Re: SOAP, plague, love

  • From: Edd Dumbill <edd@usefulinc.com>
  • To: Matt Sergeant <matt@sergeant.org>
  • Date: Sat, 6 May 2000 14:51:42 +0100

On Fri, May 05, 2000 at 09:45:01PM +0100, Matt Sergeant wrote:
> I was actually going to post something about this on mozillazine.org,
> since mozilla has just incorporated XML-RPC. I'm seriously worried about
> potential security holes there. I guess we'll see how it pans out - at
> least with mozilla we can plug the holes as they appear.

The XML-RPC support checked into Mozilla is an XML-RPC client, not
server. This means it only ever initiates calls, never responds to them.

In this sense it is doing no more than a JavaScript POSTing to a form and
retrieving a response. Furthermore, it is not pervasive functionality.
It is an XPCOM class which must be instantiated by a script in order to
be used.

Additionally, I believe it is constrained to the general security model
of Mozilla, which will mean that it can only establish a network
connection back to the host that served it, if served from a network
host rather than the filesystem. (Although I'm not 100% clear on this as
I can't find this model explicitly documented at the moment.)

I regard the addition of this functionality as a great move for Mozilla,
so it is definitely worth us exploring all the security implications
up-front before it gets released.

-- Edd

This is xml-dev, the mailing list for XML developers.
To unsubscribe, mailto:majordomo@xml.org&BODY=unsubscribe%20xml-dev
List archives are available at http://xml.org/archives/xml-dev/
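The constraint Edd describes (a client that only ever initiates calls, and only back to the host that served the page), as an added JavaScript example that is not Mozilla's XPCOM code; the function names, the example URLs and the `/RPC2` endpoint are constructed assumptions:

```javascript
// Added example (not Mozilla's XML-RPC implementation): a minimal XML-RPC
// client that refuses to POST anywhere but the origin that served the page,
// and builds the <methodCall> envelope with parameter text escaped.

function escapeXml(s) {
  return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Serialise a JS value into an XML-RPC <value>: boolean, int, double or string.
function toXmlRpcValue(v) {
  if (typeof v === "boolean") return `<value><boolean>${v ? 1 : 0}</boolean></value>`;
  if (typeof v === "number") {
    return Number.isInteger(v)
      ? `<value><int>${v}</int></value>`
      : `<value><double>${v}</double></value>`;
  }
  // Strings are escaped so caller-supplied text cannot inject XML markup.
  return `<value><string>${escapeXml(v)}</string></value>`;
}

function buildMethodCall(method, params) {
  const body = params.map((p) => `<param>${toXmlRpcValue(p)}</param>`).join("");
  return `<?xml version="1.0"?><methodCall><methodName>${escapeXml(method)}` +
         `</methodName><params>${body}</params></methodCall>`;
}

// Same origin means same scheme, host and port (URL.host carries the port).
// A relative endpoint is resolved against the document URL before comparing.
function isSameOrigin(documentUrl, targetUrl) {
  const a = new URL(documentUrl);
  const b = new URL(targetUrl, documentUrl);
  return a.protocol === b.protocol && a.host === b.host;
}

// Returns the request the client would issue, or null when the origin
// policy blocks it, so callers can log the refusal rather than fail silently.
function prepareCall(documentUrl, endpoint, method, params) {
  if (!isSameOrigin(documentUrl, endpoint)) return null;
  return {
    url: new URL(endpoint, documentUrl).href,
    method: "POST",
    headers: { "Content-Type": "text/xml" },
    body: buildMethodCall(method, params),
  };
}
```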


Copyright 2001 XML.org. This site is hosted by OASIS