Re: Dereferencing Namespace URIs considered harmful
- From: Sean McGrath <sean@digitome.com>
- To: xml-dev@lists.xml.org
- Date: Mon, 01 Jan 2001 12:04:19 +0000
At 11:35 AM 1/1/01 +0000, John Wilson wrote:
>It would be worthwhile taking a little time to consider the possible
>security impact of encouraging XML processing software to dereference
>Namespace URIs as a matter of course.
>
>Performing an HTTP GET on an arbitrary URL is not an innocuous action. Most
>web servers have well known vulnerabilities to various forms of malformed
>URL.
Any HTTP GET facility exposed to the outside world
can be abused. Namespace URIs are no different. The issues
you raise are equally applicable to XML-RPC, SOAP (not
to mention DTDs at the end of URIs in XML 1.0).
I look forward to the day when this is a real issue :-). By which
I mean that for this to be a real problem, the semantic web will
be up and running:-)
For now, to paraphrase our resident song writer, I want
to read about the pizza myself in a Web browser window
by clicking on a link, not have a mozzarella definition
automatically added to my bookmarks:-)
Sean McGrath
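
An added example, not part of the original message: a Python `xml.sax` reader that handles namespace URIs as opaque strings and refuses any external DTD or entity fetch, so that parsing never issues the HTTP GET the thread discusses. The sample document, the `.invalid` hostnames and the names `NamespaceCollector`, `RefusingResolver` and `inspect_document` are constructed for illustration.

```python
import io
import xml.sax
from xml.sax.handler import (ContentHandler, EntityResolver, feature_namespaces,
                             feature_external_ges, feature_external_pes)

# Constructed sample: the DTD system identifier and the namespace URIs all
# look like fetchable HTTP URLs (.invalid is reserved and never resolves).
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE menu SYSTEM "http://dtd.example.invalid/menu.dtd">
<menu xmlns="http://ns.example.invalid/pizza">
  <item xmlns:t="http://ns.example.invalid/topping" t:kind="mozzarella"/>
</menu>
"""

class NamespaceCollector(ContentHandler):
    """Records namespace URIs as plain identifiers; never dereferences them."""
    def __init__(self):
        super().__init__()
        self.namespaces = set()

    def startElementNS(self, name, qname, attrs):
        uri, _local = name
        if uri:
            self.namespaces.add(uri)
        for (attr_uri, _attr_local), _value in attrs.items():
            if attr_uri:
                self.namespaces.add(attr_uri)

class RefusingResolver(EntityResolver):
    """Fails closed: logs and rejects any attempt to load an external entity."""
    def __init__(self):
        self.attempts = []

    def resolveEntity(self, publicId, systemId):
        self.attempts.append(systemId)
        raise xml.sax.SAXNotSupportedException("external fetch refused: %s" % systemId)

def inspect_document(data):
    parser = xml.sax.make_parser()
    parser.setFeature(feature_namespaces, True)
    parser.setFeature(feature_external_ges, False)  # no external general entities / DTD subset
    parser.setFeature(feature_external_pes, False)  # no external parameter entities
    handler, resolver = NamespaceCollector(), RefusingResolver()
    parser.setContentHandler(handler)
    parser.setEntityResolver(resolver)
    parser.parse(io.BytesIO(data))
    return sorted(handler.namespaces), resolver.attempts

if __name__ == "__main__":
    print(inspect_document(SAMPLE))
```
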