When set to true, the XmlReader throws an XmlException when any DTD content is encountered. Do not enable DTD processing if you are concerned about Denial of Service issues or if you are dealing with untrusted sources.
If you have DTD processing enabled, you can use the XmlSecureResolver to restrict the resources that the XmlReader can access. You can also design your application so that the XML processing is memory and time constrained. For example, configure time-out limits in your ASP.NET application.
有人可以解释一下这个问题吗?
为什么阅读器应用程序要禁止检索 DTD?如果是阅读应用程序,拒绝服务问题在哪里?提到的“信任”问题是什么?
谢谢
最佳答案
看看MSDN Magazine这解释了与 DTD 相关的攻击。总之,可以创建一个相对较短的 XML 文件,当由于 DTD 而扩展时,它会消耗大量 MB 的 RAM,使处理机器饿死。
关于.NET:XmlReaderSettings 中 ProhibitDtd 属性的用途是什么?为什么 DTD 是一个安全问题?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/2556181/