.NET: What is the purpose of the ProhibitDtd property in XmlReaderSettings? Why is DTD a security issue?

Question

The documentation says:

When set to true, the XmlReader throws an XmlException when any DTD content is encountered. Do not enable DTD processing if you are concerned about Denial of Service issues or if you are dealing with untrusted sources.

If you have DTD processing enabled, you can use the XmlSecureResolver to restrict the resources that the XmlReader can access. You can also design your application so that the XML processing is memory and time constrained. For example, configure time-out limits in your ASP.NET application.

Can someone please explain the issue?

Why would a reader application want to prohibit the retrieval of a DTD? Where is the denial-of-service issue, if it is a reading application? What is the "trust" issue that is mentioned?

Thanks

Answer 1

Have a look at MSDN Magazine which explains the attack related to DTD. In summary, one can create a relatively short XML file which, when expanded because of the DTD, consumes lots of MB of RAM, starving the processing machine.