>On reflection, I think XInclude's security issues are really just a
>subset of those that browsers have with XSLT, or at least are solvable
>in the same way. XSLT allows you to fetch data from a local file
>using document("file:///whatever") and even allows you to pass out
>that information as part of a URL in another document() call.

You're right. That does sound like another security hole, and
possibly worse. It also had not occurred to me that you might
XInclude a file URL. That opens up some more holes.

>I checked what Mozilla does in this case, and it appears to refuse
>to fetch a file: URL from a document() call in a remote stylesheet.

Which raises the questions:

1. What does IE6 do?
2. What does Mozilla do when faced with an http URL in the document()
function that points to a host other than the document base?

The XSLT issue is potentially worse because you could use XSLT to
actually include the contents of the stolen XML document in the URL
you passed back to the hacker's server. It is somewhat (though far
from completely) mitigated by the fact that the document() function
can only point to well-formed XML documents so it can't steal
absolutely any file or URL.

--
+-----------------------+------------------------+-------------------+
| Elliotte Rusty Harold | elharo@metalab.unc.edu | Writer/Programmer |
+-----------------------+------------------------+-------------------+
| XML in a Nutshell, 2nd Edition (O'Reilly, 2002) |
| http://www.cafeconleche.org/books/xian2/ |
| http://www.amazon.com/exec/obidos/ISBN%3D0596002920/cafeaulaitA/ |
+----------------------------------+---------------------------------+
| Read Cafe au Lait for Java News: http://www.cafeaulait.org/ |
| Read Cafe con Leche for XML News: http://www.cafeconleche.org/ |
+----------------------------------+---------------------------------+
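
An added example, not part of the original message: a resolver-side policy check for document() references that refuses file: URLs from a remote stylesheet and, as one possible answer to question 2, refuses hosts other than the stylesheet's own. The host names, the sample stylesheet and the rule for local stylesheets are assumptions made for illustration; this is not a description of what Mozilla or IE6 implement.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

# Matches document('literal') / document("literal"). Computed arguments
# cannot be seen statically and must be checked in the processor's resolver.
DOCUMENT_CALL = re.compile(r"""document\(\s*(['"])(.*?)\1""")

def allowed(stylesheet_uri, target_ref):
    """Decide whether a stylesheet at stylesheet_uri may load target_ref."""
    base = urlsplit(stylesheet_uri)
    target = urlsplit(urljoin(stylesheet_uri, target_ref))
    if base.scheme == "file":
        return target.scheme == "file"  # assumption: local stylesheets stay local
    if target.scheme not in ("http", "https"):
        return False  # remote stylesheet asking for file:, ftp:, ...
    # Same scheme, host and port as the stylesheet, otherwise refuse.
    return ((target.scheme, target.hostname, target.port)
            == (base.scheme, base.hostname, base.port))

def audit(stylesheet_text, stylesheet_uri):
    """Return (reference, allowed) for each literal document() call found."""
    findings = []
    for element in ET.fromstring(stylesheet_text).iter():
        for value in element.attrib.values():
            for _, ref in DOCUMENT_CALL.findall(value):
                findings.append((ref, allowed(stylesheet_uri, ref)))
    return findings

# Constructed sample stylesheet, served from a hypothetical remote host.
SAMPLE = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <xsl:copy-of select="document('lookup.xml')"/>
    <xsl:copy-of select="document('file:///whatever')"/>
    <xsl:copy-of select='document("http://other.example/data.xml")'/>
  </xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for ref, ok in audit(SAMPLE, "http://styles.example/sheets/main.xsl"):
        print("allow" if ok else "deny ", ref)
```

The static audit only reports literal references; the same allowed() decision has to be applied inside the XSLT processor's URI resolver to cover document() arguments built at run time.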