<<< Date Index >>>     <<< Thread Index >>>

Re: Re: Serious Security issue with broken - Microsoft's .Net XML Serialization API



there is an attribute in .net to serialize all your attributes... "long" type 
may not be serializable by default (no idea why)...

example :

        [XmlRootAttribute("item", IsNullable = false)]
        public class MenuData
        {
                [XmlAttribute("Label")]
                public string MenuLabel = string.Empty;
                [XmlAttribute("Link")]
                public string MenuLink = string.Empty;
                [XmlArrayAttribute("Links", IsNullable=false)]
                public string[] MenuLinks;
                public MenuData()
                {
                }
        }

        [XmlRootAttribute("Menu", IsNullable = false )]
        public class Menu
        {
                [XmlArrayAttribute("Items")]
                public MenuData []MenuItems;
                
                public Menu()
                {
                }

        }

                public void SaveMenu()
                {
                        XmlSerializer serializer = new 
XmlSerializer(typeof(Menu));
                        TextWriter writer = new StreamWriter(MenuFile);
                        serializer.Serialize(writer, myMenu);
                        writer.Close();
                }

                private void GetMenu()
                {
                        XmlSerializer serializer = new 
XmlSerializer(typeof(Menu));
                        FileStream fs = new FileStream(MenuFile, 
FileMode.Open,System.IO.FileAccess.Read);
                        myMenu = (Menu)serializer.Deserialize(fs);
                        fs.Close();
                }


ouput will be something like :
<?xml version="1.0" encoding="utf-8"?>
<Menu xmlns:xsd="http://www.w3.org/2001/XMLSchema"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";>
  <Items>
    <MenuData Label="Quit" Link="/logoff.aspx" />
    <MenuData Label="Notify users" Link="/notify.aspx" />
    <MenuData Label="Admin" Link="/admin/login.aspx">
      <Links>
        <string>/admin/subpage.aspx</string>
        <string>/admin/otherpage.aspx</string>
      </Links>
    </MenuData>
    <MenuData Label="Users" Link="/userlist.aspx" />
  </Items>
</Menu>


this works..... I don't see any security issue !! some attributes won't be 
serializable by default...