Explicitly disallow certain XML constructs (for CSDL, ATOM) to enhance OData security

    • Type: Improvement
    • Resolution: Fixed
    • Priority: Major
    • CN01
    • Affects Version/s: V4.0_WD01
    • Component/s: Securing OData
    • Environment: [Proposed]

      Servers should reject XML documents with XML DOCTYPE definitions, XML ENTITY definitions, and XML processing instructions.

      Clients may reject XML documents with XML DOCTYPE definitions, XML ENTITY definitions, and XML processing instructions.

      Accepted: https://www.oasis-open.org/committees/download.php/50225/odata-meeting-48_on-20130808-minutes.html#odata-461

      Considering the XML security vulnerabilities detailed in:

      http://stackoverflow.com/questions/1906927/xml-vulnerabilities

      it might be prudent to explicitly disallow certain XML constructs (DOCTYPE, ENTITY definitions and processing instructions) in ATOM, CSDL and any other XML documents used by OData.

      Specifically, a server receiving an XML document from the client, and a client receiving a document from the server, would be "permitted to ignore" (or preferably, "required to reject"):

      (1) XML DOCTYPE definitions
      (2) XML ENTITY definitions
      (3) XML processing instructions

            Assignee: Unassigned
            Reporter: evan.ireland.2
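One way a server or client could enforce the rule proposed in this issue, shown as an added example that is not code from the OData TC or from this issue: a screen built on Python's standard-library expat bindings. The names `screen` and `ForbiddenXmlConstruct` and the sample payloads are assumptions constructed for illustration.

```python
import xml.parsers.expat


class ForbiddenXmlConstruct(ValueError):
    """A construct the proposal says to reject was found in the payload."""


def _reject(kind):
    # Build an expat callback that aborts parsing the moment the construct is seen.
    def handler(*_args):
        raise ForbiddenXmlConstruct(kind)
    return handler


def screen(payload: bytes) -> str:
    """Return 'accept' or 'reject: <reason>' for a received ATOM/CSDL payload."""
    parser = xml.parsers.expat.ParserCreate()
    # (1) DOCTYPE definitions. ENTITY declarations can only appear inside a
    # DOCTYPE, so this handler normally fires before the entity handlers.
    parser.StartDoctypeDeclHandler = _reject("DOCTYPE definition")
    # (2) ENTITY definitions, kept as defence in depth.
    parser.EntityDeclHandler = _reject("ENTITY definition")
    parser.UnparsedEntityDeclHandler = _reject("ENTITY definition")
    # (3) Processing instructions. The <?xml ...?> declaration is not a
    # processing instruction and does not trigger this handler.
    parser.ProcessingInstructionHandler = _reject("processing instruction")
    try:
        parser.Parse(payload, True)
    except ForbiddenXmlConstruct as exc:
        return f"reject: {exc}"
    except xml.parsers.expat.ExpatError:
        return "reject: not well-formed XML"
    return "accept"


# Constructed sample payloads (not taken from the issue).
ATOM_OK = (b'<?xml version="1.0"?>'
           b'<entry xmlns="http://www.w3.org/2005/Atom"><title>ok</title></entry>')
WITH_DOCTYPE = (b'<?xml version="1.0"?>'
                b'<!DOCTYPE entry [<!ENTITY a "x">]>'
                b'<entry xmlns="http://www.w3.org/2005/Atom"><title>&a;</title></entry>')
WITH_PI = (b'<?xml version="1.0"?>'
           b'<?xml-stylesheet type="text/xsl" href="s.xsl"?>'
           b'<entry xmlns="http://www.w3.org/2005/Atom"/>')

if __name__ == "__main__":
    for name, doc in [("ok", ATOM_OK), ("doctype", WITH_DOCTYPE), ("pi", WITH_PI)]:
        print(name, "->", screen(doc))
```

Running the screen before the payload reaches the real ATOM or CSDL parser means the rejected constructs are never expanded or acted on.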