Breaking Change T1246822

Firebird SQL connection provider validation now enabled

What Changed

Loading custom libraries is now prohibited. A ProviderCustomAssemblyLoadingProhibitedException is thrown if the FireBirdConnectionParameters.ClientLibrary parameter is specified. Handle the SqlDataSource.BeforeLoadProviderCustomAssembly or SqlDataSource.BeforeLoadProviderCustomAssemblyGlobal event to load a custom library.

Reasons for Change

An arbitrary library/assembly can be specified as the Firebird ClientLibrary in a connection string. Because the server uses that connection string for its subsequent interactions with the database, the specified library is loaded and executed on the server, which could lead to remote code execution (RCE). If a UNC path is specified, the library can also be fetched from a remote server.

Impact on Existing Apps

This change affects applications that connect to the Firebird database server with the specified FireBirdConnectionParameters.ClientLibrary parameter.

How to Update Existing Apps

Follow the steps below to update an existing application:

  1. Subscribe to the SqlDataSource.BeforeLoadProviderCustomAssembly or SqlDataSource.BeforeLoadProviderCustomAssemblyGlobal event.
  2. Validate the path to the custom client library. Make certain the library is loaded from a safe/trusted location.
  3. If validation is successful, set the e.AllowLoading event parameter to true:
C#

SqlDataSource.BeforeLoadProviderCustomAssemblyGlobal += (sender, args) => {
    // Allow the library only when its path passes your check (here: a local path on drive C:).
    if (args.AssemblyPath.StartsWith("c:\\"))
        args.AllowLoading = true;
};

Visual Basic

AddHandler SqlDataSource.BeforeLoadProviderCustomAssemblyGlobal,
    Sub(sender, args)
        ' Allow the library only when its path passes your check (here: a local path on drive C:).
        If args.AssemblyPath.StartsWith("c:\") Then
            args.AllowLoading = True
        End If
    End Sub
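The handler above accepts any file anywhere on drive C:, and because String.StartsWith(string) is case-sensitive it rejects the "C:\..." spelling. A stricter handler for the same event, added here as an illustration and not DevExpress's own code, normalizes the path with Path.GetFullPath, rejects UNC and relative paths, and accepts only a known file name located directly in one deployment folder. The folder name FirebirdClient, the file name fbclient.dll and the helper class FirebirdClientLibraryPolicy are assumptions to adapt to your deployment; SqlDataSource, BeforeLoadProviderCustomAssemblyGlobal, args.AssemblyPath and args.AllowLoading are the members named on this page.

```csharp
using System;
using System.IO;
using DevExpress.DataAccess.Sql;   // SqlDataSource and its BeforeLoadProviderCustomAssemblyGlobal event

// Added example, not DevExpress code. Assumptions: the Firebird client library is deployed
// in an application sub-folder named "FirebirdClient" and its file name is fbclient.dll.
static class FirebirdClientLibraryPolicy
{
    // The only directory from which a client library may be loaded (assumed location).
    static readonly string TrustedDirectory =
        Path.GetFullPath(Path.Combine(AppContext.BaseDirectory, "FirebirdClient"))
            .TrimEnd(Path.DirectorySeparatorChar);

    // File names accepted as a Firebird client library (assumed; extend if you ship another build).
    static readonly string[] AllowedFileNames = { "fbclient.dll" };

    public static bool IsTrustedClientLibraryPath(string assemblyPath)
    {
        if (string.IsNullOrWhiteSpace(assemblyPath))
            return false;

        // A UNC path means the library would be fetched from a remote server: reject it outright.
        if (assemblyPath.StartsWith(@"\\") || assemblyPath.StartsWith("//"))
            return false;

        // A relative path resolves against the process working directory, which is not under
        // the application's control, so only absolute paths are considered.
        if (!Path.IsPathRooted(assemblyPath))
            return false;

        string fullPath;
        try
        {
            // Canonical form: collapses ".", "..", and duplicate separators, so that
            // C:\App\FirebirdClient\..\..\other.dll is compared as C:\other.dll.
            fullPath = Path.GetFullPath(assemblyPath);
        }
        catch (Exception ex) when (ex is ArgumentException || ex is NotSupportedException || ex is PathTooLongException)
        {
            return false;   // malformed path: treat as untrusted
        }

        // GetFullPath keeps UNC roots, so re-check the normalized form as well.
        if (fullPath.StartsWith(@"\\"))
            return false;

        // The file must sit directly in the trusted directory (no sub-folders), compared
        // case-insensitively because Windows paths are case-insensitive.
        if (!string.Equals(Path.GetDirectoryName(fullPath), TrustedDirectory, StringComparison.OrdinalIgnoreCase))
            return false;

        // Only the expected client library file name is accepted, and it must exist.
        string fileName = Path.GetFileName(fullPath);
        foreach (string allowed in AllowedFileNames)
            if (string.Equals(fileName, allowed, StringComparison.OrdinalIgnoreCase))
                return File.Exists(fullPath);

        return false;
    }

    // Call once at application start-up, before any SqlDataSource connects to Firebird.
    public static void Register()
    {
        SqlDataSource.BeforeLoadProviderCustomAssemblyGlobal += (sender, args) =>
        {
            // Leave loading prohibited unless the path passes every check above.
            args.AllowLoading = IsTrustedClientLibraryPath(args.AssemblyPath);
        };
    }
}
```

Keeping the decision in a separate, side-effect-free method makes it easy to unit-test with paths such as a UNC share, a "..\" traversal out of the folder, or an unexpected file name, and to log rejected paths for detection purposes without touching the event wiring.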

How to Revert to Previous Behavior

The previous behavior is no longer available (for security-related reasons).

Disclaimer: The information provided on DevExpress.com and affiliated web properties (including the DevExpress Support Center) is provided "as is" without warranty of any kind. Developer Express Inc disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Please refer to the DevExpress.com Website Terms of Use for more information in this regard.
