Use JsonSerializer instead of insecure BinaryFormatter in TransferDat…

…aSource.
mono · Feb 16, 2023 · 327e01e · 327e01e
1 parent 7b48e86
commit 327e01e
Show file tree

Hide file tree

Showing 7 changed files with 18 additions and 22 deletions.
diff --git a/Xwt.Gtk/Xwt.GtkBackend/Util.cs b/Xwt.Gtk/Xwt.GtkBackend/Util.cs
@@ -79,7 +79,7 @@ public static void SetSelectionData (Gtk.SelectionData data, string atomType, ob
 				data.SetUris(new string[] { ((Uri)val).AbsolutePath });
 			else {
 				var at = Gdk.Atom.Intern (atomType, false);
-				data.Set (at, 0, TransferDataSource.SerializeValue (val));
+				data.Set (at, 0, TransferDataSource.SerializeValue (val, val.GetType()));
 			}
 		}
 

diff --git a/Xwt.WPF/Xwt.WPFBackend/DataConverter.cs b/Xwt.WPF/Xwt.WPFBackend/DataConverter.cs
@@ -373,7 +373,7 @@ public static DataObject ToDataObject (this TransferDataSource data)
 					uris.Add (((Uri)value).LocalPath);
 					retval.SetFileDropList (uris);
 				} else
-					retval.SetData (type.Id, TransferDataSource.SerializeValue (value));
+					retval.SetData (type.Id, TransferDataSource.SerializeValue (value, value.GetType()));
 			}
 
 			return retval;

diff --git a/Xwt.XamMac/Xwt.Mac/MacClipboardBackend.cs b/Xwt.XamMac/Xwt.Mac/MacClipboardBackend.cs
@@ -80,7 +80,7 @@ public override object GetData (TransferDataType type)
 				var bytes = new byte [data.Length];
 				using (var stream = new UnmanagedMemoryStream ((byte*)data.Bytes, bytes.Length))
 					stream.Read (bytes, 0, bytes.Length);
-				return TransferDataSource.DeserializeValue (bytes);
+				return TransferDataSource.DeserializeValue (bytes, Type.GetType (type.Id));
 			}
 		}
 
@@ -121,7 +121,7 @@ public void ProvideData (NSPasteboard pboard, NSString type)
 			else if (obj is string)
 				data = NSData.FromString ((string)obj);
 			else
-				data = NSData.FromArray (TransferDataSource.SerializeValue (obj));
+				data = NSData.FromArray (TransferDataSource.SerializeValue (obj, obj.GetType()));
 			pboard.SetDataForType (data, type);
 		}
 	}

diff --git a/Xwt.XamMac/Xwt.Mac/ViewBackend.cs b/Xwt.XamMac/Xwt.Mac/ViewBackend.cs
@@ -968,7 +968,7 @@ public void ProvideDataForType (NSPasteboard pasteboard, NSPasteboardItem item,
 					else {
 						// For internal types, provided serialized data
 						object value = dataSource.GetValue(transferDataType);
-						NSData serializedData = NSData.FromArray(TransferDataSource.SerializeValue(value));
+						NSData serializedData = NSData.FromArray(TransferDataSource.SerializeValue(value, value.GetType()));
 						pasteboard.SetDataForType(serializedData, type);
 					}
 				}

diff --git a/Xwt/Xwt.Backends/TransferDataStore.cs b/Xwt/Xwt.Backends/TransferDataStore.cs
@@ -78,7 +78,7 @@ public void AddValue (TransferDataType type, byte[] value)
 		{
 			Type t = Type.GetType (type.Id);
 			if (t != null)
-				data [type] = TransferDataSource.DeserializeValue (value);
+				data [type] = TransferDataSource.DeserializeValue (value, t);
 			else
 				data [type] = value;
 		}
@@ -119,7 +119,7 @@ T ITransferData.GetValue<T> ()
 			if (ob == null || ob.GetType () == typeof(Type))
 				return (T) ob;
 			if (ob is byte[]) {
-				T val = (T) TransferDataSource.DeserializeValue ((byte[])ob);
+				T val = (T) TransferDataSource.DeserializeValue ((byte[])ob, typeof(T));
 				data[TransferDataType.FromType (typeof(T))] = val;
 				return val;
 			}

diff --git a/Xwt/Xwt.csproj b/Xwt/Xwt.csproj
@@ -34,6 +34,9 @@ The framework consists of the frontend (Xwt core) and platform specific backends
     <None Include="..\LICENSE.txt" Pack="true" PackagePath="" />
     <None Include="..\README.markdown" Pack="true" PackagePath="" />
   </ItemGroup>
+  <ItemGroup>
+    <PackageReference Include="System.Text.Json" Version="7.0.2" />
+  </ItemGroup>
   <ProjectExtensions>
     <MonoDevelop>
       <Properties>

diff --git a/Xwt/Xwt/TransferDataSource.cs b/Xwt/Xwt/TransferDataSource.cs
@@ -31,7 +31,7 @@
 using System.Runtime.Serialization.Formatters.Binary;
 using Xwt.Drawing;
 using Xwt.Backends;
-
+using System.Text.Json;
 
 namespace Xwt
 {
@@ -138,32 +138,25 @@ public object GetValue (TransferDataType type)
 			}
 			return null;
 		}
-		
+
 		/// <summary>
-		/// Serializes a value to a byte array using <see cref="System.Runtime.Serialization.Formatters.Binary.BinaryFormatter"/> .
+		/// Serializes a value to a byte array using <see cref="System.Text.Json.JsonSerializer"/> .
 		/// </summary>
 		/// <returns>The serialized value.</returns>
 		/// <param name="val">The value to serialize.</param>
-		public static byte[] SerializeValue (object val)
+		public static byte[] SerializeValue (object val, Type type)
 		{
-			using (MemoryStream ms = new MemoryStream ()) {
-				BinaryFormatter bf = new BinaryFormatter ();
-				bf.Serialize (ms, val);
-				return ms.ToArray ();
-			}
+			return JsonSerializer.SerializeToUtf8Bytes (val, type);
 		}
 
 		/// <summary>
 		/// Deserializes a value from a byte array.
 		/// </summary>
 		/// <returns>The deserialized value.</returns>
-		/// <param name="data">The byte array containing the serialized value.</param>
-		public static object DeserializeValue (byte[] data)
+		/// <param name="data">The byte array containing the Utf8 Json serialized value.</param>
+		public static object DeserializeValue (byte[] data, Type type)
 		{
-			using (MemoryStream ms = new MemoryStream (data)) {
-				BinaryFormatter bf = new BinaryFormatter ();
-				return bf.Deserialize (ms);
-			}
+			return JsonSerializer.Deserialize (data, type);
 		}
 	}