The XslTransformation task is unable to transform XML files containing DTD #5810
Comments
Team Triage: We're not sure we want to take a fix on this, as it's a security issue. Note that the docs on XmlReaderSettings.DtdProcessing state that the default should be
Related issue: http://vstfdevdiv:8080/DevDiv2/DevDiv/_workitems/edit/1043311
I don't have access to http://vstfdevdiv:8080/DevDiv2/DevDiv/_workitems/edit/1043311 so I don't know about its content. However, here's my general view regarding that topic:

MSBuild tasks are to the design of build processes what .NET (or any other technology) APIs are to the design of software systems. If the .NET framework is improperly used, you can end up with nasty security problems and a whole array of other issues. But if you'd lock down the .NET framework in order to prevent certain things from being done you'd severely limit its usefulness. The same applies to MSBuild tasks. If used improperly, you can create lots of problems as well. Use the

So, I think the MSBuild tasks should strive to be simple and secure to use BUT at the same time be flexible and powerful enough to

Currently, there are three tasks shipped together with MSBuild that are designed to manipulate XML. These tasks behave differently in terms of DTD:

So, I think a better approach would be to change all three tasks to prohibit DTD by default which would make them safe to use by default. However, all three tasks should then be equipped with a property that would enable DTD. That would make them capable of dealing with more than just the happy case. From my perspective, that would be a good trade-off between ease-of-use and security. So, I would add the

Note that the part of the argumentation for introducing that property on
(see here). The argument above contains a valid point from my perspective. Security is a concern but shielding the tasks with a property would properly address that concern from my perspective.
Just a heads up, this is still being discussed internally.
Issue Description
Attempting to transform an XML file that begins with a Document Type Definition (DTD) using MSBuild's XslTransformation task results in the following error message:

Steps to Reproduce
Run the following sample project using MSBuild in order to get the above mentioned error message:

Deleting the line <!DOCTYPE note SYSTEM "Note.dtd"> results in a proper transformation.

Analysis
Line 222 of the XslTransformation source code sets the DtdProcessing property of the XmlReaderSettings object that is used to DtdProcessing.Ignore. This prevents XML files containing DTDs from being transformed. To be able to transform such files the property would need to be set to DtdProcessing.Parse.

.NET offers this property to prevent denial of service attacks (see here for more info). However, I'm not sure whether that would be an issue in an MSBuild task. If so, it would make sense to expose a property that changes the value of the DtdProcessing property.

Not being able to transform DTD containing XML files is just cumbersome. You'd need to remove all DTD lines before the transformation and insert them again afterwards.
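
The opt-in idea raised in this thread (reject DTDs by default, allow them through a property), as an added example that is not MSBuild's code: it shows a DOCTYPE rejected by default, accepted after opt-in with external resolution disabled, and an entity expansion stopped by a size cap. The allowDtd switch, the 1024-character cap and both sample documents are assumptions constructed for this illustration.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Text;
using System.Xml;

static class DtdOptInDemo
{
    // allowDtd is a hypothetical opt-in switch, not an existing MSBuild task property.
    static XmlReaderSettings CreateSettings(bool allowDtd)
    {
        return new XmlReaderSettings
        {
            // Prohibit: a DOCTYPE raises XmlException. Parse: the DTD is processed.
            DtdProcessing = allowDtd ? DtdProcessing.Parse : DtdProcessing.Prohibit,
            // Do not resolve external DTDs or entities (no file or network access).
            XmlResolver = null,
            // Assumed cap: abort once entity expansion yields more than 1024 characters.
            MaxCharactersFromEntities = 1024
        };
    }
    static string Read(string xml, bool allowDtd)
    {
        try
        {
            var text = new StringBuilder();
            using (var reader = XmlReader.Create(new StringReader(xml), CreateSettings(allowDtd)))
                while (reader.Read())
                    if (reader.NodeType == XmlNodeType.Text) text.Append(reader.Value);
            return "ok, text length " + text.Length;
        }
        catch (XmlException ex)
        {
            return "rejected: " + ex.Message;
        }
    }

    static void Main()
    {
        // Constructed input using the DOCTYPE line quoted in the issue.
        string note = "<!DOCTYPE note SYSTEM \"Note.dtd\"><note>hello</note>";
        // Constructed input: a 64-character entity referenced 32 times (2048 characters).
        string large = "<!DOCTYPE note [<!ENTITY e \"" + new string('x', 64) + "\">]><note>"
                     + string.Concat(Enumerable.Repeat("&e;", 32)) + "</note>";
        Console.WriteLine("default, DOCTYPE: " + Read(note, false));
        Console.WriteLine("opt-in,  DOCTYPE: " + Read(note, true));
        Console.WriteLine("opt-in,  large:   " + Read(large, true));
    }
}
```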