Remove BinaryFormatter usage from SettingsPropertyValue

[GrabYourPitchforks]

Ref:

runtime/src/libraries/System.Configuration.ConfigurationManager/src/System/Configuration/SettingsPropertyValue.cs

Lines 99 to 102 in af828ae

	using (MemoryStream ms = new MemoryStream((byte[])SerializedValue))
	{
	value = (new BinaryFormatter()).Deserialize(ms);
	}

runtime/src/libraries/System.Configuration.ConfigurationManager/src/System/Configuration/SettingsPropertyValue.cs

Lines 196 to 199 in af828ae

	using (MemoryStream ms = new MemoryStream(buffer))
	{
	return (new BinaryFormatter()).Deserialize(ms);
	}

runtime/src/libraries/System.Configuration.ConfigurationManager/src/System/Configuration/SettingsPropertyValue.cs

Lines 222 to 227 in af828ae

	using (MemoryStream ms = new MemoryStream())
	{
	BinaryFormatter bf = new BinaryFormatter();
	bf.Serialize(ms, _value);
	return ms.ToArray();
	}

This issue tracks the removal and replacement of this code per the BinaryFormatter obsoletion plan.

For context: Reading from local configuration is generally perceived to be a "safe" operation. However, we have seen cases where the config APIs are used in multi-tenant environments, reading values from arbitrary XML files. The same thing hit ResourceReader a few years back. A popular web service allowed non-admins to upload .resx files, and when the web service tried parsing it it allowed RCE within the context of the service.

Tagging subscribers to this area: @safern
Notify danmosemsft if you want to be subscribed.

[pgovind]

I think this is a fairly easy library to turn off binary formatter support. Here's my proposal:

There already exists a SettingsSerializeAs.Xml enum. So, let's mark SettingsSerializeAs.Binary as Obsolete for .NET 6. Further, I want to throw an exception when SettingsSerializeAs.Binary is used unless EnableUnsafeBinaryFormatterSerialization is set in the csproj.

@GrabYourPitchforks, @ericstj, area-owners, thoughts?