OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   Re: SOAP, plague, love

[ Lists Home | Date Index | Thread Index ]
  • From: Martijn Pieters <mj@digicool.com>
  • To: Edd Dumbill <edd@usefulinc.com>
  • Date: Mon, 8 May 2000 16:31:34 +0200

On Sat, May 06, 2000 at 02:51:42PM +0100, Edd Dumbill wrote:
> On Fri, May 05, 2000 at 09:45:01PM +0100, Matt Sergeant wrote:
> > I was actually going to post something about this on mozillazine.org,
> > since mozilla has just incorporated XML-RPC. I'm seriously worried about
> > potential security holes there. I guess we'll see how it pans out - at
> > least with mozilla we can plug the holes as they appear.
> The XML-RPC support checked into Mozilla is an XML-RPC client, not
> server. This means it only ever initiates calls, never responds to them.
> In this sense it is doing no more than a Javascript POSTing to a form and
> retrieving a response. Furthermore, it is not pervasive functionality.
> It is an XPCOM class which must be instantiated by a script in order to
> be used.
> Additionally, I believe it is constrained to the general security model
> of Mozilla, which will mean that it can only establish a network
> connection back to the host that served it, if served from a network
> host rather than the filesystem. (Although I'm not 100% clear on this as
> I can't find this model explicitly documented at the moment.)
> I regard the addition of this functionality as a great move for Mozilla,
> so it is definitely worth us exploring all the security implications
> up-front before it gets released.

Thanks Edd, for including me here. I had a look over this thread and I think
the concern is that XML-RPC could be used to export sensitive information
without the user knowing this.

The Mozilla XML-RPC client is a XPCOM component, and is portected by the same
security mesurements as all other XPCOM components reachable through
XPConnect. This currently means that explicit permission is to be requested
from the user if a javascript (be it local or remote) wants to have access to
such a component. Only so-called chrome packages (user interfaces described in
XML, built using javascript and CSS) have unlimited access.

This security messure is very course, either the script gets no access to
XPConnect at all, or gets full access. XPConnect not only will allow such a
script to do XML-RPC, but it then can also access files on the harddisk, or
create it's own socket based connections outgoing from the users machine. I
believe that this is intended to become more finegrained in future revisions.

The XML-RPC component is _not_ limited in what machines it can access. This
restiction only applies to Java, IIRC (I am not an authority on Mozilla
security, don't quote me on any of this!). But, as Edd points out, XML-RPC is
nothing more than a polished up POST back to the server, with a structured
reply. I could also create a hidden frame, use DOM to create a HTML FORM, and
submit that form to any server on the internet. This latter functionality
isn't protected by any security constraints, and shouldn't be either.

Martijn Pieters
| Software Engineer    mailto:mj@digicool.com
| Digital Creations  http://www.digicool.com/
| Creators of Zope       http://www.zope.org/
|   The Open Source Web Application Server

This is xml-dev, the mailing list for XML developers.
To unsubscribe, mailto:majordomo@xml.org&BODY=unsubscribe%20xml-dev
List archives are available at http://xml.org/archives/xml-dev/


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS