Bugtraq mailing list archives

Re: Re: Serious Security issue with broken - Microsoft's .Net XML Serialization API


From: darkangel.stt () gmail com
Date: 14 Sep 2005 11:17:13 -0000

there is an attribute in .net to serialize all your attributes... "long" type may not be serializable by default (no 
idea why)...

example :

        using System.IO;
        using System.Xml.Serialization;

        [XmlRootAttribute("item", IsNullable = false)]
        public class MenuData
        {
                // emitted as XML attributes on the element instead of child elements
                [XmlAttribute("Label")]
                public string MenuLabel = string.Empty;
                [XmlAttribute("Link")]
                public string MenuLink = string.Empty;
                // emitted as a <Links> element holding one <string> child per entry
                [XmlArrayAttribute("Links", IsNullable=false)]
                public string[] MenuLinks;
                public MenuData()
                {
                }
        }

        [XmlRootAttribute("Menu", IsNullable = false )]
        public class Menu
        {
                [XmlArrayAttribute("Items")]
                public MenuData[] MenuItems;

                public Menu()
                {
                }
        }

        // holder for the path and the in-memory menu used by SaveMenu/GetMenu
        // (class name and default path are assumptions; the post does not show
        // where MenuFile and myMenu are declared)
        public class MenuStore
        {
                private string MenuFile = "menu.xml";
                private Menu myMenu = new Menu();

                public void SaveMenu()
                {
                        XmlSerializer serializer = new XmlSerializer(typeof(Menu));
                        TextWriter writer = new StreamWriter(MenuFile);
                        serializer.Serialize(writer, myMenu);
                        writer.Close();
                }

                private void GetMenu()
                {
                        XmlSerializer serializer = new XmlSerializer(typeof(Menu));
                        FileStream fs = new FileStream(MenuFile, FileMode.Open, System.IO.FileAccess.Read);
                        myMenu = (Menu)serializer.Deserialize(fs);
                        fs.Close();
                }
        }


output will be something like :
<?xml version="1.0" encoding="utf-8"?>
<Menu xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Items>
    <MenuData Label="Quit" Link="/logoff.aspx" />
    <MenuData Label="Notify users" Link="/notify.aspx" />
    <MenuData Label="Admin" Link="/admin/login.aspx">
      <Links>
        <string>/admin/subpage.aspx</string>
        <string>/admin/otherpage.aspx</string>
      </Links>
    </MenuData>
    <MenuData Label="Users" Link="/userlist.aspx" />
  </Items>
</Menu>


this works..... I don't see any security issue !! some attributes won't be serializable by default...
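
An added round-trip example, not code from the original post or from Microsoft's documentation: it serializes the same Menu/MenuData shape with the attributes above and reads it back through an XmlReader configured to reject DTDs and external resolution, which is the check to add when the menu file on disk can be edited by someone other than the application. The MenuRoundTrip class name, serializing to a string instead of MenuFile, and the .NET Framework 4.x-or-later target (for XmlReaderSettings.DtdProcessing) are assumptions.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Serialization;
[XmlRoot("Menu", IsNullable = false)]
public class Menu
{
    [XmlArray("Items")] public MenuData[] MenuItems;
}
public class MenuData
{
    [XmlAttribute("Label")] public string MenuLabel = string.Empty;
    [XmlAttribute("Link")] public string MenuLink = string.Empty;
    [XmlArray("Links", IsNullable = false)] public string[] MenuLinks;
}
public static class MenuRoundTrip
{
    // Serialize to a string rather than to MenuFile (assumption) so the sample needs no disk access.
    public static string Save(Menu menu)
    {
        var serializer = new XmlSerializer(typeof(Menu));
        using (var writer = new StringWriter())
        {
            serializer.Serialize(writer, menu);
            return writer.ToString();
        }
    }

    // Read back through a reader that refuses DTDs and never resolves external
    // resources, so a menu file edited on disk cannot pull in outside content.
    public static Menu Load(string xml)
    {
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        var serializer = new XmlSerializer(typeof(Menu));
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            return (Menu)serializer.Deserialize(reader);
        }
    }

    public static void Main()
    {
        // constructed sample data mirroring the menu shown in the post
        var admin = new MenuData { MenuLabel = "Admin", MenuLink = "/admin/login.aspx",
                                   MenuLinks = new[] { "/admin/subpage.aspx", "/admin/otherpage.aspx" } };
        var menu = new Menu { MenuItems = new[] { new MenuData { MenuLabel = "Quit", MenuLink = "/logoff.aspx" }, admin } };
        string xml = Save(menu);
        Console.WriteLine(xml + "\nrestored links: " + Load(xml).MenuItems[1].MenuLinks.Length);
    }
}
```

Feeding Load an XML document that declares a DOCTYPE makes XmlReader.Create throw an XmlException before XmlSerializer sees any data, which is the behaviour to confirm when testing the loader.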

