July 25, 2020 - There's bugs in them releases

Last Week in .NET - Week Ending 25 July 2020

More on CVE-2020-1147

Do you deserialize XML to a DataSet? This is about CVE-2020-1147. 

More details on CVE-2020-1147 -- that Remote Code Execution Vulnerability for .NET Core. Turns out it has to do with deserializing XML into a DataSet. If this is something you do; stop reading and go patch your application to .NET Core to 3.1.6, .NET Core 2.1.20; and .NET 5 Preview 7. Make sure to update the SDK running on your developer machines as well. There's a bit more information than I was able to get last week. 

Special Thanks (again) to @vcsjones on twitter. 

Microsoft talks about Windows 10X

Apparently in Windows 10X, Win32 applications will be virtualized and served "over the cloud". OK. This is both interesting, frightens the hell out of me, and makes me wonder at what point we lose control of our Operating Systems completely. 

.NET 5 Preview 7 has been released

This includes changes to the runtime, SDK, ASP.NET Core, and Entity Framework Core. 

For the Runtime, there's a lingering bug with Regex that you can fix by removing RegexCompiled, you know, what keeps regex's fast. Anyway, if you're running .NET 5 Preview 7 in production, that's something to be aware of. 

For ASP.NET Core, there are cookie and blazor bugs fixed, and there's also a blog post out about Preview 7 that talks about the blazor improvements especially. Blazor is getting a lot of attention from Microsoft, and this is great, especially since there are thousands of applications that are in Web Forms that have no upgrade path at all to .NET 5. How does Blazor help here, you ask? Well, it at least gives political cover to the idea that it's possible, but if you read the documentation around converting an ASP.NET Webforms application to blazor, you'll notice it's currently... incomplete. Incomplete here means that there is currently no migration path for built in Webforms controls. 

Without Microsoft providing some sort of conversion system for WebForms, organizations will be forced to rewrite their WebForms applications anyway; and Microsoft is hoping they'll choose Blazor. 

I may have blown the spoiler; but Blazor is now a part of .NET 5. There's more work to do, but this is a great start. 

There's a lot of fixes in Entity Framework Core 5.0.0 Preview 7., too numerous to list here. If you use EF Core, you may want to pay attention. 

.NET Framework (Not Core, or 5) July 2020 Cumulative Update Preview is released

This preview fixes several bugs uncovered in .NET Framework 4.8 including a memory leak in HttpListener, and a bug in SqlBulkCopy that would cause writes to fail, there are fixes in WCF, WPF, and Windows Forms, and Accessibility Improvements in Windows Forms. 

A 'replacement' for SecureString is being bandied about for .NET 6:

SecureString, the oft-maligned and probably most misused class in .NET, is getting its hair re-done as "ShroudedBuffer" as a part of .NET 6. The name change and API change is to help reiterate that this string isn't a "SecurityFeature", rather it's a signal that if you're trying to log stuff; YOU SHOULDN'T LOG THIS. 

I'm not sold on the name; but naming is hard. My personal list contains candidates such as OpaqueString, or "Dont^%&DFingLogThisString" or "SensitiveBuffer", or ClassifiedBuffer, or ConfidentialString". 

EFCore now supports Many-To-Many relationships

I didn't know it didn't; and I feel bad for everyone that now has to either 1) maintain the workarounds they used to get that support before, or 2) retrofit this approach into their code. You can read more about Many-to-Many support here. No word on when this lands in a release, but it'll either be in .NET 5 Preview 8 or .NET 5 RC 1. 

Bug in .NET Core 3.1 causes SkipLast and TakeLast to return the wrong value:

What happens when you add highly performant code that has bugs? You get fast bugs. If you use SkipLast and TakeLast in .NET Core 3.1, there's a good chance you'll encounter this bug if your source collection you're operating on is a List; which of course is just about everyone. 

.NET Foundation Elections Board happening Now

The .NET Foundation Board elections are happening right now. If you're a member of the .NET Foundation, GO VOTE. If you're not a member, you should be. Go join up, then go vote. 

If you want to hear from the candidates themselves, the .NET Foundation held interviews with board candidates; they're worth your time. 

Stack Overflow elections are over, two new moderators elected

Stack Overflow just wrapped up their moderator elections, and despite a dismal number of moderator candidates, there were two new moderators elected. Please welcome Makyen and Machavity

PFCLotW (Pretty Fricking Cool Library of the Week)

Do you write distributed applications? First off, I'm sorry. Second, have you thought about using Akka.NET? Distributed applications are hard, and without a framework to help you along, you're going to be spending a lot of time working around the fact that your application is, in fact, distributed. This is not a sponsored ad, and I hope to never make another distributed application; but if I did, I'd give Akka.NET a serious look. 

And that's what happened Last Week in .NET. 

I'm George Stocker, and I teach TDD to .NET teams. This isn't your grandfather's TDD, no. It's actually meant to be used in large applications without use of Mocks or stubs, and without the inherent pain ...