OASIS Mailing List Archives
   Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack


From: "Miles Sabin" <miles@milessabin.com>

> Rick Jelliffe wrote,
> > It strikes me that this puts the cart before the horse.  The answer
> > is not to ban external entities, it is to allow access control lists
> > as part of entity managers or URL resolvers.
> 
> Sure, but isn't that tantamount to agreeing with,
> 
>   Suggested fix:
>    Most XML parsers allow their user to explicitly specify external
>    entity handler. In case of untrusted XML input it is best to prohibit
>    all external general entities.
> 
> because your ACL will effectively be whitelisting your *trusted* 
> sources.

???  "It is best to prohibit" is not the same thing as "allow access control lists".

The former bans a useful feature. The latter shows how the feature can be made safe.

No-one would say "Because http: allows access to any file, we should ban http:";
instead, we provide access control on our servers to limit access to what we
want to publish.  I cannot see why it is any different for external entities or other links.

Cheers
Rick Jelliffe
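The two positions in the message, the BugTraq "prohibit all external general entities" advice and Rick's "put an access control list in the entity resolver" alternative, as an added example that is not part of the thread and not code from either author. It uses Python's standard-library xml.sax parser: one function turns the external-entity feature off, the other keeps it on but installs a resolver whose ACL is a list of trusted local directories. The files, the "Standard footer" and "hunter2" contents, the directory names and the attacker URL are all constructed here for the demonstration; the class and function names are the example's own.

```python
"""XXE: prohibit external entities outright, or keep them behind an ACL in the
entity resolver.  Added example; not from the xml-dev thread."""
import io
import os
import tempfile
import urllib.parse
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler, EntityResolver


class EntityDenied(Exception):
    """An external entity reference fell outside the resolver's allow-list."""


class AllowListResolver(EntityResolver):
    """Entity resolver with an access-control list: only absolute local paths
    (bare or file:) inside one of the trusted directories are fetched.  Remote
    schemes, relative ids, traversal and symlinks escaping the trusted roots
    are refused, so the parser fails closed instead of reading local files."""

    def __init__(self, trusted_dirs):
        self.trusted_dirs = [os.path.realpath(d) for d in trusted_dirs]
        self.denied = []  # audit trail of refused system identifiers

    def resolveEntity(self, publicId, systemId):
        parsed = urllib.parse.urlparse(systemId or "")
        path = parsed.path
        if parsed.scheme in ("", "file") and os.path.isabs(path):
            real = os.path.realpath(path)  # collapse ../ and symlinks first
            for root in self.trusted_dirs:
                if os.path.commonpath([real, root]) == root:
                    return real  # a str system id is opened by the SAX driver
        self.denied.append(systemId)
        raise EntityDenied(f"external entity refused: {systemId}")


class TextCollector(ContentHandler):
    """Accumulates character data so the test can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_with_acl(xml_bytes, trusted_dirs):
    """Rick's position: keep external entities, gate them behind an ACL."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)
    parser.setEntityResolver(AllowListResolver(trusted_dirs))
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def parse_prohibiting_external(xml_bytes):
    """The BugTraq advice: refuse all external general entities.  The
    reference still parses, but expands to nothing (Python 3.7.1+ default)."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def make_fixture():
    """Constructed files: a trusted footer entity and a secret outside the
    trusted directory.  Returns the trusted dir and the candidate system ids."""
    root = tempfile.mkdtemp(prefix="xxe-acl-")
    trusted = os.path.join(root, "trusted")
    os.mkdir(trusted)
    footer = os.path.join(trusted, "footer.txt")
    with open(footer, "w") as f:
        f.write("Standard footer")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as f:
        f.write("hunter2")
    return {
        "trusted": trusted,
        "footer": footer,                                   # allowed
        "secret": "file://" + secret,                       # classic XXE
        "traversal": os.path.join(trusted, "..", "secret.txt"),
        "remote": "http://attacker.example/evil.txt",       # never fetched
    }


def document(entity_uri):
    """Constructed document whose one entity reference points at entity_uri."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE doc [ <!ENTITY ext SYSTEM "{entity_uri}"> ]>\n'
        "<doc>&ext;</doc>"
    ).encode()


if __name__ == "__main__":
    fx = make_fixture()
    print(repr(parse_prohibiting_external(document(fx["footer"]))))  # ''
    print(parse_with_acl(document(fx["footer"]), [fx["trusted"]]))   # footer
    for key in ("secret", "traversal", "remote"):
        try:
            parse_with_acl(document(fx[key]), [fx["trusted"]])
        except EntityDenied as e:
            print(e)
```

The ACL check runs on the real path after resolving `..` and symlinks, which is what makes the traversal case fail; a check on the raw string would pass `trusted/../secret.txt`. SAX's resolveEntity does not receive the document base, so relative system ids are refused rather than guessed; a deployment that needs them should resolve against the document's own base before applying the same directory test.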

Copyright 2001 XML.org. This site is hosted by OASIS