docs/code-quality/ca3075-insecure-dtd-processing.md
8 additions & 8 deletions
@@ -30,25 +30,25 @@ A *Document Type Definition (DTD)* is one of two ways an XML parser can determin
30
30
31
31
- The <xref:System.Xml.XmlNode.InnerXml%2A> property in the XML is set.
32
32
33
-
-<xref:System.Xml.XmlReaderSettings.DtdProcessing%2A> property is set to Parse.
33
+
-<xref:System.Xml.XmlReaderSettings.DtdProcessing%2A> property is set to Parse.
34
34
35
-
- Untrusted input is processed using <xref:System.Xml.XmlResolver> instead of <xref:System.Xml.XmlSecureResolver>.
35
+
- Untrusted input is processed using <xref:System.Xml.XmlResolver> instead of <xref:System.Xml.XmlSecureResolver>.
36
36
37
-
- The XmlReader.<xref:System.Xml.XmlReader.Create%2A> method is invoked with an insecure <xref:System.Xml.XmlReaderSettings> instance or no instance at all.
37
+
- The <xref:System.Xml.XmlReader.Create%2A?displayProperty=nameWithType> method is invoked with an insecure <xref:System.Xml.XmlReaderSettings> instance or no instance at all.
38
38
39
-
-<xref:System.Xml.XmlReader> is created with insecure default settings or values.
39
+
-<xref:System.Xml.XmlReader> is created with insecure default settings or values.
40
40
41
41
In each of these cases, the outcome is the same: the contents from either the file system or network shares from the machine where the XML is processed will be exposed to the attacker, which may then be used as a DoS vector.
42
42
43
43
## How to fix violations
44
44
45
-
- Catch and process all XmlTextReader exceptions properly to avoid path information disclosure.
45
+
- Catch and process all XmlTextReader exceptions properly to avoid path information disclosure.
46
46
47
47
- Use the <xref:System.Xml.XmlSecureResolver> to restrict the resources that the XmlTextReader can access.
48
48
49
49
- Do not allow the <xref:System.Xml.XmlReader> to open any external resources by setting the <xref:System.Xml.XmlResolver> property to **null**.
50
50
51
-
- Ensure that the <xref:System.Data.DataViewManager.DataViewSettingCollectionString%2A> property of <xref:System.Data.DataViewManager> is assigned from a trusted source.
51
+
- Ensure that the <xref:System.Data.DataViewManager.DataViewSettingCollectionString%2A?displayProperty=nameWithType> property is assigned from a trusted source.
52
52
53
53
**.NET 3.5 and earlier**
54
54
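Review bot: lines 33 and 39 are rewritten but, as rendered here, the new lines still read `-<xref:System.Xml.XmlReaderSettings.DtdProcessing%2A> property is set to Parse.` and `-<xref:System.Xml.XmlReader> is created with insecure default settings or values.` with no space between the bullet hyphen and the `<xref>` element, whereas the neighbouring bullets (`- Untrusted input is processed ...`, `- The <xref:System.Xml.XmlReader.Create%2A?displayProperty=nameWithType> method ...`) do have it; markdown only treats `- ` (hyphen plus space) as a list item, so please confirm the committed lines carry that space, otherwise these two entries render as literal text and the list of violation conditions is silently shortened. The replacement on line 37, `The <xref:System.Xml.XmlReader.Create%2A?displayProperty=nameWithType> method` in place of the hand-written `The XmlReader.<xref:System.Xml.XmlReader.Create%2A> method`, is the right fix, since `displayProperty=nameWithType` renders the type-qualified name itself; for consistency the same `?displayProperty=nameWithType` could be applied to the `InnerXml%2A` and `DtdProcessing%2A` xrefs on lines 31 and 33, as the `DataViewSettingCollectionString%2A` xref on line 51 and the `DtdProcessing%2A` xref on line 61 already do.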
@@ -58,7 +58,7 @@ In each of these cases, the outcome is the same: the contents from either the fi
58
58
59
59
**.NET 4 and later**
60
60
61
-
- Avoid enabling DtdProcessing if you're dealing with untrusted sources by setting the <xref:System.Xml.XmlReaderSettings.DtdProcessing%2A?displayProperty=nameWithType>property to **Prohibit** or **Ignore**.
61
+
- Avoid enabling DtdProcessing if you're dealing with untrusted sources by setting the <xref:System.Xml.XmlReaderSettings.DtdProcessing%2A?displayProperty=nameWithType> property to **Prohibit** or **Ignore**.
62
62
63
63
- Ensure that the Load() method takes an XmlReader instance in all InnerXml cases.
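Review bot: the only change in this hunk is inserting the missing space between the `<xref:System.Xml.XmlReaderSettings.DtdProcessing%2A?displayProperty=nameWithType>` element and the word `property` on line 61, which is correct and makes the sentence read as intended. Since the hunk touches this list, the unchanged neighbouring bullet on line 63, `Ensure that the Load() method takes an XmlReader instance in all InnerXml cases.`, could be brought in line with the rest of the article at the same time: `Load()`, `XmlReader` and `InnerXml` are plain text here while every other API name in the section is an `<xref>` or bolded, so wrapping them in backticks or the matching `<xref:...>` elements would keep the rendering consistent.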