From 370abc530f45c6e773939b6a8022bb3f8b24d5d2 Mon Sep 17 00:00:00 2001
From: Cheena Malhotra
Date: Fri, 15 Jan 2021 15:39:32 -0800
Subject: [PATCH] Security Fix | Prohibit DtdProcessing on XmlTextReader instance in .NET Core
---
 .../src/Microsoft/Data/SqlClient/SqlDependencyListener.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlDependencyListener.cs b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlDependencyListener.cs
index 3fdcdebbec..6bf21e5a59 100644
--- a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlDependencyListener.cs
+++ b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlDependencyListener.cs
@@ -1155,8 +1155,8 @@ internal static SqlNotification ProcessMessage(SqlXml xmlMessage)
 return null;
 }
- // Create a new XmlTextReader on the Message node value.
- using (XmlTextReader xmlMessageReader = new XmlTextReader(xmlReader.Value, XmlNodeType.Element, null))
+ // Create a new XmlTextReader on the Message node value. Prohibit DTD processing when dealing with untrusted sources.
+ using (XmlTextReader xmlMessageReader = new XmlTextReader(xmlReader.Value, XmlNodeType.Element, null) { DtdProcessing = DtdProcessing.Prohibit })
 {
 // Proceed to the Text Node.
 if (!xmlMessageReader.Read())
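Review bot: The new initializer on the `using` line sets only `DtdProcessing`, so the reader keeps its default resolver; adding `XmlResolver = null` in the same initializer (`{ DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null }`) makes the no-external-fetch intent explicit and keeps the reader safe if the DTD setting is ever relaxed. With `Prohibit`, a payload that carries a DOCTYPE makes `xmlMessageReader.Read()` throw `XmlException`, and the hunk does not show whether `ProcessMessage` or its caller catches it, so it is worth confirming the listener treats that as a rejected message rather than an unhandled fault. `ProcessMessage` starts and ends outside the hunk, and the outer `xmlReader` whose `Value` is parsed here is created outside it as well, so its DTD settings should be checked separately.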