> > If that's so, although it's perfectly conformant, it seems like a fairly
> > major potential security/robustness hole. Suppose an application is trying
> > to use validation to protect itself from bad input. It carefully loads the
> > schema cache with the namespaces it knows about, and calls validate(). Now
> > the bad guy comes along and uses a root element from some other namespace
> > and uses xsi:schemaLocation to point to his own schema that has a
> > declaration for that element and uses <xs:any namespace="##any"
> > processContents="skip"/>. Won't they just have almost completely
> > undermined any protection that was supposed to come from validation?
>
> That is an interesting theoretical attack which I don't think anything
> in the W3C XML Schema recommendation prevents. You bring up a good point
> which I'll have to discuss with our resident W3C XML Schema folks when
> they get in on Monday.
>
Xerces follows the same approach as MS. Quoting from
http://xml.apache.org/xerces2-j/properties.html for general
property http://apache.org/xml/properties/schema/external-schemaLocation,
"This property allows the user to specify a list of schemas to use. If the
targetNamespace of a schema (specified using this property) matches the
targetNamespace of a schema occurring in the instance document in
schemaLocation attribute, or if the targetNamespace matches the namespace
attribute of <import> element, the schema specified by the user using this
property will be used (i.e., the schemaLocation attribute in the instance
document or on the <import> element will be effectively ignored)."
It would appear to be susceptible to the same attack as described above.
Regards
Michael
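
An added example, not part of either post and not Xerces or MS code: a pre-validation check for the gap discussed in this thread. It rejects a document whose root element lies outside the namespaces the application preloaded, and reports any schemaLocation hint for another namespace. The namespace `urn:example:orders`, the function names and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
# Assumption: the namespaces the application preloaded into its schema cache.
TRUSTED_NAMESPACES = {"urn:example:orders"}

def split_qname(tag):
    """Return (namespace, local name) for an ElementTree '{ns}local' tag."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag

def schema_hints(root):
    """Collect (namespace, location) pairs from every xsi:schemaLocation
    and xsi:noNamespaceSchemaLocation attribute in the document."""
    hints = []
    for elem in root.iter():
        tokens = elem.get(f"{{{XSI}}}schemaLocation", "").split()
        # schemaLocation is a whitespace-separated list of namespace/location pairs
        hints.extend(zip(tokens[0::2], tokens[1::2]))
        no_ns = elem.get(f"{{{XSI}}}noNamespaceSchemaLocation")
        if no_ns:
            hints.append(("", no_ns))
    return hints

def precheck(xml_bytes, trusted=TRUSTED_NAMESPACES):
    """Return a list of reasons to reject the document before validate()."""
    root = ET.fromstring(xml_bytes)
    problems = []
    ns, local = split_qname(root.tag)
    if ns not in trusted:
        problems.append(f"root element {local!r} is in untrusted namespace {ns!r}")
    for hint_ns, location in schema_hints(root):
        if hint_ns not in trusted:
            problems.append(f"schema hint for untrusted namespace {hint_ns!r}: {location}")
    return problems

# Constructed sample documents (not taken from the thread)
GOOD = b'<o:order xmlns:o="urn:example:orders"><o:item>1</o:item></o:order>'
FOREIGN_ROOT = (
    b'<x:anything xmlns:x="urn:example:other" '
    b'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    b'xsi:schemaLocation="urn:example:other http://schemas.invalid/other.xsd">'
    b'<unchecked/></x:anything>')
```

An empty list from `precheck()` means the document may go on to schema validation; any entry is a reason to reject it first.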