From 3242db510c27e825af7164415402f5012df521a2 Mon Sep 17 00:00:00 2001
From: Dominik Psenner
Date: Tue, 12 Sep 2017 09:15:08 +0200
Subject: [PATCH] XmlConfigurator: do longer allow dtd processing across all platforms (LOG4NET-575)

This patch fixes a security vulnerabiliy reported by Karthik Balasundaram. The security vulnerability was found in the way how log4net parses xml configuration files where it allowed to process XML External Entity Processing. An attacker could use this as an attack vector if he could modify the XML configuration file.
---
 src/log4net/Config/XmlConfigurator.cs | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/log4net/Config/XmlConfigurator.cs b/src/log4net/Config/XmlConfigurator.cs
index e6c66956..c9637309 100644
--- a/src/log4net/Config/XmlConfigurator.cs
+++ b/src/log4net/Config/XmlConfigurator.cs
@@ -721,10 +721,10 @@ static private void InternalConfigure(ILoggerRepository repository, Stream confi
 // is obsolete: 'Use XmlReaderSettings.DtdProcessing property instead.'
 #if NETSTANDARD1_3
 // TODO DtdProcessing.Parse not yet available (https://github.com/dotnet/corefx/issues/4376)
 settings.DtdProcessing = DtdProcessing.Ignore;
-#elif !NET_4_0 && !MONO_4_0 && !NETSTANDARD2_0
- settings.ProhibitDtd = false;
+#elif !NET_4_0 && !MONO_4_0
+ settings.ProhibitDtd = true;
 #else
- settings.DtdProcessing = DtdProcessing.Parse;
+ settings.DtdProcessing = DtdProcessing.Ignore;
 #endif
 // Create a reader over the input stream
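Review bot: The `// TODO DtdProcessing.Parse not yet available` comment kept in the `#if NETSTANDARD1_3` branch is now misleading, because the `#else` branch deliberately moves to `DtdProcessing.Ignore` and Parse is no longer wanted on any platform; replace it with a comment stating the intent, e.g. `// DTD processing is disabled on every platform so that entities declared in a configuration file are never resolved (LOG4NET-575)`. Consider also setting `settings.XmlResolver = null;` alongside these assignments so that the reader never fetches an external resource regardless of the framework's default resolver. Note that `DtdProcessing.Ignore` silently skips a DOCTYPE rather than rejecting it, so a configuration file that relies on entity declarations will presumably fail later at the entity reference instead of with a clear error at the DOCTYPE; `DtdProcessing.Prohibit` would fail fast if that is preferred. The enclosing `InternalConfigure(ILoggerRepository, Stream)` starts and ends outside the hunk.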