C# - Validating xml file against local .xsd security issues


Problem description


Is this not a security issue? Even if the xml is validated against the schema, an attacker could still modify the local .xsd file and change it to allow whatever they want. Where should .xsd files be located? And how would you access such a file securely if it's stored in a secure location, so you can use it for your xml validation in .NET?

Recommended answer


You can't stop someone with admin rights on the machine where validation is done faking the schema validation, but one step you can and should take is to prevent the originator of the XML file from faking it.


If you are doing validation because you don't trust the file to be valid, then don't use the xsi:schemaLocation mechanism to locate the schema. Use a validation API that supplies the schema location from the receiving application, rather than getting it from the instance document.


If you want to be really careful, ensure that validation is done by sending the document to a secure server to be validated, and having your secure server return a copy of the document with a digital signature confirming its validity.
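The second point of the answer in .NET, as an added example that is not part of the original answer: the receiving application loads the schema from storage it controls, leaves `ProcessSchemaLocation` and `ProcessInlineSchema` unset so any `xsi:schemaLocation` hint in the instance is ignored, and disables external fetches. The class name, method names and the sample schema and document are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;
using System.Xml.Schema;

// Hypothetical helper (not from the original answer): validate an untrusted XML
// document against a schema the receiving application supplies, ignoring any
// xsi:schemaLocation / xsi:noNamespaceSchemaLocation hints inside the instance.
static class TrustedSchemaValidator
{
    // Returns validation problems; an empty list means the document conformed.
    public static List<string> Validate(string untrustedXml, string schemaXsd, string targetNamespace)
    {
        var errors = new List<string>();
        // The schema text comes from application-controlled storage, never from the document.
        var schemas = new XmlSchemaSet { XmlResolver = null };   // no xs:import/xs:include fetches
        schemas.Add(targetNamespace, XmlReader.Create(new StringReader(schemaXsd)));
        schemas.Compile();
        var settings = new XmlReaderSettings
        {
            ValidationType = ValidationType.Schema,
            Schemas = schemas,
            XmlResolver = null,                      // no external entity or DTD fetches
            DtdProcessing = DtdProcessing.Prohibit,  // reject any DOCTYPE outright
        };
        // ProcessSchemaLocation / ProcessInlineSchema are deliberately left unset, so the instance
        // cannot choose its own schema; ReportValidationWarnings makes "no schema information for
        // element X" a reported problem instead of a silent pass.
        settings.ValidationFlags |= XmlSchemaValidationFlags.ReportValidationWarnings;
        settings.ValidationEventHandler += (_, e) => errors.Add($"{e.Severity}: {e.Message}");
        try { using var reader = XmlReader.Create(new StringReader(untrustedXml), settings); while (reader.Read()) { } }
        catch (XmlException ex) { errors.Add("Malformed: " + ex.Message); }
        return errors;
    }

    // Constructed sample: a schema allowing only <order><id>positive integer</id></order>, and an
    // instance carrying a schemaLocation hint that the validator ignores.
    public static void Demo()
    {
        const string xsd = @"<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'>
  <xs:element name='order'><xs:complexType><xs:sequence>
    <xs:element name='id' type='xs:positiveInteger'/>
  </xs:sequence></xs:complexType></xs:element></xs:schema>";
        const string xml = @"<order xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
  xsi:noNamespaceSchemaLocation='http://sender.example/permissive.xsd'><id>abc</id></order>";
        foreach (var problem in Validate(xml, xsd, null)) Console.WriteLine(problem);
    }
}
```

Treat any entry in the returned list, warnings included, as a rejection; a document whose root element the application's schema set does not cover should never be accepted as "valid".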
