drewnoakes / xmp-core-dotnet

.NET library for working with the Extensible Metadata Platform (XMP)

Incorporate Java 5.1.3 changes to address XXE issues #19

Closed kwhopper closed 8 years ago

kwhopper commented 8 years ago

The only changes from 5.1.2 to 5.1.3 in Java involve disabling certain processing properties to stop XXE issues. ParseOptions holds this new option and should be good. The changes for the parser though should be reviewed. It was a challenge to make sure the equivalent items in .NET were set, although in 4.0 and after more of the required settings have correct defaults. I created a few new tests as well but please sanity check.

Lastly, I wasn't able to test it with metadata extractor like I have in the past. The NuGet requirement makes that more difficult. If you know of an easy way to reference local assemblies, I'm all ears.

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
https://www.jardinesoftware.net/2016/05/26/xxe-and-net/
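The two parser configurations the PR is about, as an added example that is not code from the pull request or from the XmpCore library. The class name, the helper names and the sample packet are assumptions; the XMP and RDF namespace URIs are the standard ones.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example (not XmpCore code): XmlReader settings that do and do not
// stop XXE. Only the hardened settings belong on a reader of untrusted XMP.
static class XmpPacketParsing
{
    // Weak configuration: DTDs are parsed and external entities are fetched
    // through XmlUrlResolver. This is what XXE relies on.
    public static XmlReaderSettings Weak() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Parse,
        XmlResolver = new XmlUrlResolver(),
    };

    // Hardened configuration: any DOCTYPE is rejected outright, and no
    // resolver exists even if DTD handling were somehow re-enabled. On .NET 4.0
    // and later these are also the defaults, which matches the PR's remark.
    public static XmlReaderSettings Hardened() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null,
    };

    // Returns true if the packet parsed, false if the reader rejected it.
    public static bool TryParse(string xml, XmlReaderSettings settings, out string error)
    {
        error = null;
        try
        {
            using (var reader = XmlReader.Create(new StringReader(xml), settings))
            {
                while (reader.Read()) { }
            }
            return true;
        }
        catch (XmlException ex)
        {
            error = ex.Message;
            return false;
        }
    }

    static void Main()
    {
        // Constructed sample: an XMP packet preceded by a DOCTYPE with an internal
        // entity. No legitimate XMP packet carries a DOCTYPE, so rejecting it is safe.
        const string packet = "<!DOCTYPE x [<!ENTITY e \"placeholder\">]>" +
            "<x:xmpmeta xmlns:x=\"adobe:ns:meta/\"><rdf:RDF xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\"/></x:xmpmeta>";
        Console.WriteLine("weak settings accepted packet: " + TryParse(packet, Weak(), out _));
        Console.WriteLine("hardened settings accepted packet: " + TryParse(packet, Hardened(), out var err) + " " + err);
    }
}
```

The hardened reader fails on the DOCTYPE before any entity is touched, which is the behaviour to look for when reviewing the parser changes in this PR.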

drewnoakes commented 8 years ago

This looks great. Many thanks!

Yeah the NuGet requirement can be a bit of a pain. Workarounds are to either add the XMPCore project to the MetadataExtractor project temporarily (I think with project.json this works, though you have to set the dependency version to "*" from memory) or to set up a local NuGet feed on your machine. You can then publish local packages and configure VS to pull them down.

To package this project, use something like:

dotnet pack -c Release --version-suffix rc6 -o c:\LocalNuGetPackages

drewnoakes commented 8 years ago

Just pushed 2.0.0-rc5 to NuGet with these changes.