规则的例外情况。请参阅下面的建议操作部分。)
public void DoAssert()
{
// The line below has no effect at run time.
new SocketPermission(PermissionState.Unrestricted).Assert();
}
public void DoDeny()
{
// The line below throws PlatformNotSupportedException at run time.
new SocketPermission(PermissionState.Unrestricted).Deny();
}
在 .NET 5 及更高版本中,大多数与 CAS 相关的 API 被标记为已过时并生成编译时警告 SYSLIB0003
。
[SocketPermission(SecurityAction.Assert, Host = "contoso.com", Port = "443")] // warning SYSLIB0003
public void DoSomething()
{
new SocketPermission(PermissionState.Unrestricted).Assert(); // warning SYSLIB0003
new SocketPermission(PermissionState.Unrestricted).Deny(); // warning SYSLIB0003
}
这是仅在编译时进行的更改。 以前版本的 .NET Core 没有运行时更改。 在 .NET Core 2.x - 3.x 中不执行任何操作的方法在 .NET 5 及更高版本中将继续在运行时不执行任何操作。 在 .NET Core 2.x - 3.x 中引发 PlatformNotSupportedException 的方法在 .NET 5 及更高版本中将继续在运行时引发 PlatformNotSupportedException。
更改原因
代码访问安全性 (CAS) 是一项不受支持的传统技术。 用于启用 CAS 的基础结构仅存在于 .NET Framework 2.x - 4.x,但现已弃用且不接受服务或安全修补。
由于 CAS 的弃用,支持基础结构未引入 .NET Core 或 .NET 5+。 但是,引入了这些 API,以便应用可以针对 .NET Framework 和 .NET Core 进行交叉编译。 这导致了“无法打开”的情况,在这种情况下,存在某些与 CAS 相关的 API 并可调用这些 API,但在运行时不执行任何操作。 这可能会导致组件的安全问题,这些组件期望运行时支持 CAS 相关的属性或编程 API 调用。 为了更好地传达运行时不遵从这些属性或 API,我们在 .NET 5.0 中淘汰了大多数属性或 API。
引入的版本
5.0
建议的操作
如果要断言任何安全权限,请删除断言该权限的属性或调用。
// REMOVE the attribute below. [SecurityPermission(SecurityAction.Assert, ControlThread = true)] public void DoSomething() { } public void DoAssert() { // REMOVE the line below. new SecurityPermission(SecurityPermissionFlag.ControlThread).Assert(); }
如果要拒绝或限制(通过
PermitOnly
)任何权限,请与安全顾问联系。 由于 .NET 5+ 运行时不支持 CAS 属性,因此如果应用程序错误地依赖于 CAS 基础结构来限制对这些方法的访问,则它可能存在安全漏洞。// REVIEW the attribute below; could indicate security vulnerability. [SecurityPermission(SecurityAction.Deny, ControlThread = true)] public void DoSomething() { } public void DoPermitOnly() { // REVIEW the line below; could indicate security vulnerability. new SecurityPermission(SecurityPermissionFlag.ControlThread).PermitOnly(); }
如果要求任何权限(除 PrincipalPermission 外),请删除该请求。 所有请求都将在运行时成功。
// REMOVE the attribute below; it will always succeed. [SecurityPermission(SecurityAction.Demand, ControlThread = true)] public void DoSomething() { } public void DoDemand() { // REMOVE the line below; it will always succeed. new SecurityPermission(SecurityPermissionFlag.ControlThread).Demand(); }
如果要求 PrincipalPermission,请参阅 PrincipalPermissionAttribute 已过时,报告为错误指南。 本指南适用于 PrincipalPermission 和 PrincipalPermissionAttribute。
如果确实必须禁用这些警告(不建议这样做),则可以在代码中取消
SYSLIB0003
警告。#pragma warning disable SYSLIB0003 // disable the warning [SecurityPermission(SecurityAction.Demand, ControlThread = true)] #pragma warning restore SYSLIB0003 // re-enable the warning public void DoSomething() { } public void DoDemand() { #pragma warning disable SYSLIB0003 // disable the warning new SecurityPermission(SecurityPermissionFlag.ControlThread).Demand(); #pragma warning restore SYSLIB0003 // re-enable the warning }
另外,还可以在项目文件中取消该警告。 这样做会对项目中所有源文件禁用该警告。
<Project Sdk="Microsoft.NET.Sdk"> <PropertyGroup> <TargetFramework>net5.0</TargetFramework> <!-- NoWarn below suppresses SYSLIB0003 project-wide --> <NoWarn>$(NoWarn);SYSLIB0003</NoWarn> </PropertyGroup> </Project>
注意
取消
SYSLIB0003
仅禁用与 CAS 相关的过时警告。 不会禁用任何其他警告,也不会更改 .NET 5+ 运行时的行为。安全性
受影响的 API
- System.AppDomain.PermissionSet
- System.Configuration.ConfigurationPermission
- System.Configuration.ConfigurationPermissionAttribute
- System.Data.Common.DBDataPermission
- System.Data.Common.DBDataPermissionAttribute
- System.Data.Odbc.OdbcPermission
- System.Data.Odbc.OdbcPermissionAttribute
- System.Data.OleDb.OleDbPermission
