Security Fix | Prohibit DtdProcessing on XmlTextReader instance in .NET Core (#885)

cheenamalhotra · web-flow · commit 57fa416bd6ce · 2021-01-18T14:52:20.000-08:00
diff --git a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlDependencyListener.cs b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlDependencyListener.cs
@@ -1155,8 +1155,8 @@ internal static SqlNotification ProcessMessage(SqlXml xmlMessage)
                         return null;
                     }
 
-                    // Create a new XmlTextReader on the Message node value.
-                    using (XmlTextReader xmlMessageReader = new XmlTextReader(xmlReader.Value, XmlNodeType.Element, null))
+                    // Create a new XmlTextReader on the Message node value. Prohibit DTD processing when dealing with untrusted sources.
+                    using (XmlTextReader xmlMessageReader = new XmlTextReader(xmlReader.Value, XmlNodeType.Element, null) { DtdProcessing = DtdProcessing.Prohibit })
                     {
                         // Proceed to the Text Node.
                         if (!xmlMessageReader.Read())

Original file line number	Diff line number	Diff line change
`@@ -1155,8 +1155,8 @@ internal static SqlNotification ProcessMessage(SqlXml xmlMessage)`
`1155`	`1155`	`return null;`
`1156`	`1156`	`}`
`1157`	`1157`
`1158`		`- // Create a new XmlTextReader on the Message node value.`
`1159`		`- using (XmlTextReader xmlMessageReader = new XmlTextReader(xmlReader.Value, XmlNodeType.Element, null))`
	`1158`	`+ // Create a new XmlTextReader on the Message node value. Prohibit DTD processing when dealing with untrusted sources.`
	`1159`	`+ using (XmlTextReader xmlMessageReader = new XmlTextReader(xmlReader.Value, XmlNodeType.Element, null) { DtdProcessing = DtdProcessing.Prohibit })`
`1160`	`1160`	`{`
`1161`	`1161`	`// Proceed to the Text Node.`
`1162`	`1162`	`if (!xmlMessageReader.Read())`