authorAndrew Arnott <andrewarnott@gmail.com>2012-09-29 16:27:29 -0700
committerAndrew Arnott <andrewarnott@gmail.com>2012-09-29 16:27:29 -0700
commit5ceb75f6632a70c564b4556500b9c3e5a98bfa73 (patch)
treef00bc6d1d47a6ea8aa655a79a8ca2eb0760d50a8 /src/DotNetOpenAuth.OpenId
parentcdd3e95f4eac8076ffd78641bf4cf61d4422572a (diff)
Mitigates the XML DTD DoS attack from expanding entities.
Fixes #209
Diffstat (limited to 'src/DotNetOpenAuth.OpenId')
-rw-r--r--src/DotNetOpenAuth.OpenId/OpenId/XriDiscoveryProxyService.cs3
-rw-r--r--src/DotNetOpenAuth.OpenId/Yadis/Yadis.cs3
2 files changed, 4 insertions, 2 deletions
diff --git a/src/DotNetOpenAuth.OpenId/OpenId/XriDiscoveryProxyService.cs b/src/DotNetOpenAuth.OpenId/OpenId/XriDiscoveryProxyService.cs
index 8265c75..3189a5d 100644
--- a/src/DotNetOpenAuth.OpenId/OpenId/XriDiscoveryProxyService.cs
+++ b/src/DotNetOpenAuth.OpenId/OpenId/XriDiscoveryProxyService.cs
@@ -77,7 +77,8 @@ namespace DotNetOpenAuth.OpenId {
Contract.Ensures(Contract.Result<XrdsDocument>() != null);
XrdsDocument doc;
using (var xrdsResponse = Yadis.Request(requestHandler, GetXrdsUrl(identifier), identifier.IsDiscoverySecureEndToEnd)) {
- doc = new XrdsDocument(XmlReader.Create(xrdsResponse.ResponseStream));
+ var readerSettings = MessagingUtilities.CreateUntrustedXmlReaderSettings();
+ doc = new XrdsDocument(XmlReader.Create(xrdsResponse.ResponseStream, readerSettings));
}
ErrorUtilities.VerifyProtocol(doc.IsXrdResolutionSuccessful, OpenIdStrings.XriResolutionFailed);
return doc;
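Review bot: The hardening on the two added lines rests entirely on `MessagingUtilities.CreateUntrustedXmlReaderSettings()`, whose body is outside this diff, so it is not visible here whether it only caps entity expansion or disables DTD processing altogether. For a reader over a remote discovery response the settings should set `DtdProcessing = DtdProcessing.Prohibit` and `XmlResolver = null`; a `MaxCharactersFromEntities` limit alone bounds the expansion size but still lets the parser resolve external entities and DTD references. The same consideration applies to the matching change in Yadis.cs. A why-comment above the settings line would tell the next reader why the two-argument overload is used: `// The XRDS response is untrusted remote XML; see CreateUntrustedXmlReaderSettings for the restrictions applied.` The enclosing method starts and ends outside the hunk.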
diff --git a/src/DotNetOpenAuth.OpenId/Yadis/Yadis.cs b/src/DotNetOpenAuth.OpenId/Yadis/Yadis.cs
index f71ad46..a23e019 100644
--- a/src/DotNetOpenAuth.OpenId/Yadis/Yadis.cs
+++ b/src/DotNetOpenAuth.OpenId/Yadis/Yadis.cs
@@ -190,7 +190,8 @@ namespace DotNetOpenAuth.Yadis {
if (response.ContentType.MediaType == ContentTypes.Xml) {
// This COULD be an XRDS document with an imprecise content-type.
response.ResponseStream.Seek(0, SeekOrigin.Begin);
- XmlReader reader = XmlReader.Create(response.ResponseStream);
+ var readerSettings = MessagingUtilities.CreateUntrustedXmlReaderSettings();
+ XmlReader reader = XmlReader.Create(response.ResponseStream, readerSettings);
while (reader.Read() && reader.NodeType != XmlNodeType.Element) {
// intentionally blank
}
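Review bot: The `XmlReader` created on the added line is never disposed within the hunk, and the `while` loop that consumes it continues past the last line shown, so the reader's lifetime cannot be confirmed here. Since `XmlReader.Create` leaves `CloseInput` false by default, wrapping the declaration in a `using` would release the reader without closing `response.ResponseStream`, which this method seeks and reuses; whether `reader` is referenced after the loop needs checking against the rest of the method before doing so. The enclosing method body extends beyond the hunk on both sides.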