OASIS Mailing List Archives
Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack


Rick Jelliffe wrote,
> > Sure, but isn't that tantamount to agreeing with,
> >
> >   Suggested fix:
> >    Most XML parsers allow their user to explicitly specify external
> >    entity handler. In case of untrusted XML input it is best to
> >    prohibit all external general entities.
> >
> > because your ACL will effectively be whitelisting your *trusted*
> > sources.
>
> ???  "It is best to prohibit" is not the same thing as "allow access
> control lists".

Read it carefully: "In case of *untrusted* XML input it is best ...".
The qualifier is important.

To all intents and purposes a list which specifies trusted sources is an 
ACL.

Cheers,


Miles
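
The two positions in the exchange above, the quoted fix (prohibit all external general entities when the input is untrusted) and the "list of trusted sources is an ACL" reading, shown side by side with Python's standard-library xml.sax parser. This is an added example, not code from the thread or from any project discussed in it. The two documents, the public identifier, the allow-list and its replacement text are constructed for the example; the parser features and the EntityResolver interface are the standard xml.sax ones.

```python
import io
import xml.sax
from xml.sax import SAXException, handler, xmlreader

# Constructed documents (not from the thread). Each declares one external
# general entity in the internal subset and references it in element content.
UNTRUSTED_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY ext SYSTEM "http://example.invalid/not-fetched">
]>
<note>&ext;</note>"""

TRUSTED_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY ext PUBLIC "-//EXAMPLE//ENTITIES Boilerplate//EN" "boilerplate.ent">
]>
<note>&ext;</note>"""

# Hypothetical allow-list (the "ACL" of the thread): public identifiers this
# application trusts, each mapped to replacement text held locally, so the
# parser never opens a file or a network connection to expand an entity.
TRUSTED_ENTITIES = {
    "-//EXAMPLE//ENTITIES Boilerplate//EN": b"Standard boilerplate",
}


class TextCollector(handler.ContentHandler):
    """Collects character data so we can see what an entity expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


class AllowListResolver(handler.EntityResolver):
    """Resolves an external entity only if its public id is on the allow-list.

    Everything else, including SYSTEM-only entities (which carry no public id),
    is rejected before any file or network access can happen."""

    def resolveEntity(self, publicId, systemId):
        body = TRUSTED_ENTITIES.get(publicId)
        if body is None:
            raise SAXException(
                "external entity not on allow-list: public=%r system=%r"
                % (publicId, systemId))
        source = xmlreader.InputSource(systemId)
        source.setByteStream(io.BytesIO(body))  # local text, never the system id
        return source


def parse_strict(data):
    """Mode 1: prohibit all external general entities (the quoted fix).

    Python 3.7.1 and later already default this feature to off; setting it
    explicitly keeps the behaviour on older interpreters and records intent."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return collector.text()


def parse_with_acl(data):
    """Mode 2: allow external general entities, but only through the allow-list.

    Raises SAXException for any entity whose public id is not trusted."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)
    parser.setEntityResolver(AllowListResolver())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return collector.text()


def acl_rejects(data):
    """True when the allow-list resolver refuses the document's external entity."""
    try:
        parse_with_acl(data)
    except SAXException:
        return True
    return False


if __name__ == "__main__":
    print("strict, untrusted doc:", repr(parse_strict(UNTRUSTED_DOC)))  # ''
    print("strict, trusted doc:  ", repr(parse_strict(TRUSTED_DOC)))    # ''
    print("acl, trusted doc:     ", repr(parse_with_acl(TRUSTED_DOC)))  # 'Standard boilerplate'
    print("acl rejects untrusted:", acl_rejects(UNTRUSTED_DOC))         # True
```

In strict mode the entity reference expands to nothing in both documents, which is the whole point of the quoted fix. In ACL mode the trusted public id expands to the locally held text and the SYSTEM-only entity is refused before the resolver ever looks at its URL; the allow-list is checked on the public identifier rather than on the system id, since the system id is chosen by whoever wrote the document.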




 

Copyright 2001 XML.org. This site is hosted by OASIS