XmlConfigurator: do longer allow dtd processing across all platforms (LOG4NET-575) This patch fixes a security vulnerabiliy reported by Karthik Balasundaram. The security vulnerability was found in the way how log4net parses xml configuration files where it allowed to process XML External Entity Processing. An attacker could use this as an attack vector if he could modify the XML configuration file.

commit: 3242db510c27e825af7164415402f5012df521a2 [log] [tgz]
author: Dominik Psenner <dpsenner@apache.org> Tue Sep 12 09:15:08 2017 +0200
committer: Davyd McColl <davydm@gmail.com> Sun Sep 06 19:48:39 2020 +0200
tree: b0e2e9c107224a895c80b7f051fa6a4b32fce483
parent: c728a7065036c641adba471c2a3d79b5a5786c0e [diff]
diff --git a/src/log4net/Config/XmlConfigurator.cs b/src/log4net/Config/XmlConfigurator.cs
index e6c6695..c963730 100644
--- a/src/log4net/Config/XmlConfigurator.cs
+++ b/src/log4net/Config/XmlConfigurator.cs

@@ -721,10 +721,10 @@
                                         // is obsolete: 'Use XmlReaderSettings.DtdProcessing property instead.'
 #if NETSTANDARD1_3 // TODO DtdProcessing.Parse not yet available (https://github.com/dotnet/corefx/issues/4376)
 					settings.DtdProcessing = DtdProcessing.Ignore;
-#elif !NET_4_0 && !MONO_4_0 && !NETSTANDARD2_0
-					settings.ProhibitDtd = false;
+#elif !NET_4_0 && !MONO_4_0
+					settings.ProhibitDtd = true;
 #else
-					settings.DtdProcessing = DtdProcessing.Parse;
+					settings.DtdProcessing = DtdProcessing.Ignore;
 #endif
 
 					// Create a reader over the input stream
commit	3242db510c27e825af7164415402f5012df521a2	[log] [tgz]
author	Dominik Psenner <dpsenner@apache.org>	Tue Sep 12 09:15:08 2017 +0200
committer	Davyd McColl <davydm@gmail.com>	Sun Sep 06 19:48:39 2020 +0200
tree	b0e2e9c107224a895c80b7f051fa6a4b32fce483
parent	c728a7065036c641adba471c2a3d79b5a5786c0e [diff]