OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   Re: [xml-dev] Malicious documents? (WAS: Interesting mailing list & a ra

[ Lists Home | Date Index | Thread Index ]

Bill de hÓra wrote,
> The notion of treating XML as active content is fascinating (and a
> bit scary). I wonder if you could set up a for loop for a DOS via
> an XSLT sheet?

An XSLT stylesheet has intended programmatic semantics (it's code, for 
all that it's sprinkled with angle brackets and declarative rather than 
imperative), so pretty clearly, IMO, it has to be treated as active 
content. A comparisons with PostScript might be in order here, and it's 
not news that untrusted PostScript documents can be dangerous.

The more worrying cases are documents which don't have any such intended 
semantics (ie. just dumb data), but get them willy nilly thanks to the 
implicit retrieval semantics of validation. My guess is that many, 
many, developers will assume that such things are just as safe as 
text/plain is typically taken to be, without anticipating the effects 
of validation.

This is likely to be particularly so in server as opposed to client 
applications: that a server designed to only _consume_ incoming 
documents might be tricked into making outgoing requests to arbitrary 
hosts is probably completely unexpected.




News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS