Show Notes
Last Week in .NET - Week Ending 25 July 2020
More on CVE-2020-1147
Do you deserialize XML to a DataSet? This is about CVE-2020-1147.
More details on CVE-2020-1147, that Remote Code Execution vulnerability for .NET Core. It turns out it has to do with deserializing XML into a DataSet. If this is something you do, stop reading and go patch your application to .NET Core 3.1.6, .NET Core 2.1.20, or .NET 5 Preview 7. Make sure to update the SDK running on your developer machines as well.
There's a bit more information than I was able to get last week.
Special Thanks (again) to @vcsjones on Twitter.
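To check a host against the patched versions listed above, the following added example (not from the show or from Microsoft) parses the output of `dotnet --list-runtimes` and flags base runtimes older than 3.1.6, 2.1.20, or .NET 5 Preview 7. The sample output and its build suffixes are constructed, and checking only `Microsoft.NETCore.App` is an assumption of this sketch.

```python
import re

# Minimum patched runtime per servicing line, as stated in the notes above.
PATCHED = {(2, 1): 20, (3, 1): 6}
PATCHED_NET5_PREVIEW = 7

# Assumption: only the base runtime (Microsoft.NETCore.App) is checked.
RUNTIME_LINE = re.compile(r"^Microsoft\.NETCore\.App\s+(\d+\.\d+\.\d+(?:-\S+)?)\s+\[")

# Constructed sample of `dotnet --list-runtimes` output (not from a real host).
SAMPLE = """\
Microsoft.AspNetCore.App 3.1.5 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 2.1.20 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.5 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.6 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.0-preview.6.20305.6 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""


def is_patched(version):
    """True/False for a release line named in the notes, None for anything else."""
    core, _, pre = version.partition("-")
    major, minor, patch = (int(part) for part in core.split("."))
    if (major, minor) in PATCHED:
        # A pre-release tag on a servicing line is unexpected, so flag it.
        return not pre and patch >= PATCHED[(major, minor)]
    preview = re.match(r"preview\.(\d+)", pre)
    if (major, minor, patch) == (5, 0, 0) and preview:
        return int(preview.group(1)) >= PATCHED_NET5_PREVIEW
    return None  # release line not covered by the notes


def audit(list_runtimes_output):
    """Return [(version, status)] for every base runtime in the listing."""
    labels = {True: "patched", False: "UPDATE", None: "not covered"}
    findings = []
    for line in list_runtimes_output.splitlines():
        match = RUNTIME_LINE.match(line.strip())
        if match:
            version = match.group(1)
            findings.append((version, labels[is_patched(version)]))
    return findings


if __name__ == "__main__":
    for version, status in audit(SAMPLE):
        print(f"{version:32} {status}")
```

On a real machine, feed it the text printed by `dotnet --list-runtimes` instead of `SAMPLE`.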
Microsoft talks about Windows 10X
Apparently in Windows 10X, Win32 applications will be virtualized and served "over the cloud". OK. This is interesting, frightens the hell out of me, and makes me wonder at what point we lose control of our operating systems completely.
.NET 5 Preview 7 has been released
For the Runtime, there's a lingering bug with Regex that you can fix by removing RegexCompiled, you know, what keeps regexes fast. Anyway, if you're running .NET 5 Preview 7 in production, that's something to be aware of.
For ASP.NET Core, there are cookie and Blazor bugs fixed, and there's also a blog post out about Preview 7 that talks about the Blazor improvements especially. Blazor is getting a lot of attention from Microsoft, and this is great, especially since there are thousands of applications in Web Forms that have no upgrade path at all to .NET 5. How does Blazor help here, you ask? Well, it at least gives political cover to the idea that it's possible, but if you read the documentation around converting an ASP.NET Web Forms application to Blazor, you'll notice it's currently... incomplete. Incomplete here means that there is currently no migration path for built-in Web Forms controls.
Without Microsoft providing some sort of conversion system for Web Forms, organizations will be forced to rewrite their Web Forms applications anyway, and Microsoft is hoping they'll choose Blazor.
.NET Framework (Not Core, or 5) July 2020 Cumulative Update Preview is released
A 'replacement' for SecureString is being bandied about for .NET 6:
SecureString, the oft-maligned and probably most misused class in .NET, is getting its hair re-done as "ShroudedBuffer" as a part of .NET 6. The name change and API change are to help reiterate that this string isn't a "SecurityFeature"; rather, it's a signal that if you're trying to log stuff, YOU SHOULDN'T LOG THIS.
I'm not sold on the name, but naming is hard. My personal list contains candidates such as "OpaqueString", "Dont^%&DFingLogThisString", "SensitiveBuffer", "ClassifiedBuffer", or "ConfidentialString".
EFCore now supports Many-To-Many relationships
I didn't know it didn't, and I feel bad for everyone that now has to either 1) maintain the workarounds they used to get that support before, or 2) retrofit this approach into their code. You can read more about Many-to-Many support here. No word on when this lands in a release, but it'll either be in .NET 5 Preview 8 or .NET 5 RC 1.
Bug in .NET Core 3.1 causes SkipLast and TakeLast to return the wrong value:
.NET Foundation Elections Board happening Now
The .NET Foundation Board elections are happening right now. If you're a member of the .NET Foundation, GO VOTE. If you're not a member, you should be. Go join up, then go vote.
Stack Overflow elections are over, two new moderators elected
PFCLotW (Pretty Fricking Cool Library of the Week)
Do you write distributed applications? First off, I'm sorry. Second, have you thought about using Akka.NET? Distributed applications are hard, and without a framework to help you along, you're going to be spending a lot of time working around the fact that your application is, in fact, distributed. This is not a sponsored ad, and I hope to never make another distributed application; but if I did, I'd give Akka.NET a serious look.
And that's what happened Last Week in .NET.
I'm George Stocker, and I teach TDD to .NET teams. This isn't your grandfather's TDD, no. It's actually meant to be used in large applications without use of mocks or stubs, and without the inherent pain that goes along with mocks and stubs. But you don't care about that. You just want to go home at 5pm and sleep soundly knowing your application won't have any strange middle-of-the-night bugs. If your team wants to go home at 5pm and not need pizza parties for releases, visit www.doubleyourproductivity.io and reach out.