.NET 2.0 prohibits DTD in XML by default


Yep, no DTD is allowed by default in the .NET 2.0 Beta2:

XmlReaderSettings.ProhibitDtd Property (System.Xml)
Gets or sets a value indicating whether to prohibit document type definition (DTD) processing.

Return Value
true to prohibit DTD processing; otherwise false. The default is true.

This setting can be useful in preventing certain denial of service attacks. When set to true, the reader throws a System.Xml.XmlException when any DTD content is encountered.

That for sure contradicts the "Allow all XML syntax" gospel, but it looks like Microsoft takes security very seriously nowadays. Well, at least Microsoft's XML team does. Most likely that was a hard decision, but maybe not, since what are the options here in the face of the billion laughs attack? If a 1Kb well-formed XML document can hog all your CPU and memory when you just open it in a browser that processes DTDs, such as IE?

Well, sure, it's just a default value and can be changed. But defaults are more than just defaults, and I bet most .NET 2.0 applications won't accept XML with a DTD. That's sort of a milestone in XML history.
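To see the default in action, here is a small C# console program, added here as an illustration (it is not code from the post or from Microsoft), that parses a constructed document carrying an internal DTD subset once with default settings and once with ProhibitDtd switched off:

```csharp
using System;
using System.IO;
using System.Xml;

class ProhibitDtdDemo
{
    // Constructed sample: a small well-formed document with an internal DTD subset.
    // Any DOCTYPE, including the nested-entity kind used by the billion laughs attack,
    // is rejected the same way when ProhibitDtd is true.
    const string XmlWithDtd =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE root [ <!ENTITY greeting \"hello\"> ]>\n" +
        "<root>&greeting;</root>";

    // Parse the sample with the given settings and return the text content of <root>,
    // or null if the reader refused the DTD.
    static string TryRead(XmlReaderSettings settings)
    {
        try
        {
            using (XmlReader reader = XmlReader.Create(new StringReader(XmlWithDtd), settings))
            {
                reader.ReadToFollowing("root");
                return reader.ReadElementContentAsString();
            }
        }
        catch (XmlException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
            return null;
        }
    }

    static void Main()
    {
        // 1. Defaults: ProhibitDtd is true in .NET 2.0, so the DOCTYPE raises an XmlException
        //    before any entity is expanded.
        XmlReaderSettings secure = new XmlReaderSettings();
        Console.WriteLine("Default settings: " + (TryRead(secure) ?? "no content (DTD prohibited)"));

        // 2. Opting back in: the DTD is processed and the entity reference is expanded.
        //    (In .NET 4.0 and later this property is marked obsolete in favour of
        //    XmlReaderSettings.DtdProcessing, whose default is also Prohibit.)
        XmlReaderSettings permissive = new XmlReaderSettings();
        permissive.ProhibitDtd = false;
        Console.WriteLine("ProhibitDtd = false: " + TryRead(permissive));
    }
}
```

The first call prints the rejection message and no content; the second prints "hello", which is exactly the behaviour an application inherits when it flips the default.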


1 TrackBack


I bookmark del giorno #4 from Lorenzo Barbieri @ UGIblogs! on May 5, 2005 2:34 PM


I'd prefer a less disruptive way for sure... But which one do you mean?

But is it a step in the right direction?

There are less disruptive ways to defend against that kind of attack...
