Prevent XmlReader from expanding XML entities
Question
Is there a way to prevent .NET's XmlReader class from expanding XML entities into their values when reading the content?
For instance, suppose the following XML is used as input:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE author PUBLIC "ISO 8879:1986//ENTITIES Added Latin 1//EN//XML" "http://www.oasis-open.org/docbook/xmlcharent/0.3/iso-lat1.ent" >
<author>&aacute;</author>
Let's assume it is not possible to reach the external OASIS DTD needed for the expansion of the aacute entity. I would like the reader to read, in sequence, the author element, then the aacute node of type EntityReference, and finally the author end element, without throwing any errors. How can I achieve this?
UPDATE: I also want to prevent the expansion of character entities such as &#x00E1;.
Answer
XML parsing is dangerous. In some cases it allows CVEs and Denial-of-Service attacks.
The most interesting document is MLDTDEntityAttacks, which provides implementations and recommendations for developers.
Retrieving resources:
<!DOCTYPE roottag [
<!ENTITY windowsfile SYSTEM "file:///c:/boot.ini">
]>
<roottag>
<sometag>&windowsfile;</sometag>
</roottag>
DoS:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE root
[
<!ENTITY a0 "test" >
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
]>
<root>&a4;</root>
Back to your question.
As @Evk wrote:
By setting EntityHandling you can prevent expanding all entities except CharEntities.
I don't know a solution to prevent expanding CharEntity except your own XmlReader implementation.
I think you also want to prevent parsing of &amp; &apos; &lt; &gt; &quot;
FYI, how and where XmlTextReader parses CharEntity:
XmlTextReader
  ParseElementContent
    & case
      ParseText
        Char entity case
          ParseCharRefInline
            This function finally parses numeric character entity references (e.g. &#32; and &#x00E1;):
              ParseNumericCharRefInline
            This function parses named character entity references (&amp; &lt; &gt; &quot;):
              ParseNamedCharRef
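A worked example, added here and not code from the question, the answer or @Evk, that puts the two points of the answer side by side: the legacy XmlTextReader with EntityHandling.ExpandCharEntities, which reports &aacute; as an EntityReference node while still expanding &#x00E1;, and XmlReaderSettings hardened so that neither the file:// retrieval document nor the entity-expansion DoS document above can do anything. It assumes a constructed variant of the question's input in which aacute is declared in an internal subset (the external OASIS DTD is treated as unreachable and is never fetched); the names XmlEntityDemo, ReadNodes, HardenedSettings and TryReadHardened are mine.

```csharp
// Added example (not code from the question, the answer, or @Evk).
// (1) XmlTextReader.EntityHandling = ExpandCharEntities reports general entities
//     such as &aacute; as EntityReference nodes instead of expanding them.
// (2) XmlReaderSettings hardened against the external-entity retrieval and
//     entity-expansion DoS documents shown in the answer.
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;

static class XmlEntityDemo
{
    // Constructed variant of the question's document: aacute is declared in an
    // internal subset, so the (assumed unreachable) external DTD is never needed.
    const string AuthorXml =
        "<!DOCTYPE author [ <!ENTITY aacute \"&#225;\"> ]>" +
        "<author>&aacute;&#x00E1;</author>";

    // Constructed, deliberately small cousin of the answer's DoS document.
    const string ExpansionXml =
        "<!DOCTYPE root [" +
        "<!ENTITY a0 \"test\">" +
        "<!ENTITY a1 \"&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;\">" +
        "<!ENTITY a2 \"&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;\">" +
        "]><root>&a2;</root>";

    // Reads with the legacy XmlTextReader (the only reader exposing EntityHandling)
    // and returns the node sequence as "NodeType:Name" so the effect is visible.
    public static List<string> ReadNodes(string xml, EntityHandling handling)
    {
        var reader = new XmlTextReader(new StringReader(xml))
        {
            XmlResolver = null,                      // never fetch external DTDs or entities
            DtdProcessing = DtdProcessing.Parse,     // needed only for the internal subset
            EntityHandling = handling,
            WhitespaceHandling = WhitespaceHandling.None,
        };
        var nodes = new List<string>();
        using (reader)
        {
            while (reader.Read())
                nodes.Add(reader.NodeType + ":" + reader.Name);
        }
        return nodes;
    }

    // Settings for untrusted input: no DTD at all (so no entity declarations and
    // no external resources), no resolver, and a cap on the characters produced by
    // entity expansion in case DtdProcessing is ever relaxed to Parse elsewhere.
    public static XmlReaderSettings HardenedSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null,
        MaxCharactersFromEntities = 1024,
    };

    // Returns null when the input is accepted, or the XmlException message when refused.
    public static string TryReadHardened(string xml)
    {
        try
        {
            using (var reader = XmlReader.Create(new StringReader(xml), HardenedSettings()))
            {
                while (reader.Read()) { }
            }
            return null;
        }
        catch (XmlException e)
        {
            return e.Message;
        }
    }

    static void Main()
    {
        // ExpandCharEntities: DocumentType:author Element:author EntityReference:aacute Text: EndElement:author
        // The &#x00E1; character reference is still expanded into the Text node, as the answer says.
        Console.WriteLine(string.Join(" ", ReadNodes(AuthorXml, EntityHandling.ExpandCharEntities)));

        // ExpandEntities: no EntityReference node; aacute's replacement text is reported as Text.
        Console.WriteLine(string.Join(" ", ReadNodes(AuthorXml, EntityHandling.ExpandEntities)));

        // Prohibit rejects the DOCTYPE before any entity is declared, so neither a
        // file:// retrieval nor nested expansion can take place.
        Console.WriteLine(TryReadHardened(ExpansionXml) ?? "accepted");
    }
}
```

Two design notes: XmlReaderSettings has no EntityHandling member, so the EntityReference behaviour is only available through XmlTextReader; and setting XmlResolver to null is what stops the external OASIS DTD from being requested at all, which is why the example declares aacute inline instead.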