ad75b34de0
OBS-URL: https://build.opensuse.org/request/show/1001681 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/log4net?expand=0&rev=20
From d0b4b0157d4af36b23c24a23739c47925c3bd8d7 Mon Sep 17 00:00:00 2001
From: Dominik Psenner <dpsenner@apache.org>
Date: Tue, 12 Sep 2017 09:15:08 +0200
Subject: [PATCH] XmlConfigurator: do longer allow dtd processing across all
platforms (LOG4NET-575)
This patch fixes a security vulnerability reported by Karthik Balasundaram. The security
vulnerability was found in the way how log4net parses xml configuration files where it
allowed to process XML External Entity Processing. An attacker could use this as an
attack vector if he could modify the XML configuration file.
---
src/Config/XmlConfigurator.cs | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Index: log4net-1.2.10/log4net-1.2.10/src/Config/XmlConfigurator.cs
|
|
===================================================================
|
|
--- log4net-1.2.10.orig/log4net-1.2.10/src/Config/XmlConfigurator.cs
|
|
+++ log4net-1.2.10/log4net-1.2.10/src/Config/XmlConfigurator.cs
|
|
@@ -621,7 +621,7 @@ namespace log4net.Config
|
|
#elif NET_2_0
|
|
// Allow the DTD to specify entity includes
|
|
XmlReaderSettings settings = new XmlReaderSettings();
|
|
- settings.ProhibitDtd = false;
|
|
+ settings.ProhibitDtd = true;
|
|
|
|
// Create a reader over the input stream
|
|
XmlReader xmlReader = XmlReader.Create(configStream, settings);
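Review bot: The comment `// Allow the DTD to specify entity includes` above the `XmlReaderSettings settings` line now contradicts the setting it describes, since the added line turns DTD processing off; replace it with `// Prohibit DTD processing so external entities in a configuration file are never resolved (LOG4NET-575)`. This hunk only covers the `#elif NET_2_0` branch: the enclosing method and the platform branches before it start outside the hunk, and the diffstat reports 2 insertions and 2 deletions while only one changed pair is visible here, so the remaining change presumably disables DTD handling in another branch — worth confirming, since the subject claims all platforms. Adding `settings.XmlResolver = null;` next to `ProhibitDtd = true` would additionally keep the reader from fetching any external resource even if the DTD setting is later relaxed; on frameworks where `ProhibitDtd` is obsolete, `DtdProcessing = DtdProcessing.Prohibit` is the equivalent setting.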
|