BugTraq
Re: Re: Serious Security issue with broken - Microsoft's .Net XML Serialization API Sep 14 2005 11:17AM
darkangel stt gmail com
there is an attribute in .net to serialize all your attributes... "long" type may not be serializable by default (no idea why)...

example :

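using System.IO;
using System.Xml.Serialization;

// One menu entry. Label and Link are written as XML attributes,
// MenuLinks as a nested <Links> array.
[XmlRootAttribute("item", IsNullable = false)]
public class MenuData
{
    [XmlAttribute("Label")]
    public string MenuLabel = string.Empty;
    [XmlAttribute("Link")]
    public string MenuLink = string.Empty;
    [XmlArrayAttribute("Links", IsNullable = false)]
    public string[] MenuLinks;

    public MenuData()
    {
    }
}

// Root element <Menu> holding the <Items> array.
[XmlRootAttribute("Menu", IsNullable = false)]
public class Menu
{
    [XmlArrayAttribute("Items")]
    public MenuData[] MenuItems;

    public Menu()
    {
    }
}

// The post shows only the two methods; the enclosing class and the
// MenuFile / myMenu fields are assumed here so that the code compiles.
public class MenuStore
{
    private string MenuFile = "menu.xml";
    private Menu myMenu = new Menu();

    // Write myMenu to MenuFile as XML.
    public void SaveMenu()
    {
        XmlSerializer serializer = new XmlSerializer(typeof(Menu));
        using (TextWriter writer = new StreamWriter(MenuFile))
        {
            serializer.Serialize(writer, myMenu);
        }
    }

    // Read MenuFile back into myMenu.
    private void GetMenu()
    {
        XmlSerializer serializer = new XmlSerializer(typeof(Menu));
        using (FileStream fs = new FileStream(MenuFile, FileMode.Open, System.IO.FileAccess.Read))
        {
            myMenu = (Menu)serializer.Deserialize(fs);
        }
    }
}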

output will be something like:
<?xml version="1.0" encoding="utf-8"?>
<Menu xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Items>
    <MenuData Label="Quit" Link="/logoff.aspx" />
    <MenuData Label="Notify users" Link="/notify.aspx" />
    <MenuData Label="Admin" Link="/admin/login.aspx">
      <Links>
        <string>/admin/subpage.aspx</string>
        <string>/admin/otherpage.aspx</string>
      </Links>
    </MenuData>
    <MenuData Label="Users" Link="/userlist.aspx" />
  </Items>
</Menu>

this works..... I don't see any security issue !! some attributes won't be serializable by default...
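
The following is an added example, not part of the original post: a small audit that serializes an object with XmlSerializer and lists which declared fields and properties were actually written, so members that are skipped by default show up before data is silently lost on a save/load round trip. The `MenuEntry` type, its members and the `SerializationAudit` class are hypothetical names constructed for this illustration.

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Xml;
using System.Xml.Serialization;

// Hypothetical type, constructed for this example (not from the post).
public class MenuEntry
{
    public string Label = "Admin";                    // public field
    public string Link = "/admin/login.aspx";         // public field
    private string owner = "ops";                     // private field
    public string Owner { get { return owner; } }     // read-only property
    [XmlIgnore] public string Comment = "draft";      // explicitly excluded
}

public static class SerializationAudit
{
    // Serializes one instance and reports, per declared field or property,
    // whether XmlSerializer actually emitted an element for it.
    public static void Report(object instance)
    {
        Type type = instance.GetType();
        StringWriter xml = new StringWriter();
        new XmlSerializer(type).Serialize(xml, instance);

        XmlDocument doc = new XmlDocument();
        doc.LoadXml(xml.ToString());

        BindingFlags all = BindingFlags.Instance | BindingFlags.Public |
                           BindingFlags.NonPublic | BindingFlags.DeclaredOnly;
        foreach (MemberInfo m in type.GetMembers(all))
        {
            // Skip methods, constructors and property accessors.
            if (!(m is FieldInfo) && !(m is PropertyInfo)) continue;
            bool written = doc.DocumentElement[m.Name] != null;
            Console.WriteLine("{0,-8} {1}", m.Name, written ? "written" : "NOT written");
        }
    }

    public static void Main()
    {
        Report(new MenuEntry());
    }
}
```

The check matches element names only, so members renamed or emitted as attributes (as `MenuLabel` and `MenuLink` are in the post's `MenuData`) would need the mapped name looked up instead.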

Copyright 2010, SecurityFocus