Commits

Christian Heimes  committed cd1c806

document features in stdlib
how to protect .NET and Java

  • Parent commits 429a7c2


Files changed (1)

 Python XML Libraries
 ====================
 
-
 .. csv-table:: vulnerabilities and features
    :header: "kind", "sax", "etree", "minidom", "pulldom", "xmlrpc", "lxml", "genshi"
    :widths: 24, 7, 8, 8, 7, 8, 8, 8
    `Other things to consider`_
 
 
+Settings in standard library
+----------------------------
+
+
+xml.sax.handler Features
+........................
+
+feature_external_ges (http://xml.org/sax/features/external-general-entities)
+  disables external entity expansion
+
+feature_external_pes (http://xml.org/sax/features/external-parameter-entities)
+  the option is ignored and doesn't modify any functionality
+
+DOM xml.dom.xmlbuilder.Options
+..............................
+
+external_parameter_entities
+  ignored
+
+external_general_entities
+  ignored
+
+external_dtd_subset
+  ignored
+
+entities
+  unsure
+
+
 defusedxml
 ==========
 
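Review bot: the feature_external_ges entry reads as if the feature itself "disables external entity expansion", but it is a boolean that defaults to True (external general entities are included); expansion is only switched off when the caller sets it to False with parser.setFeature(xml.sax.handler.feature_external_ges, False), so state the default and the value to set. The feature_external_pes entry and the xmlbuilder Options marked "ignored" should say plainly that setting them has no effect, i.e. they cannot be used to turn external parameter entities off, since that is the security-relevant consequence. The "unsure" next to `entities` is a placeholder; resolve it or mark it TODO so it is not read as a finding.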
 C# / .NET / Mono
 ----------------
 
-Untested. Information in `XML DoS and Defenses (MSDN)`_ suggest that .NET is
-vulnerable with its default settings.
+Information in `XML DoS and Defenses (MSDN)`_ suggest that .NET is
+vulnerable with its default settings. The article contains code snippets
+how to create a secure XML reader::
+
+  XmlReaderSettings settings = new XmlReaderSettings();
+  settings.ProhibitDtd = false;
+  settings.MaxCharactersFromEntities = 1024;
+  settings.XmlResolver = null;
+  XmlReader reader = XmlReader.Create(stream, settings);
 
 
 Java
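Review bot: the snippet sets settings.ProhibitDtd = false, which turns DTD processing on (XmlReaderSettings prohibits DTDs by default), so as written it is the configuration for readers that must accept a DTD and relies on MaxCharactersFromEntities and XmlResolver = null for protection; the text should say so and note that leaving ProhibitDtd at its default (or DtdProcessing = DtdProcessing.Prohibit on .NET 4 and later, where ProhibitDtd is obsolete) is the stricter choice. The old "Untested." qualifier was dropped although nothing in the commit indicates the snippet was run; keep it, or state that the code is quoted from the MSDN article. Minor: "Information ... suggest" should be "suggests", and "code snippets how to create" should be "code snippets showing how to create".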
 ``org.xml.sax.EntityResolver`` is configured. I'm not yet sure about the
 default setting here.
 
+Java specialists suggest to have a custom builder factory::
+
+  DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
+  builderFactory.setXIncludeAware(False);
+  builderFactory.setExpandEntityReferences(False);
+  builderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, True);
+  # either
+  builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", True);
+  # or if you need DTDs
+  builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", False);
+  builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", False);
+  builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", False);
+  builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", False);
+
 
 TODO
 ====
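Review bot: the Java snippet will not compile as written: `False`/`True` must be `false`/`true`, the `#` comment lines must be `//` comments, `XMLConstants` needs `import javax.xml.XMLConstants;`, and `setFeature` throws the checked `ParserConfigurationException`, so the calls need a try/catch or a `throws` clause. The "either / or" comments leave both alternatives in one block; split them into two blocks so a reader copying the code does not set disallow-doctype-decl and then also the four DTD-related features. "Java specialists suggest" should cite its source with a link, as the MSDN reference above does, and it is worth stating that the apache.org feature URIs (disallow-doctype-decl, load-external-dtd, load-dtd-grammar) are Xerces features, since DocumentBuilderFactory.newInstance() may return a different implementation that rejects them.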