ASP.NET MVC security patch to version 3.0.0.1 breaks build [duplicate]
Solution 1:
I fixed this by:
- Removing the MVC reference and add the correct reference to the project.
- Changing the
Copy Local
property of the reference totrue
. - Update the
bindingRedirect
setting inweb.config
:
web.config runtime
section:
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.1" />
</dependentAssembly>
...
Changing the Copy Local
setting will include the System.Web.MVC.dll
file in the bin
folder when you publish the project, so that it works even if the server is not updated with the new version.
Note that updates like this rarely happens. This is the first time that MVC 3 has been patched since it was released. You should be able to change Copy Local
back to false
once the servers has been updated. The next time Microsoft makes an update like this, they will probably know to fix issues like this first.
Solution 2:
I installed Microsoft.AspNet.Mvc package in my project using Nuget.
Install-Package Microsoft.AspNet.Mvc -Version <version> -Project PROJECTNAME
MVC 4 version: 4.0.40804.0
MVC 3 version: 3.0.50813.1
This fixed the problem. Details here: http://blogs.msdn.com/b/webdev/archive/2014/10/16/microsoft-asp-net-mvc-security-update-broke-my-build.aspx
Solution 3:
Your production system should be fine as the hotfix delivers a config file (System.Web.Mvc.dll.config) into the following folder:
%SystemRoot%\assembly\GAC_MSIL\policy.3.0.System.Web.Mvc\3.0.0.1__31bf3856ad364e35
The config file contains an assembly redirect to the new version, this will override anything you have in your web.config:
<?xml version="1.0"?>
<!-- http://msdn.microsoft.com/en-us/library/7wd6ex19.aspx#BKMK_Redirectingassemblyversionsbyusingpublisherpolicy -->
<configuration>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" culture="neutral" />
<bindingRedirect oldVersion="3.0.0.0-3.0.0.1" newVersion="3.0.0.1"/>
</dependentAssembly>
</assemblyBinding>
</runtime>
</configuration>
Follow the advice by @Guffa for your build system, or use nuget to update. I believe the solution which works depends on how you deliver the MVC binaries to your system (either bin deploy or GAC).