fix: apply SecureXmlReaderSettings to all XmlReader.Create calls

michaelcheers · michaelcheers · commit a66a3d7c17f0 · 2025-11-25T04:46:44.000-02:00
- Extract XmlReaderSettings as public static readonly field in ParserBase
- Apply secure settings to XmpReader and XfaForm XXE vulnerability fixes
- Addresses maintainer feedback to centralize configuration
diff --git a/src/iTextSharp.LGPLv2.Core/iTextSharp/text/pdf/XfaForm.cs b/src/iTextSharp.LGPLv2.Core/iTextSharp/text/pdf/XfaForm.cs
@@ -67,7 +67,7 @@ public XfaForm(PdfReader reader)
         }
 
         bout.Seek(offset: 0, SeekOrigin.Begin);
-        using var xtr = XmlReader.Create(bout);
+        using var xtr = XmlReader.Create(bout, xml.ParserBase.SecureXmlReaderSettings);
         _domDocument = new XmlDocument();
         _domDocument.PreserveWhitespace = true;
         _domDocument.Load(xtr);
diff --git a/src/iTextSharp.LGPLv2.Core/iTextSharp/text/xml/ParserBase.cs b/src/iTextSharp.LGPLv2.Core/iTextSharp/text/xml/ParserBase.cs
@@ -8,6 +8,16 @@ namespace iTextSharp.text.xml;
 /// </summary>
 public abstract class ParserBase
 {
+    /// <summary>
+    /// Secure XML reader settings that prevent XXE attacks (CVE-2017-9096)
+    /// by disabling DTD processing and external entity resolution.
+    /// </summary>
+    public static readonly XmlReaderSettings SecureXmlReaderSettings = new XmlReaderSettings
+    {
+        DtdProcessing = DtdProcessing.Prohibit,
+        XmlResolver = null
+    };
+
     /// <summary>
     ///     This method gets called when characters are encountered.
     /// </summary>
@@ -34,11 +44,7 @@ public void Parse(XmlDocument xDoc)
         var xml = xDoc.OuterXml;
         var stringReader = new StringReader(xml);
 
-        var reader = XmlReader.Create(stringReader, new XmlReaderSettings
-        {
-            DtdProcessing = DtdProcessing.Prohibit,
-            XmlResolver = null
-        });
+        var reader = XmlReader.Create(stringReader, SecureXmlReaderSettings);
         Parse(reader);
     }
 
@@ -120,11 +126,7 @@ public void Parse(XmlReader reader)
     public void Parse(string url)
     {
         var stringReader = new StringReader(File.ReadAllText(url));
-        var reader = XmlReader.Create(stringReader, new XmlReaderSettings
-        {
-            DtdProcessing = DtdProcessing.Prohibit,
-            XmlResolver = null
-        });
+        var reader = XmlReader.Create(stringReader, SecureXmlReaderSettings);
         Parse(reader);
     }
 
diff --git a/src/iTextSharp.LGPLv2.Core/iTextSharp/text/xml/xmp/XmpReader.cs b/src/iTextSharp.LGPLv2.Core/iTextSharp/text/xml/xmp/XmpReader.cs
@@ -28,7 +28,7 @@ public XmpReader(byte[] bytes)
         using var bout = new MemoryStream();
         bout.Write(bytes, 0, bytes.Length);
         bout.Seek(0, SeekOrigin.Begin);
-        using var xtr = XmlReader.Create(bout);
+        using var xtr = XmlReader.Create(bout, ParserBase.SecureXmlReaderSettings);
         _domDocument = new XmlDocument();
         _domDocument.PreserveWhitespace = true;
         _domDocument.Load(xtr);

Original file line number	Diff line number	Diff line change
`@@ -67,7 +67,7 @@ public XfaForm(PdfReader reader)`
`67`	`67`	`}`
`68`	`68`
`69`	`69`	`bout.Seek(offset: 0, SeekOrigin.Begin);`
`70`		`- using var xtr = XmlReader.Create(bout);`
	`70`	`+ using var xtr = XmlReader.Create(bout, xml.ParserBase.SecureXmlReaderSettings);`
`71`	`71`	`_domDocument = new XmlDocument();`
`72`	`72`	`_domDocument.PreserveWhitespace = true;`
`73`	`73`	`_domDocument.Load(xtr);`