From: "Miles Sabin" <miles@milessabin.com>
> Rick Jelliffe wrote,
> > It strikes me that this puts the cart before the horse. The answer
> > is not to ban external entities, it is to allow access control lists
> > as part of entity managers or URL resolvers.
>
> Sure, but isn't that tantamount to agreeing with,
>
> Suggested fix:
> Most XML parsers allow their user to explicitly specify an external
> entity handler. In case of untrusted XML input it is best to prohibit
> all external general entities.
>
> because your ACL will effectively be whitelisting your *trusted*
> sources.
??? "It is best to prohibit" is not the same thing as "allow access control lists".
The former bans a useful feature. The latter shows how the feature can be made safe.
No-one would say "Because http: allows access to any file, we should ban http:";
instead, we provide access control on our servers to limit access to what we
want to publish. I cannot see why it is any different for external entities or other links.
Cheers
Rick Jelliffe
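The two postures under discussion side by side, as an added example that is not code from either poster: a resolver that blocks every external general entity, and one that applies an access control list to the entity's system identifier. It uses Python's standard-library expat binding; the allowed URIs, the entity bodies and the sample document are all constructed for the demonstration.

```python
import xml.parsers.expat

# Constructed sample: one entity on the ACL, one that is not.
SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY trusted SYSTEM "file:///etc/app/boilerplate.xml">
  <!ENTITY other SYSTEM "file:///srv/private/untrusted.xml">
]>
<doc>&trusted; | &other;</doc>"""

# Constructed ACL and a stand-in for what the resolver would fetch.
ALLOWED = {"file:///etc/app/boilerplate.xml"}
STORE = {"file:///etc/app/boilerplate.xml": "Hello from a trusted entity"}


def parse_refusing_all(xml_text):
    """The 'ban' posture: any external general entity aborts the parse.
    Returns True when the document parsed, False when it was rejected."""
    p = xml.parsers.expat.ParserCreate()
    # Returning 0 from the handler makes expat fail the whole parse.
    p.ExternalEntityRefHandler = lambda ctx, base, sys_id, pub_id: 0
    try:
        p.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError:
        return False
    return True


def parse_with_acl(xml_text, allowed=ALLOWED, store=STORE):
    """The 'access control list' posture: only listed system identifiers
    are resolved; everything else is skipped and reported.
    Returns (character data seen, list of refused system ids)."""
    text, refused = [], []
    p = xml.parsers.expat.ParserCreate()

    def ext_ref(context, base, system_id, public_id):
        if system_id not in allowed:
            refused.append(system_id)
            return 1          # continue parsing, entity contributes nothing
        # Child parser inherits this parser's handlers, so the entity's
        # content flows into the same CharacterDataHandler.
        sub = p.ExternalEntityParserCreate(context)
        sub.Parse(store.get(system_id, ""), True)
        return 1

    p.CharacterDataHandler = text.append
    p.ExternalEntityRefHandler = ext_ref
    p.Parse(xml_text, True)
    return "".join(text), refused
```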