using System;
using System.Web;
using System.Web.Mvc;
using System.Xml;
/// <summary>
/// Sample handler contrasting insecure and secure XML reader configurations.
/// The BAD/GOOD markers label whether a construction lets DTD processing plus a
/// live <see cref="XmlUrlResolver"/> resolve external entities (XXE).
/// NOTE(review): this reads like a fixture for a static-analysis query — the BAD
/// cases are intentional and are meant to stay as written.
/// </summary>
public class XMLHandler : IHttpHandler
{
    /// <summary>
    /// Opens an <see cref="XmlTextReader"/> on the location named by the untrusted
    /// "document" query-string value, with DTD parsing on and a network resolver.
    /// </summary>
    /// <param name="ctx">Request context; only <c>Request.QueryString["document"]</c> is read.</param>
    public void ProcessRequest(HttpContext ctx)
    {
        // BAD: XmlTextReader is insecure with these options, using user-provided data
        // The single-string constructor takes a URL/path, so the request decides which
        // resource is opened; DtdProcessing.Parse together with XmlUrlResolver then lets
        // any DTD in that resource resolve external entities. The reader is only
        // constructed here — it is never read from or disposed.
        XmlTextReader reader = new XmlTextReader(ctx.Request.QueryString["document"]) { DtdProcessing = DtdProcessing.Parse, XmlResolver = new XmlUrlResolver() };
    }

    /// <summary>
    /// Creates two readers over <paramref name="content"/> with external entity
    /// resolution enabled: one via <see cref="XmlReaderSettings"/>, one via the
    /// <see cref="XmlTextReader"/> initializer. Neither reader is consumed or disposed.
    /// </summary>
    /// <param name="content">Passed as a URI by both APIs (XmlReader.Create's inputUri,
    /// XmlTextReader's url), not as XML text.</param>
    public void insecureXMLBad(string content)
    {
        XmlReaderSettings settings = new XmlReaderSettings();
        // Parse (rather than the default Prohibit) plus a resolver is the combination
        // that enables fetching external entities.
        settings.DtdProcessing = DtdProcessing.Parse;
        settings.XmlResolver = new XmlUrlResolver();
        // BAD: insecure settings
        XmlReader reader1 = XmlReader.Create(content, settings);
        // BAD: XmlTextReader is insecure with these options
        XmlTextReader reader2 = new XmlTextReader(content) { DtdProcessing = DtdProcessing.Parse, XmlResolver = new XmlUrlResolver() };
    }

    /// <summary>
    /// Safe variants: either prohibiting DTDs or clearing the resolver is enough on
    /// its own — without DTD parsing there is no entity declaration to expand, and
    /// without a resolver there is nothing to fetch an external one with.
    /// </summary>
    /// <param name="content">Used as XML text by <c>LoadXml</c> but as a URI by the
    /// <see cref="XmlTextReader"/> string constructor; the two APIs read it differently.</param>
    public void insecureXMLGood(string content)
    {
        // GOOD: XmlDocument is secure after 4.6
        // NOTE(review): the "secure by default" claims below depend on the framework
        // version the application *targets*, not just the runtime installed — confirm
        // the project's target framework before relying on the defaults.
        XmlDocument doc = new XmlDocument();
        doc.LoadXml(content);
        // GOOD: XmlTextReader is secure by default after 4.5.2
        XmlTextReader reader = new XmlTextReader(content);
        // GOOD: prohibit DTD processing
        // Prohibit makes the reader throw on any DOCTYPE, so no entity is ever declared.
        XmlTextReader reader1 = new XmlTextReader(content) { DtdProcessing = DtdProcessing.Prohibit };
        // GOOD: set resolver to null
        // A null resolver means external entities and DTDs are not retrieved, even if declared.
        XmlTextReader reader2 = new XmlTextReader(content) { XmlResolver = null };
        // GOOD: set resolver to null
        // Explicit null is the version-independent way to get the safe XmlDocument behaviour.
        XmlDocument doc2 = new XmlDocument() { XmlResolver = null };
        doc2.LoadXml(content);
    }

    /// <summary>
    /// True: the handler keeps no per-request state, so one instance may serve
    /// further requests.
    /// </summary>
    public bool IsReusable
    {
        get => true;
    }
}