I am using BinaryFormatter to serialize an array of class instances to a file. I can deserialize this fine within the same application. When I try the same deserialization in a different application (that pulls in a common file that does the work), I get the following error:
{"Could not load file or assembly 'pmlscan, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. The module was expected to contain an assembly manifest."}
where pmlscan is the name of the original application. How do I get BinaryFormatter to not try and load pmlscan?
Recommended action. Stop using BinaryFormatter in your code. Instead, consider using JsonSerializer or XmlSerializer.
To make binary serialization safe two things are required: 1.) the currently loaded types cannot be exploited for attacks, and 2.) it should not be allowed to load assemblies during the deserialization. BinaryFormatter violates 2.), which is a huge security risk because it makes it possible to run any code.
Serialization is the process of converting an object into a stream of bytes to store the object or transmit it to memory, a database, or a file. Its main purpose is to save the state of an object in order to be able to recreate it when needed. The reverse process is called deserialization.
The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure.
You can achieve it by using a custom SerializationBinder. See here: Advanced Binary Serialization: Deserializing an Object Into a Different Type Than the One It was Serialized Into
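The following is an added example, not code from the question or from any of the answers, showing the custom SerializationBinder approach from the last answer in a way that also satisfies the second requirement from the earlier answer (no assembly loads during deserialization). The binder resolves every type name recorded in the stream against an explicit allowlist of types already loaded in the current process and ignores the recorded assembly name ("pmlscan, Version=1.0.0.0, ..."), so the mismatch from the question disappears and no foreign assembly is ever requested. The `ScanRecord` and `OtherRecord` classes, `AllowListBinder`, and the sample values are hypothetical stand-ins for the asker's shared types.

```csharp
// Added example (not from the question or any answer): a SerializationBinder that
// maps type names in a BinaryFormatter stream to an allowlist of local types and
// fails closed on anything else. ScanRecord/OtherRecord are hypothetical.
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete on .NET 5+; used here only to show the binder

[Serializable]
public class ScanRecord
{
    public string Host;
    public int Port;
}

[Serializable]
public class OtherRecord
{
    public string Note;
}

public sealed class AllowListBinder : SerializationBinder
{
    private readonly Dictionary<string, Type> _allowed =
        new Dictionary<string, Type>(StringComparer.Ordinal);

    public AllowListBinder(params Type[] allowedTypes)
    {
        foreach (var t in allowedTypes)
            _allowed[t.FullName] = t;
    }

    // Called for every type in the object graph. The assemblyName argument
    // (e.g. "pmlscan, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null") is
    // ignored on purpose: nothing here asks the runtime to load an assembly.
    public override Type BindToType(string assemblyName, string typeName)
    {
        bool isArray = typeName.EndsWith("[]", StringComparison.Ordinal);
        string elementName = isArray ? typeName.Substring(0, typeName.Length - 2) : typeName;

        if (_allowed.TryGetValue(elementName, out var type))
            return isArray ? type.MakeArrayType() : type;

        // Returning null would hand resolution back to BinaryFormatter, which is
        // exactly the assembly load being prevented. Fail closed instead.
        throw new SerializationException(
            $"Type '{typeName}' (assembly '{assemblyName}') is not on the allowlist.");
    }
}

public static class Program
{
    static byte[] Serialize(object graph)
    {
        var ms = new MemoryStream();
        new BinaryFormatter().Serialize(ms, graph);
        return ms.ToArray();
    }

    static object Deserialize(byte[] data, SerializationBinder binder)
    {
        var formatter = new BinaryFormatter { Binder = binder };
        return formatter.Deserialize(new MemoryStream(data));
    }

    public static void Main()
    {
        var binder = new AllowListBinder(typeof(ScanRecord));

        // Expected payload: an array of the shared class round-trips through the binder.
        var payload = Serialize(new[] { new ScanRecord { Host = "10.0.0.5", Port = 443 } });
        var records = (ScanRecord[])Deserialize(payload, binder);
        Console.WriteLine($"{records.Length} record(s), first = {records[0].Host}:{records[0].Port}");

        // Unexpected payload: a type that is not on the allowlist is rejected
        // before any instance of it is created.
        var unexpected = Serialize(new OtherRecord { Note = "not permitted" });
        try
        {
            Deserialize(unexpected, binder);
        }
        catch (SerializationException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

The allowlist has to cover every type that legitimately appears in the payload, including nested member types, because BindToType is consulted for each of them. Returning null from BindToType is the common mistake: it lets BinaryFormatter fall back to its own type lookup by assembly name, which is the behaviour the question is hitting and the behaviour that makes BinaryFormatter unsafe in the first place. The binder narrows the problem but does not make BinaryFormatter safe; the recommendation to move to JsonSerializer or XmlSerializer stands.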