What Changed
Loading custom client libraries is now prohibited. A ProviderCustomAssemblyLoadingProhibitedException is thrown if the FireBirdConnectionParameters.ClientLibrary parameter is specified. To allow a custom library to be loaded, handle the SqlDataSource.BeforeLoadProviderCustomAssembly or SqlDataSource.BeforeLoadProviderCustomAssemblyGlobal event and explicitly approve the library path.
Reasons for Change
The Firebird ClientLibrary value names a native library that the data provider loads into the process, and that value can be supplied inside a connection string. Because the server uses the connection string for subsequent interactions with the database, anyone who controls the connection string can point ClientLibrary at an arbitrary library, which the server then loads and executes. This could lead to remote code execution (RCE). If a UNC path is specified, the library does not even have to exist on the server: it is fetched from the remote host named in the path.
Impact on Existing Apps
This change affects applications that connect to a Firebird database server with the FireBirdConnectionParameters.ClientLibrary parameter specified. Such applications throw a ProviderCustomAssemblyLoadingProhibitedException until they handle one of the events described below.
How to Update Existing Apps
Follow the steps below to update an existing application:
- Subscribe to the SqlDataSource.BeforeLoadProviderCustomAssembly or SqlDataSource.BeforeLoadProviderCustomAssemblyGlobal event.
- Validate the path to the custom client library (args.AssemblyPath). Make certain the library is loaded from a safe, trusted location that only administrators can write to, and reject UNC paths, since they would fetch the library from a remote host.
- If validation is successful, set the e.AllowLoading event parameter to true. Loading is denied unless your handler explicitly allows it:

C#
// Illustrative check only: a "c:\" prefix admits any file on the C: drive,
// including user-writable folders. Restrict loading to one trusted directory in production.
SqlDataSource.BeforeLoadProviderCustomAssemblyGlobal += (sender, args) => {
    if(args.AssemblyPath.StartsWith("c:\\"))
        args.AllowLoading = true;
};

Visual Basic
' Illustrative check only: a "c:\" prefix admits any file on the C: drive,
' including user-writable folders. Restrict loading to one trusted directory in production.
AddHandler SqlDataSource.BeforeLoadProviderCustomAssemblyGlobal, Sub(sender, args)
    If args.AssemblyPath.StartsWith("c:\") Then
        args.AllowLoading = True
    End If
End Sub
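The prefix check in the snippets above is only a placeholder. The following C# example, added here and not part of the original page or of the DevExpress library, shows a stricter validator that the event handler can delegate to. It takes SqlDataSource.BeforeLoadProviderCustomAssemblyGlobal, args.AssemblyPath and args.AllowLoading from the page and assumes the DevExpress.DataAccess.Sql namespace for SqlDataSource; the ClientLibraryPolicy class, its IsTrustedClientLibraryPath method and the TrustedDirectory location are illustrative assumptions.

```csharp
using System;
using System.IO;
using DevExpress.DataAccess.Sql; // assumed namespace of SqlDataSource

static class ClientLibraryPolicy
{
    // Assumption: the only directory from which a Firebird client library may be loaded.
    // Choose a directory writable only by administrators, never a temp or upload folder.
    static readonly string TrustedDirectory =
        Path.GetFullPath(@"C:\Program Files\Firebird\lib")
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar);

    // Returns true only when `candidate` is a rooted local path that resolves to an
    // existing .dll directly inside TrustedDirectory. UNC paths, device paths,
    // relative paths and anything that escapes the directory via ".." are rejected.
    public static bool IsTrustedClientLibraryPath(string candidate)
    {
        if (string.IsNullOrWhiteSpace(candidate))
            return false;

        // Reject UNC (\\server\share\...) and extended-length/device (\\?\, \\.\) forms.
        // The first fetches the library from a remote host; the second bypasses normal
        // path canonicalisation. Forward-slash variants normalise to the same thing.
        if (candidate.StartsWith(@"\\", StringComparison.Ordinal) ||
            candidate.StartsWith("//", StringComparison.Ordinal))
            return false;

        // A relative path would resolve against the process working directory.
        if (!Path.IsPathRooted(candidate))
            return false;

        string full;
        try
        {
            // Canonicalise: resolves "..", "." and doubled separators so the
            // directory comparison below sees the real target.
            full = Path.GetFullPath(candidate);
        }
        catch (Exception)
        {
            return false; // invalid characters, unsupported forms, over-long paths
        }

        // Compare the canonical parent directory, not a string prefix: a prefix test
        // would accept "C:\Program Files\Firebird\lib-evil\x.dll".
        string parent = Path.GetDirectoryName(full);
        if (parent == null ||
            !string.Equals(parent, TrustedDirectory, StringComparison.OrdinalIgnoreCase))
            return false;

        if (!string.Equals(Path.GetExtension(full), ".dll", StringComparison.OrdinalIgnoreCase))
            return false;

        // The file must already be present; the handler must never cause it to be created.
        return File.Exists(full);
    }
}

static class Startup
{
    // Call once at application start, before any SqlDataSource connects to Firebird.
    public static void RegisterClientLibraryPolicy()
    {
        SqlDataSource.BeforeLoadProviderCustomAssemblyGlobal += (sender, args) =>
        {
            // Deny by default; allow only what the policy accepts.
            args.AllowLoading = ClientLibraryPolicy.IsTrustedClientLibraryPath(args.AssemblyPath);
        };
    }
}
```

The validator compares the canonical parent directory rather than a string prefix, because a prefix test is defeated by sibling directories with the same prefix and by ".." segments. It rejects UNC and device-path forms before canonicalisation, since those are exactly the forms that let an attacker fetch a library from a remote host or sidestep normalisation. What makes the result trustworthy is the ACL on TrustedDirectory: the check proves the path lies in that directory, and the ACL guarantees only administrators could have placed a file there.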
How to Revert to Previous Behavior
The previous behavior is no longer available, for security reasons.