OASIS Mailing List Archives

Re: Dereferencing Namespace URIs considered harmful

At 11:35 AM 1/1/01 +0000, John Wilson wrote:
>It would be worthwhile taking a little time to consider the possible
>security impact of encouraging XML processing software to dereference
>Namespace URIs as a matter of course.
>Performing an HTTP GET on an arbitrary URL is not an innocuous action. Most
>web servers have well known vulnerabilities to various forms of malformed

Any HTTP GET facility exposed to the outside world
can be abused.  Namespace URIs are no different. The issues
you raise are equally applicable to XML-RPC, SOAP (not
to mention DTDs at the end of URIs in XML 1.0).

I look forward to the day when this is a real issue :-). By which
I mean that for this to be a real problem, the semantic web will
be up and running:-)

For now, to paraphrase our resident song writer, I want
to read about the pizza myself in a Web browser window
by clicking on a link, not have a mozzarella definition
automatically added to my bookmarks:-)

Sean McGrath
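
The following is an added example, not part of the thread or written by either poster: it lists the remote URIs (namespace URIs and the DOCTYPE system identifier) that a document names, without fetching any of them, and checks each against a host allowlist. The sample document, its hosts, and the function names `remote_references` and `fetch_decisions` are assumptions made for illustration.

```python
import xml.parsers.expat
from urllib.parse import urlsplit

# Constructed sample document; every host in it is a placeholder.
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE order SYSTEM "http://dtd.example.org/order.dtd">
<order xmlns="http://ns.example.com/order"
       xmlns:p="http://ns.example.net/pizza"
       xmlns:u="urn:example:units">
  <p:pizza u:size="12"/>
</order>"""

REMOTE_SCHEMES = ("http", "https", "ftp")


def remote_references(xml_bytes):
    """Return (kind, uri) pairs that a dereferencing processor could GET.

    expat only reports the identifiers; with no ExternalEntityRefHandler
    installed it never opens a network connection itself.
    """
    found = []
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id:
            found.append(("dtd", system_id))

    def on_namespace(prefix, uri):
        if uri:
            found.append(("namespace", uri))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartNamespaceDeclHandler = on_namespace
    parser.Parse(xml_bytes, True)
    # URNs and other non-network schemes cannot trigger a request.
    return [(k, u) for k, u in found if urlsplit(u).scheme in REMOTE_SCHEMES]


def fetch_decisions(xml_bytes, allowed_hosts):
    """Map each remote URI to True only if its host is on the allowlist."""
    return {uri: urlsplit(uri).hostname in allowed_hosts
            for _, uri in remote_references(xml_bytes)}


if __name__ == "__main__":
    for uri, ok in fetch_decisions(SAMPLE, {"ns.example.com"}).items():
        print("allow" if ok else "deny ", uri)
```
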