NET MVC 安全补丁到版本3.0.0.1中断构建

在安装了 ASP.NET MVC 3安全更新 KB2990942之后,MVC 版本似乎从 3.0.0.0增加到了 3.0.0.1。这将导致 VisualStudio 不再找到引用。

<Reference Include="System.Web.Mvc, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />

Resharper 没有显示任何问题,但是构建失败了,有很多未解决的 MVC 类型和一个警告:

警告 : 无法解析此引用。无法找到 汇编“ System.Web.Mvc,Version = 3.0.0.0.0,Culture = Central, PublicKeyToken = 31bf3856ad364e35,processorArchitecture = MSIL” 确保该程序集存在于磁盘上。如果需要此引用,请 通过您的代码,您可能会得到编译错误。

这就说得通了,这个版本在我的机器上已经不存在了。

我不能保证确切的 MVC 版本在开发机器上,建立服务器和生产服务器。他们可能有 3.0.0.03.0.0.1,这可能随时改变。WindowsUpdate 可能随时发布新的 MVC 版本。另外,我不想增加所有 * 的版本号。每当发布 MVC 更新时,都会有 csproj 文件。

更新会影响多个版本:

安全公告: MS14-059: ASP.NET MVC 中的漏洞可能允许安全特性旁路(2990942)

处理这种情况的最好方法是什么?我怎样才能不中断建设和生产,并对未来的 MVC 更新是安全的?

47401 次浏览
小开

I fixed this by:

  • Removing the MVC reference and add the correct reference to the project.
  • Changing the Copy Local property of the reference to true.
  • Update the bindingRedirect setting in web.config:

web.config runtime section:

<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.1" />
</dependentAssembly>
...

Changing the Copy Local setting will include the System.Web.MVC.dll file in the bin folder when you publish the project, so that it works even if the server is not updated with the new version.

Note that updates like this rarely happens. This is the first time that MVC 3 has been patched since it was released. You should be able to change Copy Local back to false once the servers has been updated. The next time Microsoft makes an update like this, they will probably know to fix issues like this first.

小开

Your production system should be fine as the hotfix delivers a config file (System.Web.Mvc.dll.config) into the following folder:

%SystemRoot%\assembly\GAC_MSIL\policy.3.0.System.Web.Mvc\3.0.0.1__31bf3856ad364e35

The config file contains an assembly redirect to the new version, this will override anything you have in your web.config:

<?xml version="1.0"?>
<!-- http://msdn.microsoft.com/en-us/library/7wd6ex19.aspx#BKMK_Redirectingassemblyversionsbyusingpublisherpolicy -->
<configuration>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" culture="neutral" />
<bindingRedirect oldVersion="3.0.0.0-3.0.0.1" newVersion="3.0.0.1"/>
</dependentAssembly>
</assemblyBinding>
</runtime>
</configuration>

Follow the advice by @Guffa for your build system, or use nuget to update. I believe the solution which works depends on how you deliver the MVC binaries to your system (either bin deploy or GAC).

小开

I installed Microsoft.AspNet.Mvc package in my project using Nuget.

Install-Package Microsoft.AspNet.Mvc -Version <version> -Project PROJECTNAME


MVC 4 version: 4.0.40804.0


MVC 3 version: 3.0.50813.1

This fixed the problem. Details here: http://blogs.msdn.com/b/webdev/archive/2014/10/16/microsoft-asp-net-mvc-security-update-broke-my-build.aspx

小开

What worked in my case was to change the Reference element in project file so Version=3.0.0.0 is now Version=3.0.0.1. I also updated the System.Web.Mvc.dll file sitting in _bin_deployableAssemblies folder to the new version and added a HintPath element in the Reference element pointing to said dll so it's picked up even when in GAC we still have version 3.0.0.0.

The tricky part is to not forget to update reference in all projects referencing System.Web.Mvc (e.g. including test project).


提交答案