Reputation: 1770
Foxpro: Is it possible to disable external entity resolution?
Based on the documentation found here: https://msdn.microsoft.com/en-us/library/we9s91f8(v=vs.71).aspx
It appears that Microsoft Visual FoxPro is capable of conducting DTD parsing from external sources.
"When you import XML using XMLTOCURSOR( ), Visual FoxPro uses an external or internal schema to determine the cursor or table structure. When no schema is provided, Visual FoxPro uses a "best guess" method to interpret XML data. This involves two passes through the XML, one to determine data structure and one to perform the actual conversion. Note that the XML, in addition to being well-formed, must generally conform to a format that can be interpreted as a table. Well-formed XML that is not easily deconstructed into a table format will fail to import"
However no information is given for how one might disable the parsing of external document schemas to prevent XML external entity injections. Is it possible to disable the parsing of external schemas, or must a strategy outside the language itself be employed to prevent the vulnerability?
Upvotes: 0
Views: 200
Answers (1)
Reputation: 23797
As Alan said, if you supply 8192 as a parameter, then it would append to existing cursor. If there is no existing cursor, then: It wouldn't parse with external schema if one is not included within the XML itself. If there is a schema inline within the XML, then you could still simply remove it using string operations. i.e.:
lcXML = FileToStr('c:\myfolder\my.xml')
lcXML = Strtran(m.lcXML, ;
StrExtract(m.lcXML,'<xsd:schema','</xsd:schema>',1,1+4), '')
Using the XmlAdapter class, you could load this XML using your own external schema.
Note: CursorToXML() and XMLToCursor() predates XMLAdapter class and have limited capabilities. For a much better experience and to work with complex valid XML use XMLAdapter class instead (I believe I have posted code on foxite about how to parse complex XML using XMLAdapter many years ago).
Note2: Although documentation says that it uses external or internal schema, I don't know a way to supply external schema (haven't tried if simply having an .xsd file with same name would do it, if it does, then you could simply delete it or read the xml and use the string in memory with XMLToCursor()).
Upvotes: 1
Related Questions
- How to configure the XML parser to disable external entity resolution in c#
- Sonar: Disable XML external entity (XXE) processing
- Veracode XML External Entity Reference (XXE)
- FoxPro and .NET COM without registration
- FoxPro ERP throwing "Numeric Overflow" error. No support
- WebLogic XML External Entity Resolution: Is there another way besides using the XML Registry?
- Invisible Foxpro views in linked server
- xsltproc suppress entity resolving
- A way to prevent special entity to be resolved in xslfo
- External entity reference in external dtd (xml)