XmlConfigurator: no longer allow dtd processing across all platforms (LOG4NET-575)

This patch fixes a security vulnerability reported by Karthik Balasundaram. The security vulnerability was found in the way log4net parses xml configuration files, where it allowed XML External Entity processing. An attacker could use this as an attack vector if he could modify the XML configuration file.


Project: http://git-wip-us.apache.org/repos/asf/logging-log4net/repo
Commit: http://git-wip-us.apache.org/repos/asf/logging-log4net/commit/d0b4b015
Tree: http://git-wip-us.apache.org/repos/asf/logging-log4net/tree/d0b4b015
Diff: http://git-wip-us.apache.org/repos/asf/logging-log4net/diff/d0b4b015

Branch: refs/heads/feature/cd-pipeline
Commit: d0b4b0157d4af36b23c24a23739c47925c3bd8d7
Parents: c04a774
Author: Dominik Psenner <dpsen...@apache.org>
Authored: Tue Sep 12 09:15:08 2017 +0200
Committer: Dominik Psenner <dpsen...@apache.org>
Committed: Tue Sep 12 11:06:38 2017 +0200

----------------------------------------------------------------------
 src/Config/XmlConfigurator.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/logging-log4net/blob/d0b4b015/src/Config/XmlConfigurator.cs
----------------------------------------------------------------------
diff --git a/src/Config/XmlConfigurator.cs b/src/Config/XmlConfigurator.cs
index 5b11d98..0051377 100644
--- a/src/Config/XmlConfigurator.cs
+++ b/src/Config/XmlConfigurator.cs
@@ -736,9 +736,9 @@ namespace log4net.Config
 #if NETSTANDARD1_3 // TODO DtdProcessing.Parse not yet available 
(https://github.com/dotnet/corefx/issues/4376)
                                        settings.DtdProcessing = 
DtdProcessing.Ignore;
 #elif !NET_4_0 && !MONO_4_0
-                                       settings.ProhibitDtd = false;
+                                       settings.ProhibitDtd = true;
 #else
-                                       settings.DtdProcessing = 
DtdProcessing.Parse;
+                                       settings.DtdProcessing = 
DtdProcessing.Ignore;
 #endif
 
                                        // Create a reader over the input stream
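Review bot: the two non-NETSTANDARD branches of this hunk now behave differently when a configuration file carries a DOCTYPE: `settings.ProhibitDtd = true;` in the `#elif !NET_4_0 && !MONO_4_0` branch makes the reader throw an XmlException as soon as a DTD is encountered, while `settings.DtdProcessing = DtdProcessing.Ignore;` in the `#else` branch (and the existing NETSTANDARD1_3 branch) silently skips the DTD and leaves any entity references unexpanded. Both stop external entity resolution, which is what the fix needs, but the failure mode is loud on one framework and silent on the other. Consider `DtdProcessing.Prohibit` in the `#else` branch so a DOCTYPE is rejected consistently everywhere it can be, or add a comment here stating that Ignore is intentional for that branch, and mention in the release notes that configuration files relying on DTD-defined entities will no longer have them expanded.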
