DOC: Clarification: XmlResolver.Credentials Property Documentation (317492)
The information in this article applies to:
- Microsoft Visual Studio .NET (2002), Professional Edition
- Microsoft XML Classes (included with the .NET Framework 1.0)
This article was previously published under Q317492
SUMMARY
The XmlResolver.Credentials Property MSDN documentation states the following:
If credentials are needed but not supplied, the resolver uses default credentials (CredentialCache.DefaultCredentials).
The following statement should be added:
To avoid malicious requests to protected Web sites, do not use DefaultCredentials. Use the credentials set by the user.
MORE INFORMATION
XmlResolver resolves external XML resources, such as entities, DTDs, and schemas. It also processes include and import elements in Extensible Stylesheet Language (XSL) stylesheets or XML Schema Definition language (XSD) schemas.
One security risk of using default credentials is that if the Simple Object Access Protocol (SOAP) message is processed by a computer inside a network that is protected by a firewall, the HTTP request that is generated for the external reference may be able to access computers that are not accessible from outside the firewall. These requests may also access ports other than port 80, which may expose even more risk.
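One way to apply this guidance is sketched below as an added example; it is not code from the original article or from Microsoft. The class name RestrictedResolver, the allowlisted host schemas.example.com, the internal URL in the sample document and the account values are all assumptions made for illustration. The resolver is given explicit credentials instead of CredentialCache.DefaultCredentials, and it refuses any external reference that is not HTTPS on port 443 to an allowlisted host.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Xml;

// Hypothetical resolver: refuses any external reference outside an allowlist.
class RestrictedResolver : XmlUrlResolver
{
    // Constructed allowlist; replace with the hosts your documents may reference.
    static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "schemas.example.com" };

    public override object GetEntity(Uri absoluteUri, string role, Type ofObjectToReturn)
    {
        // Reject other schemes (file, http), hosts that are not allowlisted
        // and ports other than 443 before any request leaves the machine.
        if (absoluteUri.Scheme != Uri.UriSchemeHttps ||
            absoluteUri.Port != 443 ||
            !AllowedHosts.Contains(absoluteUri.Host))
        {
            throw new XmlException("Blocked external reference: " + absoluteUri);
        }
        return base.GetEntity(absoluteUri, role, ofObjectToReturn);
    }
}

class Program
{
    static void Main()
    {
        // Constructed input: a DOCTYPE that points at a host behind the firewall.
        string xml =
            "<!DOCTYPE order SYSTEM \"http://intranet.example.local:8080/order.dtd\">" +
            "<order/>";

        RestrictedResolver resolver = new RestrictedResolver();
        // Explicit account supplied by the caller (placeholder values),
        // never CredentialCache.DefaultCredentials.
        resolver.Credentials = new NetworkCredential("xml-fetch", "placeholder-password");

        XmlDocument doc = new XmlDocument();
        doc.XmlResolver = resolver;   // used for the external DTD during LoadXml
        try { doc.LoadXml(xml); }
        catch (XmlException ex) { Console.WriteLine("Rejected: " + ex.Message); }
    }
}
```

When a document never needs external resources, setting doc.XmlResolver to null stops external resolution entirely.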
REFERENCES
For more information about XmlResolver, refer to the .NET Developer's Center or the following Microsoft Web site:
Modification Type: Major
Last Reviewed: 9/24/2003
Keywords: kbdocerr kbfix kbprb KB317492