OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   RE: [xml-dev] Interesting mailing list & a rare broadside

[ Lists Home | Date Index | Thread Index ]
  • To: "James Clark" <jjc@jclark.com>,<xml-dev@lists.xml.org>
  • Subject: RE: [xml-dev] Interesting mailing list & a rare broadside
  • From: "Dare Obasanjo" <dareo@microsoft.com>
  • Date: Fri, 7 Jun 2002 20:40:25 -0700
  • Thread-index: AcIOnWws7O594h/gTUWBLMclMSmDEgAAECfw
  • Thread-topic: [xml-dev] Interesting mailing list & a rare broadside

> -----Original Message-----
> From: James Clark [mailto:jjc@jclark.com] 
> Sent: Friday, June 07, 2002 8:35 PM
> To: Dare Obasanjo; xml-dev@lists.xml.org
> Subject: RE: [xml-dev] Interesting mailing list & a rare broadside
> So, are you saying that the answer to my question is 
> basically "no", since 
> there is always the possibility that the root element of the 
> instance will 
> use a namespace not in the schema cache?
> If that's so, although it's perfectly conformant, it seems 
> like a fairly 
> major potential security/robustness hole.  Suppose an 
> application is trying 
> to use validation to protect itself from bad input. It 
> carefully loads the 
> schema cache with the namespaces it knows about, and calls 
> validate().  Now 
> the bad guy comes along and uses a root element from some 
> other namespace 
> and uses xsi:schemaLocation to point to his own schema that 
> that has a 
> declaration for that element and uses <xs:any namespace="##any" 
> processContents="skip"/>.  Won't they just have almost completely 
> undermined any protection that was supposed to come from validation?

That is an interesting theoretical attack which I don't think anything
in the W3C XML Schema recommendation prevents. You bring up a good point
which I'll have to discuss with our resident W3C XML Schema folks when
they get in on Monday. 
The shortest distance between two points is under repair.

This posting is provided "AS IS" with no warranties, and confers no


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS