0

In a C# .Net application, is BinaryFormatter used to deserialize resource image data embedded in the application via .resx files and Resource Explorer?

I've been handed a .Net application and the task of eliminating the use of BinaryFormatter due to the security concerns inherent to BinaryFormatter. The original author used Visual Studio Resource Explorer to create .resx files and to embed bitmap image data (images for the GUI, etc..) into a library (dll), and that dll gets linked into the final application, a stand alone exe.

Inside the .resx file, the images are embedded like this:

  <data name="MyImage" type="System.Resources.ResXFileRef, System.Windows.Forms">
    <value>..\images\MyImage.png;System.Drawing.Bitmap, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=1234567890ABCEF0</value>
  </data>

Inside the auto-generated ResourcesDesigner.cs file, the images are extracted like this:

public static System.Drawing.Bitmap Captured {
    get {
        object obj = ResourceManager.GetObject("MyImage", resourceCulture);
        return ((System.Drawing.Bitmap)(obj));
    }
}

Looking at the compiler output, this .resx file gets converted to a .resources file by CoreResGen, then that .resources file is embedded in the dll, which must be embedded in the exe because the exe is all by itself. My understanding is BinaryFormatter is not used when extracting this embedded resources data from the exe at runtime. Can anyone confirm that this is correct or not?

Improve this question
8
  • 2
    Can anyone confirm that this is correct or not?: Yes. You can. View the source code to find the information you're interested in. Reference Source and dotnet source code. Commented Feb 11 at 4:24
  • If you are talking about a WinForms application, see learn.microsoft.com/en-us/dotnet/standard/serialization/… Commented Feb 11 at 9:13
  • If a type has a TypeConverter that is able to convert the corresponding type to string or byte[], then ResourceManager (well, in fact ResXDataNode under the hood) uses the type converter rather than a formatter. For Bitmap instances the parent Image class specifies the ImageConverter class that can convert to and from byte[]. Commented Feb 11 at 13:15
  • It looks like @MatthewWatson's comment is the answer your are looking for. He should consider writing it up as an answer (fleshed out a bit, so it's not just a link only answer Commented Feb 11 at 22:47
  • Thanks all for the comments. From what I can tell, in .Net 8+, BinaryFormatter is not used when extracting resources that are embedded in the binary. But with .Net Framework 4.8.1, BinaryFormatter may still be used. I have to build for both .Net 8 and .Net Framework 4.8.1, so I'm now trying to figure out how to detect when BinaryFormatter is used, and if it's possible to throw an exception if/when it's used in the .Net Framework build. Or better yet, how to exclude it entirely. Commented Feb 13 at 22:15

1 Answer 1

Reset to default
0

After much research, this is my understanding.

In the case of .Net 9, BinaryFormatter is completely removed by default. Trying to use it will cause an error.

In the case of .Net 8 and .Net Framework 4.8.1: the compiler uses the info in the .resx file to create a binary .resources file. Those binary .resources files are embedded in the executable at compile time. When using the attribute System.Resources.ResXFileRef for the image files in the .resx files, a TypeConverter is used to create the binary .resources file. And since the image data embedded in the executable is already in binary format, BinaryFormatter is not used to extract it at runtime.

In summary, in my case above BinaryFormatter is not used for .Net Framework or .Net 8+. (I'm compiling the same code for both, to meet customer demands)

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.