   Re: [xml-dev] Seen on BugTraq: XXE (Xml eXternal Entity) attack


From: "Miles Sabin" <miles@milessabin.com>

> Read it carefully: "In case of *untrusted* XML input it is best ...".
> The qualifier is important.
> To all intents and purposes a list which specifies trusted sources is an
> ACL.

Miles' ACLs say "These documents are trusted, so they can access any entities".
It is a list (simplification) of documents that can make references.

My ACLs say "These entities can be accessed by any document".
It is a list (simplification) of documents that can be referred to, enforced
by a parser's entity manager.

Not the same thing at all, though certainly there may be scope for both.
I don't see how Miles' ACLs prevent the attacks suggested.  (But I don't
deny that different levels of security are appropriate for different levels
of danger!)

Rick Jelliffe
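The second kind of ACL described in this post, a list of entities that any document may refer to, enforced by the parser's entity manager, looks like this in Python's standard-library SAX parser. This is an added example, not code from the thread; the allow-list entries, the `urn:example:` identifier and the two sample documents are constructed.

```python
import io
import xml.sax
from xml.sax import handler
from xml.sax.xmlreader import InputSource

# Entity-manager allow-list: the only external entities any document may
# resolve, mapped to their content. Constructed example data.
ALLOWED_ENTITIES = {
    "urn:example:legal-footer": "Copyright notice (constructed)",
}


class AllowListResolver(handler.EntityResolver):
    """Resolve only allow-listed system identifiers; fail closed otherwise."""

    def __init__(self):
        self.blocked = []  # system ids a document tried to pull in but may not

    def resolveEntity(self, publicId, systemId):
        text = ALLOWED_ENTITIES.get(systemId)
        if text is None:
            self.blocked.append(systemId)
            raise xml.sax.SAXException("external entity not on allow-list: %r" % (systemId,))
        src = InputSource(systemId)
        src.setCharacterStream(io.StringIO(text))  # served from the list, never from disk or network
        return src


class TextCollector(handler.ContentHandler):
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_with_allow_list(xml_bytes):
    """Return (document text, blocked ids); text is None if the document was rejected."""
    resolver, collector = AllowListResolver(), TextCollector()
    parser = xml.sax.make_parser()  # fresh parser per document: a rejected parse leaves it unusable
    parser.setFeature(handler.feature_external_ges, True)  # the resolver is only consulted when this is on
    parser.setEntityResolver(resolver)
    parser.setContentHandler(collector)
    try:
        parser.parse(io.BytesIO(xml_bytes))
    except xml.sax.SAXException:
        return None, resolver.blocked
    return "".join(collector.parts), resolver.blocked


# Constructed documents: one refers to an allow-listed entity, the other does not.
GOOD_DOC = b'<!DOCTYPE r [<!ENTITY footer SYSTEM "urn:example:legal-footer">]><r>&footer;</r>'
BAD_DOC = b'<!DOCTYPE r [<!ENTITY x SYSTEM "http://not-on-the-list.example/entity.xml">]><r>&x;</r>'
```

Without a resolver the expat-based parser's default `resolveEntity` simply returns the system identifier, which `xml.sax` then opens as a local file or URL; the allow-list replaces that behaviour rather than filtering documents.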


Copyright 2001 XML.org. This site is hosted by OASIS