diff --git a/CHANGELOG.md b/CHANGELOG.md index 5cf0c976..44b799e2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,7 @@ +# v1.6.0 (26 January 2025) +- [#884](/~https://github.com/zzzprojects/System.Linq.Dynamic.Core/pull/884) - By default the RestrictOrderByToPropertyOrField is now set to true in the ParsingConfig [feature] contributed by [StefH](/~https://github.com/StefH) +- [#867](/~https://github.com/zzzprojects/System.Linq.Dynamic.Core/issues/867) - CVE-2024-51417: System.Linq.Dynamic.Core allows remote access to properties on reflection types and static properties/fields [bug] + # v1.6.0-preview-03 (25 January 2025) - [#876](/~https://github.com/zzzprojects/System.Linq.Dynamic.Core/pull/876) - Update and Fix SecurityTests [test] contributed by [mariusz96](/~https://github.com/mariusz96) - [#882](/~https://github.com/zzzprojects/System.Linq.Dynamic.Core/pull/882) - ExpressionParser: add 2nd ctor with an extra non-optional parameter [feature] contributed by [StefH](/~https://github.com/StefH) diff --git a/Generate-ReleaseNotes.bat b/Generate-ReleaseNotes.bat index 9e5c85c3..63dc063d 100644 --- a/Generate-ReleaseNotes.bat +++ b/Generate-ReleaseNotes.bat @@ -1,5 +1,5 @@ rem /~https://github.com/StefH/GitHubReleaseNotes -SET version=v1.6.0-preview-03 +SET version=v1.6.0 GitHubReleaseNotes --output CHANGELOG.md --exclude-labels invalid question documentation wontfix environment duplicate --language en --version %version% --token %GH_TOKEN% diff --git a/README.md b/README.md index fee30ea3..79865db4 100644 --- a/README.md +++ b/README.md 
@@ -49,16 +49,17 @@ public class MyCustomClass If it's not possible to add that attribute, you need to implement a custom [CustomTypeProvider](https://dynamic-linq.net/advanced-configuration#customtypeprovider) and set this to the `ParsingConfig` and provide that config to all dynamic calls. Or provide a list of addtional types in the [DefaultDynamicLinqCustomTypeProvider.cs](/~https://github.com/zzzprojects/System.Linq.Dynamic.Core/blob/master/src/System.Linq.Dynamic.Core/CustomTypeProviders/DefaultDynamicLinqCustomTypeProvider.cs). -### v1.6.0-preview-01, 02, 03 +### v1.6.0 #### Change 1 It's not allowed anymore to call any methods on the `object` type. By default also the `ToString` and `Equals` methods are not allowed. -To allow these methods set `AllowEqualsAndToStringMethodsOnObject` to `true` in the `ParsingConfig` and provide that config to all dynamic calls. This is done to mitigate the risk of calling methods on the `object` type which could lead to security issues (CVE-2024-51417). +To allow these methods set `AllowEqualsAndToStringMethodsOnObject` to `true` in the `ParsingConfig` and provide that config to all dynamic calls. #### Change 2 By default the `RestrictOrderByToPropertyOrField` is now set to `true` in the `ParsingConfig`. Which means that only properties and fields can be used in the `OrderBy` / `ThenBy`. This is done to mitigate the risk of calling methods or other expressions in the `OrderBy` / `ThenBy` which could lead to security issues. +To allow these methods set `RestrictOrderByToPropertyOrField` to `false` in the `ParsingConfig` and provide that config to all dynamic calls. --- diff --git a/version.xml b/version.xml index fe78fd59..c8f45c09 100644 --- a/version.xml +++ b/version.xml @@ -1,5 +1,5 @@ - 0-preview-03 + 0 \ No newline at end of file
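Review bot: in the CHANGELOG.md hunk, the new CVE-2024-51417 entry under `# v1.6.0` links only to issue #867 and carries no contributor or fixing PR, unlike the other entries; linking the PR that resolved the issue would let consumers auditing the security fix find the actual code change rather than the report.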
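Review bot: the README.md hunk removes the rationale sentence from Change 1 ("This is done to mitigate the risk of calling methods on the `object` type which could lead to security issues (CVE-2024-51417).") while Change 2 keeps its equivalent sentence, so a reader who sets `AllowEqualsAndToStringMethodsOnObject` to `true` no longer sees what they are opting out of and the CVE reference now exists only in CHANGELOG.md; keep that sentence under Change 1. Two smaller points in the same hunk: the unchanged context line still reads "addtional types" (should be "additional"), and the added line "To allow these methods set `RestrictOrderByToPropertyOrField` to `false`" follows a sentence about "methods or other expressions", so "To allow methods or other expressions in `OrderBy` / `ThenBy`, set ..." would be more precise.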
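Review bot: the version.xml hunk leaves the file without a trailing newline ("\ No newline at end of file" after the `+ 0` line), which will produce a spurious diff on the next edit; add the newline. As extracted here only the suffix `0-preview-03` to `0` is visible, so the enclosing element and major/minor parts cannot be checked in this view; confirm the full string matches `v1.6.0` in Generate-ReleaseNotes.bat and the CHANGELOG heading.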