changed default behavior to deny types during deserialization

michaelschwarz · Nov 22, 2021 · 3cdf0d3 · 3cdf0d3
1 parent a8a991b
commit 3cdf0d3
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 7 deletions.
diff --git a/AjaxPro/AssemblyInfo.cs b/AjaxPro/AssemblyInfo.cs
@@ -24,7 +24,7 @@
  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  */
 /* Developers of Ajax.NET Professional (AjaxPro)
- * MS	Michael Schwarz		[email protected]
+ * MS	Michael Schwarz
  * TB	Tim Byng			
  * MR	Matthew Raymer
  * 
@@ -40,6 +40,8 @@
  * MS	06-06-11	added ReflectionPermission attribute
  * MS	06-07-19	removed ReflectionPermission attribute (why did we add it?)
  * MS	21-10-30	added contentSecurityPolicy to specify a nonce for all scripts
+ * MS	21-11-22	changed default behavior of passing types during deserialization to deny
+ * 
  * 
  */
 using System;
@@ -91,7 +93,7 @@
 // You can specify all the values or you can default the Revision and Build Numbers 
 // by using the '*' as shown below:
 
-[assembly:				AssemblyVersion("21.10.30.1")]		// do not remove the blanks!!!!
+[assembly:				AssemblyVersion("21.11.22.1")]		// do not remove the blanks!!!!
 
 //
 // In order to sign your assembly you must specify a key to use. Refer to the 

diff --git a/AjaxPro/Configuration/AjaxSettingsSectionHandler.cs b/AjaxPro/Configuration/AjaxSettingsSectionHandler.cs
@@ -167,7 +167,7 @@ public object Create(object parent, object configContext, System.Xml.XmlNode sec
 				}
 				else if (n.Name == "jsonDeserializationCustomTypes")
 				{
-					settings.IsJsonDeserializationCustomTypesDenied = n.Attributes["default"] == null || n.Attributes["default"].InnerText.ToLower() != "allow";
+					settings.IsCustomTypesDeserializationDisabled = n.Attributes["default"] == null || n.Attributes["default"].InnerText.ToLower() != "allow";
 
 					foreach (XmlNode sn in n.ChildNodes)
 					{

diff --git a/AjaxPro/JSON/JavaScriptDeserializer.cs b/AjaxPro/JSON/JavaScriptDeserializer.cs
@@ -37,6 +37,7 @@
  * MS	06-07-11	added generic method for DeserializeFromJson
  * MS	06-09-26	improved performance removing three-times cast
  * MS	21-10-27	added allowed customized types for JSON deserialization
+ * MS	21-11-22	changed error message when type is not allowed
  * 
  * 
  */
@@ -146,7 +147,7 @@ public static object Deserialize(IJavaScriptObject o, Type type)
 				{
 					type = t;
 
-					if (AjaxPro.Utility.Settings.IsJsonDeserializationCustomTypesDenied)
+					if (AjaxPro.Utility.Settings.IsCustomTypesDeserializationDisabled)
 					{
 						bool isCustomTypeAllowed = false;
 
@@ -158,13 +159,13 @@ public static object Deserialize(IJavaScriptObject o, Type type)
 							}
 
 						if (!isCustomTypeAllowed)
-							throw new System.Security.SecurityException("This cusomized type is not allowed as argument for this method.");
+							throw new System.Security.SecurityException("This type is not allowed as argument for this method.");
 					}
 					else
 					{
 						foreach (var s in AjaxPro.Utility.Settings.JsonDeserializationCustomTypesDenied)
 							if ((s.EndsWith("*") && type.FullName.StartsWith(s.Substring(0, s.Length -1), StringComparison.InvariantCultureIgnoreCase)) || s == type.FullName)
-								throw new System.Security.SecurityException("This cusomized type is not allowed as argument for this method.");
+								throw new System.Security.SecurityException("This type is not allowed as argument for this method.");
 					}
 				}
 			}

diff --git a/AjaxPro/Utilities/AjaxSettings.cs b/AjaxPro/Utilities/AjaxSettings.cs
@@ -36,6 +36,7 @@
  *					fixed Ajax token
  * MS	21-10-27	added allowed customized types for JSON deserialization
  * MS	21-10-30	added contentSecurityPolicy to specify a nonce for all scripts
+ * MS	21-11-22	changed to set the default behavior to not allow custom types
  * 
  * 
  */
@@ -133,6 +134,9 @@ internal AjaxSettings()
 
 			JsonDeserializationCustomTypesAllowed = new List<string>();
 			JsonDeserializationCustomTypesDenied = new List<string>();
+
+			// disable all custom types by default, either add allow list (or not recommended change default to 'allow')
+			IsCustomTypesDeserializationDisabled = true;
 		}
 
 		#region Public Properties
@@ -250,7 +254,7 @@ internal System.Collections.Specialized.StringDictionary ScriptReplacements
 			set{ m_ScriptReplacements = value; }
 		}
 
-		public bool IsJsonDeserializationCustomTypesDenied { get; set; }
+		public bool IsCustomTypesDeserializationDisabled { get; set; }
 
 		public List<string> JsonDeserializationCustomTypesAllowed { get; set; }
 		public List<string> JsonDeserializationCustomTypesDenied { get; set; }