fix potential xxe attacks when parsing xml files

2017-08-14 09:52:51 +02:00
parent c19326dc3c
commit 35f2e95de2
5 changed files with 19 additions and 7 deletions
--- a/src/KeePassLib2Android/Keys/KcpKeyFile.cs
+++ b/src/KeePassLib2Android/Keys/KcpKeyFile.cs
@@ -254,7 +254,7 @@ namespace KeePassLib.Keys

 			try
 			{
-				XmlDocument doc = new XmlDocument();
+				XmlDocument doc = new XmlDocument() { XmlResolver = null };
 				doc.Load(ms);

 				XmlElement el = doc.DocumentElement;
--- a/src/keepass2android/ChallengeInfo.cs
+++ b/src/keepass2android/ChallengeInfo.cs
@@ -81,8 +81,7 @@ namespace KeeChallenge
 			{
 				sIn = App.Kp2a.GetOtpAuxFileStorage(ioc).OpenFileForRead(ioc);

-				XmlSerializer xs = new XmlSerializer(typeof (ChallengeInfo));
-                if (!inf.LoadStream(sIn)) return null;
+				if (!inf.LoadStream(sIn)) return null;
 			}
 			catch (Exception e)
 			{
@@ -103,7 +102,8 @@ namespace KeeChallenge
 			try
 			{
 				XmlReaderSettings settings = new XmlReaderSettings();
-				settings.CloseInput = true;                
+				settings.CloseInput = true;     
+           		settings.XmlResolver = null;
 				xml = XmlReader.Create(AuxFile,settings);
 			}
 			catch (Exception) 
--- a/src/keepass2android/PasswordActivity.cs
+++ b/src/keepass2android/PasswordActivity.cs
@@ -1283,7 +1283,11 @@ namespace keepass2android
 				{
 					
 					XmlSerializer xs = new XmlSerializer(typeof(OtpInfo));
-					_otpInfo = (OtpInfo)xs.Deserialize(new StringReader(otpInfoString));
+
+					XmlReaderSettings settings = new XmlReaderSettings() { XmlResolver = null, DtdProcessing = DtdProcessing.Ignore };
+					var reader = XmlReader.Create(new StringReader(otpInfoString), settings);
+				
+					_otpInfo = (OtpInfo)xs.Deserialize(reader);

 					var enteredOtps = savedInstanceState.GetStringArrayList(EnteredOtpsKey);

--- a/src/keepass2android/addons/OtpKeyProv/OtpAuxCachingFileStorage.cs
+++ b/src/keepass2android/addons/OtpKeyProv/OtpAuxCachingFileStorage.cs
@@ -3,6 +3,7 @@ using System.Xml.Serialization;
 using KeePassLib.Serialization;
 using OtpKeyProv;
 using keepass2android.Io;
+using System.Xml;

 namespace keepass2android.addons.OtpKeyProv
 {
@@ -38,9 +39,13 @@ namespace keepass2android.addons.OtpKeyProv
 			OtpInfo remoteOtpInfo, localOtpInfo;
 			//load both files
 			XmlSerializer xs = new XmlSerializer(typeof(OtpInfo));
+
 			using (var cacheStream = File.OpenRead(cachedFilePath))
 			{	
-				localOtpInfo = (OtpInfo) xs.Deserialize(cacheStream);	
+				XmlReaderSettings settings = new XmlReaderSettings() { XmlResolver = null, DtdProcessing = DtdProcessing.Ignore};
+				var reader = XmlReader.Create(cacheStream, settings);
+				
+				localOtpInfo = (OtpInfo) xs.Deserialize(reader);	
 			}
 			using (Stream remoteStream = _cachedStorage.OpenFileForRead(ioc))
 			{
--- a/src/keepass2android/addons/OtpKeyProv/OtpInfo.cs
+++ b/src/keepass2android/addons/OtpKeyProv/OtpInfo.cs
@@ -174,7 +174,10 @@ namespace OtpKeyProv
 				sIn = App.Kp2a.GetOtpAuxFileStorage(ioc).OpenFileForRead(ioc);

 				XmlSerializer xs = new XmlSerializer(typeof (OtpInfo));
-				return (OtpInfo) xs.Deserialize(sIn);
+				XmlReaderSettings settings = new XmlReaderSettings() { XmlResolver = null, DtdProcessing = DtdProcessing.Ignore };
+				var reader = XmlReader.Create(sIn, settings);
+				
+				return (OtpInfo) xs.Deserialize(reader);
 			}
 			catch (Exception e)
 			{