admin管理员组

文章数量:1302267

In a C# .Net application, is BinaryFormatter used to deserialize resource image data embedded in the application via .resx files and Resource Explorer?

I've been handed a .Net application and the task of eliminating the use of BinaryFormatter due to the security concerns inherent to BinaryFormatter. The original author used Visual Studio Resource Explorer to create .resx files and to embed bitmap image data (images for the GUI, etc..) into a library (dll), and that dll gets linked into the final application, a stand alone exe.

Inside the .resx file, the images are embedded like this:

  <data name="MyImage" type="System.Resources.ResXFileRef, System.Windows.Forms">
    <value>..\images\MyImage.png;System.Drawing.Bitmap, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=1234567890ABCEF0</value>
  </data>

Inside the auto-generated ResourcesDesigner.cs file, the images are extracted like this:

public static System.Drawing.Bitmap Captured {
    get {
        object obj = ResourceManager.GetObject("MyImage", resourceCulture);
        return ((System.Drawing.Bitmap)(obj));
    }
}

Looking at the compiler output, this .resx file gets converted to a .resources file by CoreResGen, then that .resources file is embedded in the dll, which must be embedded in the exe because the exe is all by itself. My understanding is BinaryFormatter is not used when extracting this embedded resources data from the exe at runtime. Can anyone confirm that this is correct or not?

In a C# .Net application, is BinaryFormatter used to deserialize resource image data embedded in the application via .resx files and Resource Explorer?

I've been handed a .Net application and the task of eliminating the use of BinaryFormatter due to the security concerns inherent to BinaryFormatter. The original author used Visual Studio Resource Explorer to create .resx files and to embed bitmap image data (images for the GUI, etc..) into a library (dll), and that dll gets linked into the final application, a stand alone exe.

Inside the .resx file, the images are embedded like this:

  <data name="MyImage" type="System.Resources.ResXFileRef, System.Windows.Forms">
    <value>..\images\MyImage.png;System.Drawing.Bitmap, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=1234567890ABCEF0</value>
  </data>

Inside the auto-generated ResourcesDesigner.cs file, the images are extracted like this:

public static System.Drawing.Bitmap Captured {
    get {
        object obj = ResourceManager.GetObject("MyImage", resourceCulture);
        return ((System.Drawing.Bitmap)(obj));
    }
}

Looking at the compiler output, this .resx file gets converted to a .resources file by CoreResGen, then that .resources file is embedded in the dll, which must be embedded in the exe because the exe is all by itself. My understanding is BinaryFormatter is not used when extracting this embedded resources data from the exe at runtime. Can anyone confirm that this is correct or not?

  • c#
  • resources
  • deserialization
  • binaryformatter
Share asked Feb 11 at 0:34 MattMatt 4477 silver badges16 bronze badges 8
  • 2 Can anyone confirm that this is correct or not?: Yes. You can. View the source code to find the information you're interested in. Reference Source and dotnet source code. – It all makes cents Commented Feb 11 at 4:24
  • If you are talking about a WinForms application, see learn.microsoft/en-us/dotnet/standard/serialization/… – Matthew Watson Commented Feb 11 at 9:13
  • If a type has a TypeConverter that is able to convert the corresponding type to string or byte[], then ResourceManager (well, in fact ResXDataNode under the hood) uses the type converter rather than a formatter. For Bitmap instances the parent Image class specifies the ImageConverter class that can convert to and from byte[]. – György Kőszeg Commented Feb 11 at 13:15
  • It looks like @MatthewWatson's comment is the answer your are looking for. He should consider writing it up as an answer (fleshed out a bit, so it's not just a link only answer – Flydog57 Commented Feb 11 at 22:47
  • Thanks all for the comments. From what I can tell, in .Net 8+, BinaryFormatter is not used when extracting resources that are embedded in the binary. But with .Net Framework 4.8.1, BinaryFormatter may still be used. I have to build for both .Net 8 and .Net Framework 4.8.1, so I'm now trying to figure out how to detect when BinaryFormatter is used, and if it's possible to throw an exception if/when it's used in the .Net Framework build. Or better yet, how to exclude it entirely. – Matt Commented Feb 13 at 22:15
 |  Show 3 more comments

1 Answer 1

Reset to default 0

After much research, this is my understanding.

In the case of .Net 9, BinaryFormatter is completely removed by default. Trying to use it will cause an error.

In the case of .Net 8 and .Net Framework 4.8.1: the compiler uses the info in the .resx file to create a binary .resources file. Those binary .resources files are embedded in the executable at compile time. When using the attribute System.Resources.ResXFileRef for the image files in the .resx files, a TypeConverter is used to create the binary .resources file. And since the image data embedded in the executable is already in binary format, BinaryFormatter is not used to extract it at runtime.

In summary, in my case above BinaryFormatter is not used for .Net Framework or .Net 8+. (I'm compiling the same code for both, to meet customer demands)

本文标签: cIs BinaryFormatter used to deserialize images embedded in an application via resx filesStack Overflow

版权声明:本文标题:c# - Is BinaryFormatter used to deserialize images embedded in an application via. .resx files? - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1741683993a2392335.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。