[ODATA-461] Explicitly disallow certain XML constructs (for CSDL, ATOM) to enhance OData security - OASIS Technical Committees Issue Tracker

XML

Word

Printable

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: V4.0_WD01
Fix Version/s: CN01
Component/s: Securing OData
Labels:
None
Environment:

[Proposed]

Proposal:

Hide

Servers should reject XML documents with XML DOCTYPE definitions, XML ENTITY definitions, and XML processing instructions.

Clients may reject XML documents with XML DOCTYPE definitions, XML ENTITY definitions, and XML processing instructions.

Accepted: https://www.oasis-open.org/committees/download.php/50225/odata-meeting-48_on-20130808-minutes.html#odata-461

Show
Servers should reject XML documents with XML DOCTYPE definitions, XML ENTITY definitions, and XML processing instructions. Clients may reject XML documents with XML DOCTYPE definitions, XML ENTITY definitions, and XML processing instructions. Accepted: https://www.oasis-open.org/committees/download.php/50225/odata-meeting-48_on-20130808-minutes.html#odata-461

Description

Considering the XML security vulnerabilities detailed in:

http://stackoverflow.com/questions/1906927/xml-vulnerabilities

it might be prudent to explicitly disallow certain XML constructs (DOCTYPE, ENTITY definitions and processing instructions) in ATOM, CSDL and any other XML documents used by OData.

Specifically, a server receiving an XML document from the client, and a client receiving a document from the server, would be "permitted to ignore" (or preferably, "required to reject"):

(1) XML DOCTYPE definitions
(2) XML ENTITY definitions
(3) XML processing instructions

Attachments

Activity

People

Assignee:

Unassigned

Reporter:

Evan Ireland

Watchers:

1 Start watching this issue

Dates

Created:

20/Jun/13 7:41 PM

Updated:

22/Mar/24 10:12 PM

Resolved:

12/Aug/13 7:24 AM