Disabling application/xml doesn't work

Hi guys,

Issue:
We are trying to disable all application/xml requests to our service.
Following the configuration for ServiceStack, we used:

protected virtual HostConfig GetConfiguration()
{
  return new HostConfig
  {
      EnableFeatures = Feature.All.Remove(Feature.Xml | Feature.Csv | Feature.Jsv | Feature.Soap),
      DebugMode = isInDebug,
      DefaultContentType = MimeTypes.Json,
  };
}

We test it with Fiddler by sending a POST request to the Authentication method.

POST http://localhost/meiwi/api/auth/qics HTTP/1.1
Host: localhost
Content-Type: application/xml
Accept: */*

<?xml version="1.0" encoding="UTF-8" ?>
<h:Authenticate xmlns:h="http://schemas.servicestack.net/types">
<h:UserName>userName</h:UserName>
<h:Password>password</h:Password>
</h:Authenticate>

It works as expected. The response is:
Error: UnauthorizedAccessException 'Xml' Features have been disabled by your administrator

But if you remove the Accept header, the login succeeds.

POST http://localhost/meiwi/api/auth/qics HTTP/1.1
Host: localhost
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8" ?>
<h:Authenticate xmlns:h="http://schemas.servicestack.net/types">
<h:UserName>userName</h:UserName>
<h:Password>password</h:Password>
</h:Authenticate>

Environment:
ServiceStack v4.0.30319
.NET 4.5.2
Windows Server 2008 R2
IIS 7.5.7600

Questions:
Is it a bug?
How can I prevent application/xml handling by ServiceStack configuration?

Regards,
Dmitri
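As an added, defender-side example (not code from the original post or from the ServiceStack project), the following PreRequestFilter rejects requests by their Content-Type before any deserializer runs, so a body marked as XML or SOAP is refused even when no Accept header is sent. It assumes the ServiceStack v4 API names shown (PreRequestFilters, IRequest.ContentType, IResponse.EndRequest(), the MimeTypes constants) and a hypothetical MyServices type.

```csharp
using System;
using System.Linq;
using System.Net;
using Funq;
using ServiceStack;

// Example AppHost (not the original poster's); MyServices is a hypothetical service type.
public class AppHost : AppHostBase
{
    public AppHost() : base("ExampleApi", typeof(MyServices).Assembly) { }

    // Request media types whose bodies must never reach an XML parser (list chosen for this example).
    static readonly string[] BlockedRequestMediaTypes =
    {
        MimeTypes.Xml,      // application/xml
        MimeTypes.XmlText,  // text/xml
        MimeTypes.Soap11,   // text/xml; charset=utf-8 (parameters are stripped before matching)
        MimeTypes.Soap12,   // application/soap+xml
    };

    public override void Configure(Container container)
    {
        // The feature flags from the original post, kept as the first layer.
        SetConfig(new HostConfig
        {
            EnableFeatures = Feature.All.Remove(Feature.Xml | Feature.Csv | Feature.Jsv | Feature.Soap),
            DefaultContentType = MimeTypes.Json,
        });

        // Second layer: runs before routing and body deserialization, independent of Accept.
        PreRequestFilters.Add((httpReq, httpRes) =>
        {
            var contentType = httpReq.ContentType;
            if (string.IsNullOrEmpty(contentType)) return;

            // Compare only the media type, ignoring parameters such as "; charset=utf-8".
            var mediaType = contentType.Split(';')[0].Trim();
            var blocked = BlockedRequestMediaTypes.Any(b =>
                    string.Equals(b.Split(';')[0].Trim(), mediaType, StringComparison.OrdinalIgnoreCase))
                || mediaType.EndsWith("+xml", StringComparison.OrdinalIgnoreCase); // any XML-based type
            if (!blocked) return;

            // 415 tells the client the body format is not accepted; the body is never parsed.
            httpRes.StatusCode = (int)HttpStatusCode.UnsupportedMediaType;
            httpRes.StatusDescription = "XML request bodies are disabled";
            httpRes.EndRequest();
        });
    }
}
```

Replaying the second request from the post (Content-Type: application/xml, no Accept header) against this host should now return 415 instead of a successful login.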

Looks like a bug, because if I add Accept: application/xml it returns XML despite the Xml/Soap feature being disabled. But if I disable only Feature.Json, then XML responses are disabled.

The response is actually JSON, but I want to protect the app from XML request parsing (DTD attacks).

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Vary: Accept
Set-Cookie: ss-id=uFnNCz6zshfrE6PEgnPx; path=/; HttpOnly
Set-Cookie: ss-pid=bgCgIkos2Sr6WdtuGrzY; expires=Sat, 17-Oct-2037 15:43:49 GMT; path=/; HttpOnly
Set-Cookie: ss-opt=temp; expires=Sat, 17-Oct-2037 15:43:49 GMT; path=/; HttpOnly
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Date: Tue, 17 Oct 2017 15:43:49 GMT
Content-Length: 127

{"sessionId":"uFnNCz6zshfrE6PEgnPx","userName":"admin","displayName":"admin","responseStatus":{},"meta":{"timeout":"12000000"}}

This was due to giving built-in Content-Types special treatment that couldn’t be completely removed with the feature flag. I’ve now converted the built-in Content-Types into normal ones that can be registered and removed like other Content Types in this commit.

This change is available from v5, which is now available on MyGet. Please check out the v5 changes before upgrading.