DTD prohibited error in M-Files 2018 file sources
Posted by Henri Huhtamäki (M-Files) on 31 January 2019 03:05 PM
M-Files 2018 prohibits the use of DTD references in XML when importing files from an external file source and reading metadata from an accompanying XML file.
Impacted Products and Versions
M-Files version 2018 onwards.
When importing an object from a file source and reading metadata from an accompanying XML that references a DTD, the object is imported but metadata mappings are skipped.
An example XML. DOCTYPE is the reference to the DTD.
A file source is set up to read metadata from Test.xml. Files will be imported from the file source but the property mappings from XML will be skipped.
The import produces an error to windows event logs:
Cause and Reason
M-Files 2015.3 uses MSXML 3.0 but M-Files 2018 uses MSXML 6.0. In version 6.0 the "ProhibitDTD" is as default set to "True" as it has security implications.
DTDs can be used to create an attack on the XML parser of the computer.
Please see the following Wikipedia page for an example of such an attack https://en.wikipedia.org/wiki/Billion_laughs_attack
Solution / Workaround
Remove the DTD reference from XML before using it in import. This will include some programmatical preprocessing work for the XMLs.
There is an improvement suggestion to M-Files R&D to make the DTD prohibition configurable.