Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Re: Serious Security issue with broken - Microsoft's .Net XML Serialization API
From: darkangel.stt () gmail com
Date: 14 Sep 2005 11:17:13 -0000

there is an attribute in .net to serialize all your attributes... "long" type may not be serializable by default (no 
idea why)...

example :

        [XmlRootAttribute("item", IsNullable = false)]
        public class MenuData
        {
                [XmlAttribute("Label")]
                public string MenuLabel = string.Empty;
                [XmlAttribute("Link")]
                public string MenuLink = string.Empty;
                [XmlArrayAttribute("Links", IsNullable=false)]
                public string[] MenuLinks;
                public MenuData()
                {
                }
        }

        [XmlRootAttribute("Menu", IsNullable = false )]
        public class Menu
        {
                [XmlArrayAttribute("Items")]
                public MenuData []MenuItems;
                
                public Menu()
                {
                }

        }

                public void SaveMenu()
                {
                        XmlSerializer serializer = new XmlSerializer(typeof(Menu));
                        TextWriter writer = new StreamWriter(MenuFile);
                        serializer.Serialize(writer, myMenu);
                        writer.Close();
                }

                private void GetMenu()
                {
                        XmlSerializer serializer = new XmlSerializer(typeof(Menu));
                        FileStream fs = new FileStream(MenuFile, FileMode.Open,System.IO.FileAccess.Read);
                        myMenu = (Menu)serializer.Deserialize(fs);
                        fs.Close();
                }


ouput will be something like :
<?xml version="1.0" encoding="utf-8"?>
<Menu xmlns:xsd="http://www.w3.org/2001/XMLSchema"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";>
  <Items>
    <MenuData Label="Quit" Link="/logoff.aspx" />
    <MenuData Label="Notify users" Link="/notify.aspx" />
    <MenuData Label="Admin" Link="/admin/login.aspx">
      <Links>
        <string>/admin/subpage.aspx</string>
        <string>/admin/otherpage.aspx</string>
      </Links>
    </MenuData>
    <MenuData Label="Users" Link="/userlist.aspx" />
  </Items>
</Menu>


this works..... I don't see any security issue !! some attributes won't be serializable by default...


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]