sillsdev/chorus

BinaryFormatter introduces security vulnerabilities and is disabled in dotnet 8

hahn-kev opened this issue · 0 comments

dotnet 8 disables BinaryFormatter for good reason: it's very insecure.

HgResumeTransport is using it here and a couple lines down in ReadServerRevisionCache. From what I can tell it's just being used to persist a fairly simple data structure to the file system; there are even some notes about fixing it. That time has come.

What's this file used for and can we just change the format and delete the old version? Or must we migrate the data?

Also, we can't just kick this down the road anymore. dotnet 9 will remove the API altogether.
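One possible shape for the replacement, as an added example that is not code from the Chorus repository: the cache is persisted as JSON into a closed DTO type, so file contents cannot select which .NET types get instantiated the way a BinaryFormatter stream can. `CachedRevision`, its properties and `RevisionCacheFile` are hypothetical names, and treating an old-format file as an empty cache assumes the data can be rebuilt, which the issue leaves open.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.Json;

// Hypothetical stand-in for the cached entries; the real Chorus type may differ.
public sealed class CachedRevision
{
    public string RemoteId { get; set; } = "";
    public string RepoId { get; set; } = "";
    public string Hash { get; set; } = "";
    public string Branch { get; set; } = "";
}

public static class RevisionCacheFile
{
    public static void Write(string path, List<CachedRevision> entries) =>
        File.WriteAllBytes(path, JsonSerializer.SerializeToUtf8Bytes(entries));

    public static List<CachedRevision> Read(string path)
    {
        if (!File.Exists(path))
            return new List<CachedRevision>();
        try
        {
            // Only List<CachedRevision> can come out of this call; no type names are read from the file.
            return JsonSerializer.Deserialize<List<CachedRevision>>(File.ReadAllBytes(path))
                   ?? new List<CachedRevision>();
        }
        catch (JsonException)
        {
            // A legacy BinaryFormatter file (or a corrupt one) is not valid JSON:
            // treat it as a cache miss instead of deserializing it. Assumes the cache is rebuildable.
            return new List<CachedRevision>();
        }
    }

    public static void Main()
    {
        var path = Path.Combine(Path.GetTempPath(), "revisioncache-example.json");
        // Constructed bytes standing in for an old binary cache file.
        File.WriteAllBytes(path, new byte[] { 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF });
        Console.WriteLine(Read(path).Count); // old-format file is ignored
        Write(path, new List<CachedRevision> { new CachedRevision { Hash = "constructed", Branch = "default" } });
        Console.WriteLine(Read(path)[0].Branch); // round trip through JSON
        File.Delete(path);
    }
}
```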