OASIS Mailing List Archives
   RE: [xml-dev] Interesting mailing list & a rare broadside


> > If that's so, although it's perfectly conformant, it seems like a fairly
> > major potential security/robustness hole.  Suppose an application is trying
> > to use validation to protect itself from bad input. It carefully loads the
> > schema cache with the namespaces it knows about, and calls validate().  Now
> > the bad guy comes along and uses a root element from some other namespace
> > and uses xsi:schemaLocation to point to his own schema that has a
> > declaration for that element and uses <xs:any namespace="##any"
> > processContents="skip"/>.  Won't they just have almost completely
> > undermined any protection that was supposed to come from validation?
> 
> That is an interesting theoretical attack which I don't think anything
> in the W3C XML Schema recommendation prevents. You bring up a good point
> which I'll have to discuss with our resident W3C XML Schema folks when
> they get in on Monday. 
>  

Xerces follows the same approach as MS. Quoting from
http://xml.apache.org/xerces2-j/properties.html for general
property http://apache.org/xml/properties/schema/external-schemaLocation,

"This property allows the user to specify a list of schemas to use. If the 
targetNamespace of a schema (specified using this property) matches the 
targetNamespace of a schema occurring in the instance document in 
schemaLocation attribute, or if the targetNamespace matches the namespace 
attribute of <import> element, the schema specified by the user using this 
property will be used (i.e., the schemaLocation attribute in the instance 
document or on the <import> element will be effectively ignored)."

It would appear to be susceptible to the same attack as described above.

Regards
Michael
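One defensive check for the scenario discussed in this thread, as an added example that is not part of the original messages and not code from Xerces or MSXML: because a validator may honour an xsi:schemaLocation hint for a namespace the application never configured, the application can refuse, before the document reaches the validator, any document whose elements use a namespace outside its own trusted set, and any document that carries a schema-location hint at all. The trusted namespace `urn:example:orders`, the function names, and the two sample documents are constructed for the example; only the Python standard library is used.

```python
"""Namespace allow-list gate run before XML Schema validation.

Added example, not from the thread. The attack described above relies on the
validator trusting an xsi:schemaLocation hint for an unknown namespace, so
this gate (a) rejects any element whose namespace is not one the application
itself loaded into its schema cache and (b) rejects any schema-location hint,
so the instance document never gets to choose a schema.
"""
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
SCHEMA_LOCATION = f"{{{XSI}}}schemaLocation"
NO_NS_SCHEMA_LOCATION = f"{{{XSI}}}noNamespaceSchemaLocation"

# Namespaces the application loaded into its schema cache (constructed value).
TRUSTED_NAMESPACES = frozenset({"urn:example:orders"})


def _namespace(tag):
    """Namespace URI of an ElementTree tag ('{ns}local'), '' if unqualified."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def schema_location_pairs(value):
    """Split an xsi:schemaLocation value into (namespace, location) pairs.

    Returns None when the token count is odd, i.e. the hint is malformed.
    """
    tokens = value.split()
    if len(tokens) % 2:
        return None
    return list(zip(tokens[0::2], tokens[1::2]))


def check_namespaces(xml_bytes, trusted=TRUSTED_NAMESPACES):
    """Return the list of policy violations found in the document.

    An empty list means the document may be handed to the validator. Every
    element (root included) must live in a trusted namespace, and no element
    may carry xsi:schemaLocation or xsi:noNamespaceSchemaLocation: which
    schemas apply is the application's decision, never the document's.
    """
    problems = []
    root = ET.fromstring(xml_bytes)
    for elem in root.iter():
        ns = _namespace(elem.tag)
        if ns not in trusted:
            problems.append(f"untrusted namespace {ns!r} on element <{elem.tag}>")
        if NO_NS_SCHEMA_LOCATION in elem.attrib:
            problems.append("xsi:noNamespaceSchemaLocation hint present")
        hint = elem.attrib.get(SCHEMA_LOCATION)
        if hint is not None:
            pairs = schema_location_pairs(hint)
            if pairs is None:
                problems.append(f"malformed xsi:schemaLocation {hint!r}")
            for ns_hint, location in pairs or []:
                problems.append(f"schemaLocation hint {ns_hint!r} -> {location!r}")
    return problems


# Constructed sample documents: one in the trusted namespace, one using the
# pattern from the thread (foreign root namespace plus a schemaLocation hint).
GOOD_DOC = b'<o:order xmlns:o="urn:example:orders"><o:item sku="A1"/></o:order>'

HINTED_DOC = b"""<e:root xmlns:e="urn:example:other"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:example:other http://schemas.example/other.xsd">
  <o:order xmlns:o="urn:example:orders"><o:item sku="B2"/></o:order>
</e:root>"""


if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("hinted", HINTED_DOC)):
        violations = check_namespaces(doc)
        print(name, "accepted" if not violations else "rejected:", violations)
```

The gate is deliberately stricter than the validator: it rejects the hint even for a trusted namespace, since the application already knows where its schemas live, and it checks every element rather than only the root, so wrapping a foreign-namespace subtree inside a trusted root is caught as well.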

Copyright 2001 XML.org. This site is hosted by OASIS