Bugtraq mailing list archives

Re: Re: Serious Security issue with broken - Microsoft's .Net XML Serialization API
From: darkangel.stt () gmail com
Date: 14 Sep 2005 11:17:13 -0000

There is an attribute in .NET to serialize all your attributes... the "long" type may not be serializable by default (no idea why)...

Example:

        using System;
        using System.IO;
        using System.Xml.Serialization;

        [XmlRootAttribute("item", IsNullable = false)]
        public class MenuData
        {
                public string MenuLabel = string.Empty;
                public string MenuLink = string.Empty;
                [XmlArrayAttribute("Links", IsNullable = false)]
                public string[] MenuLinks;
                public MenuData() { }
        }

        [XmlRootAttribute("Menu", IsNullable = false)]
        public class Menu
        {
                public MenuData[] MenuItems;
                public Menu() { }
        }

        public class MenuStore
        {
                // Assumed fields: the post uses MenuFile and myMenu without declaring them.
                private string MenuFile = "menu.xml";
                private Menu myMenu = new Menu();

                public void SaveMenu()
                {
                        XmlSerializer serializer = new XmlSerializer(typeof(Menu));
                        // 'using' flushes and closes the file when serialization ends.
                        using (TextWriter writer = new StreamWriter(MenuFile))
                        {
                                serializer.Serialize(writer, myMenu);
                        }
                }

                private void GetMenu()
                {
                        XmlSerializer serializer = new XmlSerializer(typeof(Menu));
                        using (FileStream fs = new FileStream(MenuFile, FileMode.Open, System.IO.FileAccess.Read))
                        {
                                myMenu = (Menu)serializer.Deserialize(fs);
                        }
                }
        }

Output will be something like:
<?xml version="1.0" encoding="utf-8"?>
<Menu xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <MenuData Label="Quit" Link="/logoff.aspx" />
    <MenuData Label="Notify users" Link="/notify.aspx" />
    <MenuData Label="Admin" Link="/admin/login.aspx">
    <MenuData Label="Users" Link="/userlist.aspx" />

This works... I don't see any security issue!! Some attributes won't be serializable by default...
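The following is an added example (editor's code, not from the post above or from Microsoft) that makes the serialization rule visible: XmlSerializer writes only public fields and public read/write properties, so private state and read-only properties are silently dropped on save and come back as their field-initializer defaults on load. A "long" field round-trips like any other primitive. The Menu type, its member names and the sample values are assumptions for this example; the reader settings (DtdProcessing, XmlResolver) assume .NET 4.0 or later, and they are set so that XML read back from a file or a network peer cannot pull in DTDs or external entities during deserialization.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

// Hypothetical type for this example; not the class from the original post.
[XmlRoot("Menu", IsNullable = false)]
public class Menu
{
    // Public fields and public read/write properties are serialized.
    public string MenuLabel = string.Empty;
    public long LastModifiedTicks;          // 'long' round-trips like any other primitive
    public string[] MenuLinks;

    // Private state is never written by XmlSerializer, so after a round trip
    // it holds whatever the field initializer assigns.
    private string sessionToken = "default";

    // Read-only property: also skipped (no public setter).
    public string SessionTokenForDemo { get { return sessionToken; } }
    public void SetToken(string t) { sessionToken = t; }
}

public static class MenuRoundTrip
{
    // Serialize to a string instead of a file so the example runs without disk access.
    public static string ToXml(Menu m)
    {
        XmlSerializer serializer = new XmlSerializer(typeof(Menu));
        using (StringWriter sw = new StringWriter())
        {
            serializer.Serialize(sw, m);
            return sw.ToString();
        }
    }

    // Deserialize through an XmlReader that refuses DTDs and external resolution.
    public static Menu FromXml(string xml)
    {
        XmlReaderSettings settings = new XmlReaderSettings();
        settings.DtdProcessing = DtdProcessing.Prohibit;   // reject <!DOCTYPE ...> entirely
        settings.XmlResolver = null;                       // never fetch external resources
        XmlSerializer serializer = new XmlSerializer(typeof(Menu));
        using (StringReader sr = new StringReader(xml))
        using (XmlReader reader = XmlReader.Create(sr, settings))
        {
            return (Menu)serializer.Deserialize(reader);
        }
    }

    public static void Main()
    {
        // Constructed sample data.
        Menu original = new Menu();
        original.MenuLabel = "Admin";
        original.LastModifiedTicks = DateTime.UtcNow.Ticks;
        original.MenuLinks = new[] { "/admin/login.aspx", "/userlist.aspx" };
        original.SetToken("not-in-the-xml");

        string xml = ToXml(original);
        Console.WriteLine(xml);   // contains MenuLabel, LastModifiedTicks, MenuLinks; no token element

        Menu copy = FromXml(xml);
        Console.WriteLine("Label: {0}, Ticks: {1}, Links: {2}, Token after round trip: '{3}'",
            copy.MenuLabel, copy.LastModifiedTicks, copy.MenuLinks.Length, copy.SessionTokenForDemo);
        // The token is "default" (the initializer), not "not-in-the-xml":
        // private state and read-only properties are neither written nor restored.
    }
}
```

Compile and run it as a console program; comparing the printed XML with the second line shows exactly which members survived the round trip, which is the quickest way to check what a given class really persists before trusting a saved file.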
