
   Re: [xml-dev] Malicious documents? (WAS: Interesting mailing list & a ra


Eric van der Vlist wrote,
> Miles Sabin wrote:
> > This is likely to be particularly so in server as opposed to client
> > applications: that a server designed to only _consume_ incoming
> > documents might be tricked into making outgoing requests to
> > arbitrary hosts is probably completely unexpected.
>
> Yes, that's a fascinating and frightening perspective, but isn't it
> the case also with any HTML document which can instruct a browser to
> do many outgoing requests to fetch images, stylesheets, scripts and
> other objects?

Yes it is, but it's now pretty widely understood that HTML (with or 
without embedded scripts or objects) can be dangerous on the client.

I don't think there's the same understanding of vulnerabilities on the
server side: if you POST an HTML document to a server you wouldn't
normally expect it to attempt to retrieve images or execute embedded
scripts or objects. OTOH, with an XML POST to a validating XML
processor, retrieval of referenced external entities is precisely what's
going to happen in many cases.

Cheers,


Miles
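
The behaviour described in the message above, as an added example that is not part of the original post: using Python's standard-library `xml.sax` (a non-validating parser that can be set to resolve external general entities), a recording resolver lists what the parser would have retrieved for a POSTed document, with resolution switched on and off. The sample document, the placeholder host and the names `RecordingResolver` and `external_fetches` are assumptions made for illustration.

```python
import io
import xml.sax
from xml.sax.handler import EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

# Constructed sample: a POSTed document whose internal DTD subset declares an
# external entity. The host is a placeholder, not taken from the thread.
SAMPLE_POST = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE order [\n'
    b'  <!ENTITY ext SYSTEM "http://placeholder.invalid/fragment.xml">\n'
    b']>\n'
    b'<order>&ext;</order>\n'
)


class RecordingResolver(EntityResolver):
    """Records every external entity the parser asks for, fetches none."""

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        empty = InputSource(systemId)
        # Supplying a stream stops xml.sax from opening systemId itself.
        empty.setByteStream(io.BytesIO(b""))
        return empty


def external_fetches(document, resolve_external):
    """Parse `document`; return the URLs the parser would have retrieved."""
    resolver = RecordingResolver()
    parser = xml.sax.make_parser()
    # True mirrors a processor that dereferences external entities;
    # False is the hardened setting for a server that only consumes input.
    parser.setFeature(feature_external_ges, resolve_external)
    parser.setEntityResolver(resolver)
    parser.parse(io.BytesIO(document))
    return resolver.requested


if __name__ == "__main__":
    print("resolving on :", external_fetches(SAMPLE_POST, True))
    print("resolving off:", external_fetches(SAMPLE_POST, False))
```

Running the recording resolver over real inbound documents in a test environment gives an inventory of outbound requests a consuming server would otherwise make silently.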




 


Copyright 2001 XML.org. This site is hosted by OASIS