xml-dev - Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack

Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack

[ Lists Home | Date Index | Thread Index ]

To: xml-dev@lists.xml.org
Subject: Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack
From: Miles Sabin <miles@milessabin.com>
Date: Wed, 30 Oct 2002 11:47:40 +0000
In-reply-to: <020201c28008$9fc35eb0$4bc8a8c0@AlletteSystems.com>
References: <200210300905.44376.miles@milessabin.com> <200210301017.21556.miles@milessabin.com> <020201c28008$9fc35eb0$4bc8a8c0@AlletteSystems.com>

Rick Jelliffe wrote,
> > Sure, but isn't that tantamount to agreeing with,
> >
> >   Suggested fix:
> >    Most XML parsers allow their user to explicitly specify external
> >    entity handler. In case of untrusted XML input it is best to
> >    prohibit all external general entities.
> >
> > because your ACL will effectively be whitelisting your *trusted*
> > sources.
>
> ???  "It is best to prohibit" is not the same thing as "allow access
> control lists".

Read it carefully: "In case of *untrusted* XML input it is best ...". 
The qualifier is important.

To all intents and purposes a list which specifies trusted sources is an 
ACL.

Cheers,


Miles

Follow-Ups:
- Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack
  - From: "Rick Jelliffe" <ricko@allette.com.au>

References:
- Seen on BugTraq: XXE (Xml eXternal Entity) attack
  - From: Miles Sabin <miles@milessabin.com>
- Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack
  - From: Miles Sabin <miles@milessabin.com>
- Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack
  - From: "Rick Jelliffe" <ricko@allette.com.au>

Prev by Date: Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack
Next by Date: Re: [xml-dev] Relative URLs using the file scheme?
Previous by thread: Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack
Next by thread: Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack
Index(es):
- Date
- Thread