ASP.NET MVC security patch to version 3.0.0.1 breaks build [duplicate]

Solution 1:

I fixed this by:

  • Removing the MVC reference and add the correct reference to the project.
  • Changing the Copy Local property of the reference to true.
  • Update the bindingRedirect setting in web.config:

web.config runtime section:

<runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
        <dependentAssembly>
            <assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />
            <bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.1" />
        </dependentAssembly>
    ...

Changing the Copy Local setting will include the System.Web.MVC.dll file in the bin folder when you publish the project, so that it works even if the server is not updated with the new version.

Note that updates like this rarely happens. This is the first time that MVC 3 has been patched since it was released. You should be able to change Copy Local back to false once the servers has been updated. The next time Microsoft makes an update like this, they will probably know to fix issues like this first.

Solution 2:

I installed Microsoft.AspNet.Mvc package in my project using Nuget.

Install-Package Microsoft.AspNet.Mvc -Version <version> -Project PROJECTNAME 

MVC 4 version: 4.0.40804.0

MVC 3 version: 3.0.50813.1

This fixed the problem. Details here: http://blogs.msdn.com/b/webdev/archive/2014/10/16/microsoft-asp-net-mvc-security-update-broke-my-build.aspx

Solution 3:

Your production system should be fine as the hotfix delivers a config file (System.Web.Mvc.dll.config) into the following folder:

%SystemRoot%\assembly\GAC_MSIL\policy.3.0.System.Web.Mvc\3.0.0.1__31bf3856ad364e35

The config file contains an assembly redirect to the new version, this will override anything you have in your web.config:

<?xml version="1.0"?>
<!-- http://msdn.microsoft.com/en-us/library/7wd6ex19.aspx#BKMK_Redirectingassemblyversionsbyusingpublisherpolicy -->
<configuration>
    <runtime>
        <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
            <dependentAssembly>
                <assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" culture="neutral" />
                <bindingRedirect oldVersion="3.0.0.0-3.0.0.1" newVersion="3.0.0.1"/>
            </dependentAssembly>
        </assemblyBinding>
    </runtime>
</configuration>

Follow the advice by @Guffa for your build system, or use nuget to update. I believe the solution which works depends on how you deliver the MVC binaries to your system (either bin deploy or GAC).