author: Christian Heimes <christian@python.org>, 2013-02-17 16:55:11 +0100
committer: Christian Heimes <christian@python.org>, 2013-02-17 16:55:11 +0100
commit: 4db4d0fa8b06ffaabb38822bd7c7387b098384e1 (patch)
tree: 0b3cd26e75843884d89f3b7348bc0765b095578a
parent: f724b31ed9f51cd76911ba0c97680c920e51296a (diff)
download: defusedxml-git-4db4d0fa8b06ffaabb38822bd7c7387b098384e1.tar.gz
document features in stdlib
how to protect .NET and Java
README.txt (-rw-r--r--) | 55
1 file changed, 52 insertions, 3 deletions
@@ -175,7 +175,6 @@ apply to this issue as well. Python XML Libraries ==================== - .. csv-table:: vulnerabilities and features :header: "kind", "sax", "etree", "minidom", "pulldom", "xmlrpc", "lxml", "genshi" :widths: 24, 7, 8, 8, 7, 8, 8, 8 @@ -208,6 +207,35 @@ Python XML Libraries `Other things to consider`_ +Settings in standard library +---------------------------- + + +xml.sax.handler Features +........................ + +feature_external_ges (http://xml.org/sax/features/external-general-entities) + disables external entity expansion + +feature_external_pes (http://xml.org/sax/features/external-parameter-entities) + the option is ignored and doesn't modify any functionality + +DOM xml.dom.xmlbuilder.Options +.............................. + +external_parameter_entities + ignored + +external_general_entities + ignored + +external_dtd_subset + ignored + +entities + unsure + + defusedxml ========== @@ -559,8 +587,15 @@ have no effect on entity expansion in PHP 5.4.6. C# / .NET / Mono ---------------- -Untested. Information in `XML DoS and Defenses (MSDN)`_ suggest that .NET is -vulnerable with its default settings. +Information in `XML DoS and Defenses (MSDN)`_ suggest that .NET is +vulnerable with its default settings. The article contains code snippets +how to create a secure XML reader:: + + XmlReaderSettings settings = new XmlReaderSettings(); + settings.ProhibitDtd = false; + settings.MaxCharactersFromEntities = 1024; + settings.XmlResolver = null; + XmlReader reader = XmlReader.Create(stream, settings); Java 
@@ -572,6 +607,20 @@ default settings. It also does entity resolving when an ``org.xml.sax.EntityResolver`` is configured. I'm not yet sure about the default setting here. +Java specialists suggest to have a custom builder factory:: + + DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance(); + builderFactory.setXIncludeAware(False); + builderFactory.setExpandEntityReferences(False); + builderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, True); + # either + builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", True); + # or if you need DTDs + builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", False); + builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", False); + builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", False); + builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", False); + TODO ==== |
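Review bot: in the "Settings in standard library" hunk (@@ -208,6 +207,35 @@), the claims that feature_external_pes and all three xml.dom.xmlbuilder.Options entity flags are "ignored", plus the "unsure" next to "entities", are stated without any pointer to where that was checked, so a reader cannot tell an option that is a no-op from one that is merely undocumented. Suggest citing the expatreader / expatbuilder code or a test that shows the option has no effect, and either resolving "unsure" before merging or moving it to the TODO section as an open item. The line "feature_external_ges ... disables external entity expansion" should also say which value does that (setting the feature to False) and that it governs external general entities only: internal entity expansion, i.e. the billion laughs case the table above lists for sax, is not affected by it.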
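Review bot: the .NET snippet (@@ -559,8 +587,15 @@) switches DTD processing on with `settings.ProhibitDtd = false;` and is only safe because `settings.MaxCharactersFromEntities = 1024;` and `settings.XmlResolver = null;` bound expansion and stop external fetches; the text should say so, since a reader who pastes it into code that never needs a DTD is better off leaving ProhibitDtd at its default of true (or, on .NET 4.0 and later where ProhibitDtd is obsolete, setting settings.DtdProcessing = DtdProcessing.Prohibit). Wording: "suggest" should be "suggests", and "code snippets how to create" reads better as "code snippets showing how to create".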
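Review bot: the Java snippet (@@ -572,6 +607,20 @@) does not compile as written: Java's boolean literals are true and false, not True and False, and line comments start with //, not #, so `builderFactory.setXIncludeAware(False);` and the `# either` / `# or if you need DTDs` lines need to be `builderFactory.setXIncludeAware(false);`, `// either` and `// or if you need DTDs` (same for every True/False in the block). "Java specialists suggest" also needs a source in the references, as the .NET paragraph has with the MSDN link. It is worth a sentence that DocumentBuilderFactory.setFeature throws ParserConfigurationException for a feature the installed parser does not know, so the apache.org feature URIs apply to Xerces-based parsers (which includes the JDK's built-in one) and callers should expect that exception with other implementations.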