OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

FW: XML Schemas: Best Practices





-----Original Message-----
From: Arnold, Curt 
Sent: Tuesday, January 16, 2001 5:41 PM
To: 'Roger L. Costello'
Subject: RE: XML Schemas: Best Practices


One imported dimension that must be considered is whether retrieval of potentially hostile schema resources is required for extensibility.  Basically, it would be pretty easy to write schemas that
exploited holes in schema processors to do denial of service type attacks.  Most production systems would only trust schema resources that were predetermined as being safe and would depend on cached
versions of those resources.  If you went to XTech 2000, basically the same idea of David Megginson's, "When XML turns Ugly" presentation (http://www.megginson.com/ugly/index.html)

If you require retrieving schema resources to perform extension, then you are limiting those with the ability to extend the schema to those well-known and trusted organizations and even then you
wouldn't do it dynamically in case someone broke into the MIT offices that host the W3C servers.  That is, a W3C schema that used those methods could not be extended by Example, Inc, if it depended on
loading a schema resource from http://www.example.com .

>         <Book xsi:type="BookTypePlusReviewer">
...
>              <Reviewer>Roger Costello</Reviewer>
>         </Book>
> 

If the schema processor can't retrieve or doesn't trust the schema resource for BookTypePlusReviewer (I assume that you meant it to be in a different namespace so it could be in a different schema
from the base Book definition), it can't verify that costello:BookTypePlusReviewer is derived from BookType and would have to reject the document.

Using <any processContents="lax"/> or similar allow you to accept documents with subsections that you don't have (or don't trust) the schema resources.  Type substitution requires that you do trust.

I can't really fully respond at this time, more to follow tomorrow.