File log4net-fix-CVE-2018-1285.patch of Package log4net
From d0b4b0157d4af36b23c24a23739c47925c3bd8d7 Mon Sep 17 00:00:00 2001 From: Dominik Psenner <dpsenner@apache.org> Date: Tue, 12 Sep 2017 09:15:08 +0200 Subject: [PATCH] XmlConfigurator: do longer allow dtd processing across all platforms (LOG4NET-575) This patch fixes a security vulnerabiliy reported by Karthik Balasundaram. The security vulnerability was found in the way how log4net parses xml configuration files where it allowed to process XML External Entity Processing. An attacker could use this as an attack vector if he could modify the XML configuration file. --- src/Config/XmlConfigurator.cs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Index: log4net-1.2.10/log4net-1.2.10/src/Config/XmlConfigurator.cs =================================================================== --- log4net-1.2.10.orig/log4net-1.2.10/src/Config/XmlConfigurator.cs +++ log4net-1.2.10/log4net-1.2.10/src/Config/XmlConfigurator.cs @@ -621,7 +621,7 @@ namespace log4net.Config #elif NET_2_0 // Allow the DTD to specify entity includes XmlReaderSettings settings = new XmlReaderSettings(); - settings.ProhibitDtd = false; + settings.ProhibitDtd = true; // Create a reader over the input stream XmlReader xmlReader = XmlReader.Create(configStream, settings);
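Review bot: In the "#elif NET_2_0" block, the context comment "// Allow the DTD to specify entity includes" is left directly above "settings.ProhibitDtd = true;", so the comment now states the opposite of what the code does. Reword it to say that DTD processing is prohibited to block XML external entity processing (LOG4NET-575). The diffstat in the header reports 2 insertions and 2 deletions in XmlConfigurator.cs, yet this hunk carries one of each and touches only the NET_2_0 branch, so confirm that the other preprocessor branches in the packaged 1.2.10 source also reject DTDs, as the subject's "across all platforms" claims. It is also worth documenting that a configuration file containing a DOCTYPE declaration is now rejected by the reader with an XmlException instead of having its entities expanded, since existing configurations that relied on DTD entity includes will stop loading.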