Firebird SQL connection provider validation now enabled

What Changed

Loading custom libraries is now prohibited. A ProviderCustomAssemblyLoadingProhibitedException is thrown if the FireBirdConnectionParameters.ClientLibrary parameter is specified. Handle the SqlDataSource.BeforeLoadProviderCustomAssembly or SqlDataSource.BeforeLoadProviderCustomAssemblyGlobal event to load a custom library.

Reasons for Change

An arbitrary library/assembly can be loaded as a Firebird ClientLibrary within a connection string. The server can use the connection string for subsequent interactions with the database. This could lead to remote code execution (RCE). The arbitrary library can also be fetched from a remote server if a UNC path is specified.

Impact on Existing Apps

This change affects applications that connect to the Firebird database server with the specified FireBirdConnectionParameters.ClientLibrary parameter.

How to Update Existing Apps

Follow the steps below to update an existing application:

Subscribe to the SqlDataSource.BeforeLoadProviderCustomAssembly or SqlDataSource.BeforeLoadProviderCustomAssemblyGlobal event.
Validate the path to the custom client library. Make certain the library is loaded from a safe/trusted location.
If validation is successful, set the e.AllowLoading event parameter to true:

C#
SqlDataSource.BeforeLoadProviderCustomAssemblyGlobal += (sender, args) => {
         if(args.AssemblyPath.StartsWith("c:\\"))
         args.AllowLoading = true;
};

Visual Basic
AddHandler SqlDataSource.BeforeLoadProviderCustomAssemblyGlobal, Sub(sender, args)
         If args.AssemblyPath.StartsWith("c:\") Then
         args.AllowLoading = True
         End If
End Sub

How to Revert to Previous Behavior

The previous behavior is no longer available (for security-related reasons).

DevExpress Support Team

last modified 7 months ago

Modified: August 14, 2024 7:57 AM

Platform: WPF Business Intelligence WinForms Reporting

Product: Dashboard for WinForms Dashboard for WPF Dashboard for JavaScript Dashboard for MVC Dashboard for React Reporting for ASP.NET Core Reporting for Blazor Dashboard for Angular Reporting for Angular Dashboard for Blazor Reporting for MVC Reporting for WPF Dashboard for ASP.NET Core Reporting for WinForms Reporting for Web Forms Reporting for Vue Reporting for React Report and Dashboard Server Dashboard for Web Forms Dashboard for Vue

Change Type: API Change

Build: 24.1.5 23.1.12 23.2.8 22.2.13 24.2.1 / Disabled

Disclaimer: The information provided on DevExpress.com and affiliated web properties (including the DevExpress Support Center) is provided "as is" without warranty of any kind. Developer Express Inc disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Please refer to the DevExpress.com Website Terms of Use for more information in this regard.

Confidential Information: Developer Express Inc does not wish to receive, will not act to procure, nor will it solicit, confidential or proprietary materials and information from you through the DevExpress Support Center or its web properties. Any and all materials or information divulged during chats, email communications, online discussions, Support Center tickets, or made available to Developer Express Inc in any manner will be deemed NOT to be confidential by Developer Express Inc. Please refer to the DevExpress.com Website Terms of Use for more information in this regard.