- System.Data.OleDb.OleDbPermissionAttribute
- System.Data.OracleClient.OraclePermission
- System.Data.OracleClient.OraclePermissionAttribute
- System.Data.SqlClient.SqlClientPermission
- System.Data.SqlClient.SqlClientPermissionAttribute
- System.Diagnostics.EventLogPermission
- System.Diagnostics.EventLogPermissionAttribute
- System.Diagnostics.PerformanceCounterPermission
- System.Diagnostics.PerformanceCounterPermissionAttribute
- System.DirectoryServices.DirectoryServicesPermission
- System.DirectoryServices.DirectoryServicesPermissionAttribute
- System.Drawing.Printing.PrintingPermission
- System.Drawing.Printing.PrintingPermissionAttribute
- System.Net.DnsPermission
- System.Net.DnsPermissionAttribute
- System.Net.Mail.SmtpPermission
- System.Net.Mail.SmtpPermissionAttribute
- System.Net.NetworkInformation.NetworkInformationPermission
- System.Net.NetworkInformation.NetworkInformationPermissionAttribute
- System.Net.PeerToPeer.Collaboration.PeerCollaborationPermission
- System.Net.PeerToPeer.Collaboration.PeerCollaborationPermissionAttribute
- System.Net.PeerToPeer.PnrpPermission
- System.Net.PeerToPeer.PnrpPermissionAttribute
- System.Net.SocketPermission
- System.Net.SocketPermissionAttribute
- System.Net.WebPermission
- System.Net.WebPermissionAttribute
- System.Runtime.InteropServices.AllowReversePInvokeCallsAttribute
- System.Security.CodeAccessPermission
- System.Security.HostProtectionException
- System.Security.IPermission
- System.Security.IStackWalk
- System.Security.NamedPermissionSet
- System.Security.PermissionSet
- System.Security.Permissions.CodeAccessSecurityAttribute
- System.Security.Permissions.DataProtectionPermission
- System.Security.Permissions.DataProtectionPermissionAttribute
- System.Security.Permissions.DataProtectionPermissionFlags
- System.Security.Permissions.EnvironmentPermission
- System.Security.Permissions.EnvironmentPermissionAccess
- System.Security.Permissions.EnvironmentPermissionAttribute
- System.Security.Permissions.FileDialogPermission
- System.Security.Permissions.FileDialogPermissionAccess
- System.Security.Permissions.FileDialogPermissionAttribute
- System.Security.Permissions.FileIOPermission
- System.Security.Permissions.FileIOPermissionAccess
- System.Security.Permissions.FileIOPermissionAttribute
- System.Security.Permissions.GacIdentityPermission
- System.Security.Permissions.GacIdentityPermissionAttribute
- System.Security.Permissions.HostProtectionAttribute
- System.Security.Permissions.HostProtectionResource
- System.Security.Permissions.IUnrestrictedPermission
- System.Security.Permissions.IsolatedStorageContainment
- System.Security.Permissions.IsolatedStorageFilePermission
- System.Security.Permissions.IsolatedStorageFilePermissionAttribute
- System.Security.Permissions.IsolatedStoragePermission
- System.Security.Permissions.IsolatedStoragePermissionAttribute
- System.Security.Permissions.KeyContainerPermission
- System.Security.Permissions.KeyContainerPermissionAccessEntry
- System.Security.Permissions.KeyContainerPermissionAccessEntryCollection
- System.Security.Permissions.KeyContainerPermissionAccessEntryEnumerator
- System.Security.Permissions.KeyContainerPermissionAttribute
- System.Security.Permissions.KeyContainerPermissionFlags
- System.Security.Permissions.MediaPermission
- System.Security.Permissions.MediaPermissionAttribute
- System.Security.Permissions.MediaPermissionAudio
- System.Security.Permissions.MediaPermissionImage
- System.Security.Permissions.MediaPermissionVideo
- System.Security.Permissions.PermissionSetAttribute
