118 Hacking Exposed Web 2.0

/// <summary>
/// Loads an XML string into an XmlDocument without restricting DTD processing (insecure)
/// </summary>
/// <param name="serializedXml">Xml serialized as a string</param>
/// <returns>Loaded XmlDocument object</returns>
public XmlDocument InsecureXmlStringLoad(string serializedXml)
{
    XmlDocument xmlDocument = new XmlDocument();
    //Behind the scenes, .Net creates an insecure XmlTextReader
    xmlDocument.LoadXml(serializedXml);
    return xmlDocument;
}
If this code were contained within an application server and was handling attacker-supplied
data, an attacker could easily force the application server to become unavailable.
Starting with the .Net Framework 2.0, the System.Xml namespace contains an
XmlReader class that disables processing of Document Type Definitions (DTDs) by
default. Using this class when loading XML into an XmlDocument can be significantly
safer.
Configure XML Loading Classes
to Load XML Securely
Following are secure examples of creating an XmlDocument from a file or a string. Note
that the ProhibitDtd setting is set to True even though True is the default value with
the XmlReader class. Setting this value explicitly is important in case Microsoft ever
decides to change the defaults in future versions of the .
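The following is an added example written for this edit, not code from the book. It shows a string loader and a file loader that go through XmlReader with DTD processing explicitly prohibited, and a small harness that confirms a constructed document carrying a DOCTYPE is rejected while plain XML still loads. It assumes .NET 4.0 or later, where DtdProcessing.Prohibit replaced the ProhibitDtd property named in the text (on .NET 2.0/3.5 the equivalent line is settings.ProhibitDtd = true). The class and method names are the example's own.

```csharp
using System;
using System.IO;
using System.Xml;

public static class SecureXmlLoader
{
    // Settings shared by both loaders: refuse any DTD and never resolve
    // external resources. Both are set explicitly even where they match
    // the XmlReader defaults, so a future change of defaults cannot
    // silently weaken this code.
    private static XmlReaderSettings SecureSettings()
    {
        XmlReaderSettings settings = new XmlReaderSettings();
        settings.DtdProcessing = DtdProcessing.Prohibit; // .NET 4.0+ form of ProhibitDtd = true
        settings.XmlResolver = null;                     // no external DTD/entity/schema fetches
        return settings;
    }

    // Secure replacement for InsecureXmlStringLoad: the XmlDocument is
    // populated through a restricted XmlReader instead of LoadXml.
    public static XmlDocument SecureXmlStringLoad(string serializedXml)
    {
        XmlDocument xmlDocument = new XmlDocument();
        xmlDocument.XmlResolver = null; // also disable resolution on the document itself
        using (XmlReader reader = XmlReader.Create(new StringReader(serializedXml), SecureSettings()))
        {
            xmlDocument.Load(reader);
        }
        return xmlDocument;
    }

    // Same approach for a file path.
    public static XmlDocument SecureXmlFileLoad(string path)
    {
        XmlDocument xmlDocument = new XmlDocument();
        xmlDocument.XmlResolver = null;
        using (XmlReader reader = XmlReader.Create(path, SecureSettings()))
        {
            xmlDocument.Load(reader);
        }
        return xmlDocument;
    }

    public static void Main()
    {
        // Constructed sample input: plain XML with no DTD loads normally.
        string plainXml = "<order><id>42</id></order>";
        XmlDocument ok = SecureXmlStringLoad(plainXml);
        Console.WriteLine("Loaded: " + ok.DocumentElement.Name);

        // Constructed sample input: any DOCTYPE, even a harmless one, is
        // rejected before its entity declarations are ever expanded.
        string xmlWithDtd = "<!DOCTYPE order [<!ENTITY greeting \"hi\">]><order>&greeting;</order>";
        try
        {
            SecureXmlStringLoad(xmlWithDtd);
            Console.WriteLine("Unexpected: DTD was accepted");
        }
        catch (XmlException ex)
        {
            Console.WriteLine("Rejected as expected: " + ex.Message);
        }
    }
}
```

The reader throws XmlException as soon as it reaches the DOCTYPE, so entity expansion never starts and the XmlDocument is never partially built. Setting XmlResolver to null on both the reader settings and the document covers the two places .NET would otherwise look for an external resolver.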