[
Lists Home |
Date Index |
Thread Index
]
From: "Miles Sabin" <miles@milessabin.com>
> Read it carefully: "In case of *untrusted* XML input it is best ...".
> The qualifier is important.
>
> To all intents and purposes a list which specifies trusted sources is an
> ACL.
Miles' ACLs say "These document are trusted, so they can access any entities".
It is a list (simplification) of documents that can make references.
My ACLs say "These entities can be accessed by any document".
It is a list (simplification) of documents that can be referred to, enforced
by a parser's entity manager.
Not the same thing at all, though certainly there may be scope for both.
I don't see how Miles' ACLs prevent the attacks suggested. (But I don't
deny that different levels of security are appropriate for different levels
of danger!)
Cheers
Rick Jelliffe
|