ASP.NET MVC的安全补丁版本3.0.0.1符建 [英] ASP.NET MVC security patch to version 3.0.0.1 breaks build
问题描述
在安装ASP.NET MVC 3安全更新 KB2990942 出现了MVC的版本从增加3.0.0.0 到 3.0.0.1 。这将导致Visual Studio中再也找不到参考。
<参考包括=System.Web.Mvc,版本= 3.0.0.0,文化=中性公钥= 31bf3856ad364e35,的ProcessorArchitecture = MSIL/>
ReSharper的没有表现出任何问题,但构建失败,有很多未解决的MVC类型的一个警告:
警告:无法解析此引用。无法找到 集结号System.Web.Mvc,版本= 3.0.0.0,文化=中立, 公钥= 31bf3856ad364e35,的ProcessorArchitecture = MSIL。检查 确保组件存在于磁盘上。如果此引用是必需的 通过您的code,你可能会得到编译错误。
这种有道理的。此版本不再我的机器上存在。
我不能保证确切的MVC版本的开发机,构建服务器和生产服务器。他们可能有 3.0.0.0 或 3.0.0.1 ,这可能会改变在任何时间。 Windows更新可能会发布新版本的MVC在任何时间。另外,我不希望每当一个MVC更新发布,以增加在所有的* .csproj的文件的版本号。
多个版本都受更新:
- KB 2993939:安全更新微软ASP.NET MVC 2
- KB 2993937:安全更新微软ASP.NET MVC 3
- KB 2993928:安全更新微软ASP.NET MVC 4.0
- KB 2992080:安全更新微软ASP.NET MVC 5.0
该安全公告: MS14-059:漏洞在ASP.NET MVC中可能允许安全功能旁路(2990942)
什么是处理这种情况的最好方法是什么?我怎样才能别让建设和生产安全有关未来MVC更新?
我通过固定这个
- 删除MVC参考,并添加正确的参考项目。
- 更改参考的
复制本地属性真。 - 更新
bindingRedirect在web.config中设置:
web.config中运行部分:
<运行>
< assemblyBinding的xmlns =瓮:架构 - 微软COM:asm.v1>
< dependentAssembly>
< assemblyIdentity名=System.Web.Mvc公钥=31bf3856ad364e35/>
< bindingRedirect oldVersion =1.0.0.0-3.0.0.0NEWVERSION =3.0.0.1/>
< / dependentAssembly>
...
更改复制本地设置将包括在<$ c中的 System.Web.Mvc.dll程序文件$ C>斌当您发布的项目,所以它的工作原理,即使在服务器未更新与新版本的文件夹。
请注意,像这样的更新情况很少发生。这是第一次发现的MVC 3已修补因为它被释放。你应该能够改变复制本地返回假一旦服务器已经更新。下一次微软让这样的更新,他们可能会知道解决问题,这样的第一。
After installing the ASP.NET MVC 3 security update KB2990942 it appears the MVC version increased from 3.0.0.0 to 3.0.0.1. This causes Visual Studio to no longer find the reference.
<Reference Include="System.Web.Mvc, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />
Resharper does not show any problems but the build fails with lots of unresolved MVC types and a warning:
Warning: Could not resolve this reference. Could not locate the assembly "System.Web.Mvc, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL". Check to make sure the assembly exists on disk. If this reference is required by your code, you may get compilation errors.
This kind of makes sense. This version no longer exists on my machine.
I cannot guarantee the exact MVC version on dev machines, build servers and production servers. They might have 3.0.0.0 or 3.0.0.1 and this might change at any time. Windows Update might release new MVC versions at any time. Also, I don't want to increase the version number in all *.csproj files whenever an MVC update is released.
Multiple versions are affected by the update:
- KB 2993939: Security Update for Microsoft ASP.NET MVC 2
- KB 2993937: Security Update for Microsoft ASP.NET MVC 3
- KB 2993928: Security Update for Microsoft ASP.NET MVC 4.0
- KB 2992080: Security Update for Microsoft ASP.NET MVC 5.0
The security bulletin: MS14-059: Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass (2990942)
What's the best way to deal with this situation? How can I unbreak build and production and be safe regarding future MVC updates?
I fixed this by:
- Removing the MVC reference and add the correct reference to the project.
- Changing the
Copy Localproperty of the reference totrue. - Update the
bindingRedirectsetting inweb.config:
web.config runtime section:
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.1" />
</dependentAssembly>
...
Changing the Copy Local setting will include the System.Web.MVC.dll file in the bin folder when you publish the project, so that it works even if the server is not updated with the new version.
Note that updates like this rarely happens. This is the first time that MVC 3 has been patched since it was released. You should be able to change Copy Local back to false once the servers has been updated. The next time Microsoft makes an update like this, they will probably know to fix issues like this first.
这篇关于ASP.NET MVC的安全补丁版本3.0.0.1符建的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