- System.Security.Permissions.PermissionState
- System.Security.Permissions.PrincipalPermission
- System.Security.Permissions.PrincipalPermissionAttribute
- System.Security.Permissions.PublisherIdentityPermission
- System.Security.Permissions.PublisherIdentityPermissionAttribute
- System.Security.Permissions.ReflectionPermission
- System.Security.Permissions.ReflectionPermissionAttribute
- System.Security.Permissions.ReflectionPermissionFlag
- System.Security.Permissions.RegistryPermission
- System.Security.Permissions.RegistryPermissionAccess
- System.Security.Permissions.RegistryPermissionAttribute
- System.Security.Permissions.ResourcePermissionBase
- System.Security.Permissions.ResourcePermissionBaseEntry
- System.Security.Permissions.SecurityAction
- System.Security.Permissions.SecurityAttribute
- System.Security.Permissions.SecurityPermission
- System.Security.Permissions.SecurityPermissionAttribute
- System.Security.Permissions.SecurityPermissionFlag
- System.Security.Permissions.SiteIdentityPermission
- System.Security.Permissions.SiteIdentityPermissionAttribute
- System.Security.Permissions.StorePermission
- System.Security.Permissions.StorePermissionAttribute
- System.Security.Permissions.StorePermissionFlags
- System.Security.Permissions.StrongNameIdentityPermission
- System.Security.Permissions.StrongNameIdentityPermissionAttribute
- System.Security.Permissions.StrongNamePublicKeyBlob
- System.Security.Permissions.TypeDescriptorPermission
- System.Security.Permissions.TypeDescriptorPermissionAttribute
- System.Security.Permissions.TypeDescriptorPermissionFlags
- System.Security.Permissions.UIPermission
- System.Security.Permissions.UIPermissionAttribute
- System.Security.Permissions.UIPermissionClipboard
- System.Security.Permissions.UIPermissionWindow
- System.Security.Permissions.UrlIdentityPermission
- System.Security.Permissions.UrlIdentityPermissionAttribute
- System.Security.Permissions.WebBrowserPermission
- System.Security.Permissions.WebBrowserPermissionAttribute
- System.Security.Permissions.WebBrowserPermissionLevel
- System.Security.Permissions.ZoneIdentityPermission
- System.Security.Permissions.ZoneIdentityPermissionAttribute
- System.Security.Policy.ApplicationTrust.ApplicationTrust(PermissionSet, IEnumerable<StrongName>)
- System.Security.Policy.ApplicationTrust.FullTrustAssemblies
- System.Security.Policy.FileCodeGroup
- System.Security.Policy.GacInstalled
- System.Security.Policy.IIdentityPermissionFactory
- System.Security.Policy.PolicyLevel.AddNamedPermissionSet(NamedPermissionSet)
- System.Security.Policy.PolicyLevel.ChangeNamedPermissionSet(String, PermissionSet)
- System.Security.Policy.PolicyLevel.GetNamedPermissionSet(String)
- System.Security.Policy.PolicyLevel.RemoveNamedPermissionSet
- System.Security.Policy.PolicyStatement.PermissionSet
- System.Security.Policy.PolicyStatement.PolicyStatement
- System.Security.Policy.Publisher
- System.Security.Policy.Site
- System.Security.Policy.StrongName
- System.Security.Policy.StrongNameMembershipCondition
- System.Security.Policy.Url
- System.Security.Policy.Zone
- System.Security.SecurityManager
- System.ServiceProcess.ServiceControllerPermission
- System.ServiceProcess.ServiceControllerPermissionAttribute
- System.Transactions.DistributedTransactionPermission
- System.Transactions.DistributedTransactionPermissionAttribute
- System.Web.AspNetHostingPermission
- System.Web.AspNetHostingPermissionAttribute
- System.Xaml.Permissions.XamlLoadPermission
反馈
https://aka.ms/ContentUserFeedback。
即将发布:在整个 2024 年,我们将逐步淘汰作为内容反馈机制的“GitHub 问题”,并将其取代为新的反馈系统。 有关详细信息,请参阅:提交和查看相关反馈