May 4, 2005

.NET 2.0 prohibits DTD in XML by default

Yep, no DTD is allowed by default in the .NET 2.0 Beta2: XmlReaderSettings.ProhibitDtd Property (System.Xml)

That for sure contradicts the "Allow all XML syntax" gospel, but it looks like Microsoft takes security very seriously nowadays. Well, at least Microsoft's XML team. Most likely that was a hard decision, but maybe not, since what are the options here in the face of the billions of laughs attack? If a 1Kb well-formed XML document can hog all your CPU and memory when you just open it in a browser which processes DTD, such as IE?

Well, sure, it's just a default value and can be changed. But defaults are more than just defaults, and I bet most .NET 2.0 applications won't accept XML with DTD. That's sort of a milestone in XML history.

May 4, 2005 6:29 PM | #System.Xml v2.0
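The default described in the post, shown as an added example that is not code from the original post or from Microsoft: a reader created with default XmlReaderSettings rejects a document that carries a DOCTYPE, and parses it only after an explicit opt-in. The class name, the ReadText helper and the sample document are constructed for illustration; the sample declares a single harmless entity.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;

static class DtdDefaultDemo
{
    // Constructed sample: a small document with an internal DTD subset
    // that declares one short, harmless entity.
    const string SampleWithDtd =
        "<!DOCTYPE note [ <!ENTITY who \"world\"> ]>" +
        "<note>hello &who;</note>";

    // Hypothetical helper: reads the whole document and returns its text
    // content. Throws XmlException if the reader refuses the input.
    static string ReadText(string xml, XmlReaderSettings settings)
    {
        using (XmlReader reader = XmlReader.Create(new StringReader(xml), settings))
        {
            StringBuilder text = new StringBuilder();
            while (reader.Read())
            {
                if (reader.NodeType == XmlNodeType.Text)
                    text.Append(reader.Value);
            }
            return text.ToString();
        }
    }

    static void Main()
    {
        // Default settings: ProhibitDtd is true, so the DOCTYPE is refused
        // before any entity declared in it can be expanded.
        XmlReaderSettings defaults = new XmlReaderSettings();
        try
        {
            ReadText(SampleWithDtd, defaults);
            Console.WriteLine("parsed (not expected with default settings)");
        }
        catch (XmlException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }

        // Explicit opt-in: only for input whose origin is trusted, because
        // DTD processing is what makes entity-expansion attacks possible.
        XmlReaderSettings optIn = new XmlReaderSettings();
        optIn.ProhibitDtd = false;
        Console.WriteLine("parsed: " + ReadText(SampleWithDtd, optIn));
    }
}
```

In .NET Framework 4.0 and later, ProhibitDtd is marked obsolete in favour of XmlReaderSettings.DtdProcessing, so the compiler warns on the opt-in line there.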
Comments
I'd prefer a less disruptive way for sure... But which one do you mean?
Posted by: Oleg Tkachenko at May 4, 2005 10:45 PM

But is it a step in the right direction? There are less disruptive ways to defend against that kind of attack...