The existence of AsReference option in Protobuf-net and the word that BinaryFormatter is a "graph serializer" lead me to assume that BinaryFormatter does not maintain references and that it makes a copy of every object.
But I did some tests and found out that all references in a single BinaryFormatter Serialize() or Deserialize() call are maintained even for recursive referencing.
Can I confirm that BinaryFormatter does indeed maintain references? How is this different from Protobuf-net? Seems like I understand "graph serialization" incorrectly? What else should I look out for?
Thanks in advance.
BinaryFormatter violates 2.), which is a huge security risk because it makes it possible to run any code.
Stop using BinaryFormatter in your code. Instead, consider using JsonSerializer or XmlSerializer.
The class BinaryFormatter in C# performs the actions of “serialization” and “deserialization” of binary data. It takes simple data structures such as integers (int), decimal numbers (float), and collections of letters and numbers (string) and can convert them into a binary format.
The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure.
tl;dr; version - BinaryFormatter always preserves references.
The fact that BinaryFormatter is a "graph serializer" is synonymous with "it preserves references", since that is required to accurately reproduce a graph. The alternative is a tree serializer (which is most of them; XmlSerializer, DataContractSerializer (without a particular option enabled), JavascriptSerializer and protobuf-net without AsReference are all tree-based). Tree serializers do not generally preserve references (unless they work some tricks, i.e. what DataContractSerializer does if you enable full-graph mode, or protobuf-net does with AsReference). Tree serializers (without voodoo enabled) tend to explode in a mess with a recursive model, which makes them easy to spot.
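The tree versus graph behaviour described in the answer above can be observed without BinaryFormatter. This is an added example, not code from the question or the answers; it assumes the "full-graph mode" of DataContractSerializer is its PreserveObjectReferences setting, and Node and GraphVsTreeDemo are hypothetical names.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;

[DataContract]
public class Node
{
    [DataMember] public string Name;
    [DataMember] public Node Left;
    [DataMember] public Node Right;
}

public static class GraphVsTreeDemo
{
    // Serialize and deserialize one object graph in a single write/read pair.
    static Node RoundTrip(Node root, bool preserveReferences)
    {
        var settings = new DataContractSerializerSettings
        {
            PreserveObjectReferences = preserveReferences // false = tree, true = graph
        };
        var serializer = new DataContractSerializer(typeof(Node), settings);
        using (var ms = new MemoryStream())
        {
            serializer.WriteObject(ms, root);
            ms.Position = 0;
            return (Node)serializer.ReadObject(ms);
        }
    }

    public static void Main()
    {
        // Constructed sample: one child object referenced from two fields.
        var shared = new Node { Name = "shared" };
        var root = new Node { Name = "root", Left = shared, Right = shared };

        // Identity of the two children after a tree-mode and a graph-mode round trip.
        var tree = RoundTrip(root, false);
        Console.WriteLine("tree shares child:  " + ReferenceEquals(tree.Left, tree.Right));
        var graph = RoundTrip(root, true);
        Console.WriteLine("graph shares child: " + ReferenceEquals(graph.Left, graph.Right));

        // Constructed cycle: root -> shared -> root.
        shared.Left = root;
        var cyclic = RoundTrip(root, true);
        Console.WriteLine("graph keeps cycle:  " + ReferenceEquals(cyclic.Left.Left, cyclic));
        try { RoundTrip(root, false); }
        catch (SerializationException e) { Console.WriteLine("tree on cycle: " + e.GetType().Name); }
    }
}
```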