Skip to content

Commit

Permalink
XmlConfigurator: do longer allow dtd processing across all platforms …
Browse files Browse the repository at this point in the history 
…(LOG4NET-575)

This patch fixes a security vulnerabiliy reported by Karthik Balasundaram. The security
vulnerability was found in the way how log4net parses xml configuration files where it
allowed to process XML External Entity Processing. An attacker could use this as an
attack vector if he could modify the XML configuration file.
  • Loading branch information
@dpsenner @fluffynuts
dpsenner authored and fluffynuts committed Sep 6, 2020
1 parent c728a70 commit 3242db5
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions src/log4net/Config/XmlConfigurator.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -721,10 +721,10 @@ static private void InternalConfigure(ILoggerRepository repository, Stream confi
// is obsolete: 'Use XmlReaderSettings.DtdProcessing property instead.'
#if NETSTANDARD1_3 // TODO DtdProcessing.Parse not yet available (https://github.com/dotnet/corefx/issues/4376)
settings.DtdProcessing = DtdProcessing.Ignore;
#elif !NET_4_0 && !MONO_4_0 && !NETSTANDARD2_0
settings.ProhibitDtd = false;
#elif !NET_4_0 && !MONO_4_0
settings.ProhibitDtd = true;
#else
settings.DtdProcessing = DtdProcessing.Parse;
settings.DtdProcessing = DtdProcessing.Ignore;
#endif

// Create a reader over the input stream
Expand Down

0 comments on commit 3242db5

Please # to comment.