OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

 


 

   RE: [xml-dev] Excellent IETF BCP on XML

[ Lists Home | Date Index | Thread Index ]

Yes, I have but I may be missing your point. 
We've known about external entity retrieval 
problems since the SGML days.  They were a 
nuisance more than a threat then.   Somewhere way 
back when, this issue was brought up by 
Newcomb, myself, et al at the dawn of the 
webUberAlles era.   It is pretty obvious to 
anyone that thinks about linking.  Remember, 
the concept of linkbases is really really old. 
The wrinkle never seen before was using them 
for names too.  In olden times, one could 
use a PUBLIC name and it would be non-dereferenceable 
by design rather than by fiat.

I am simply wondering how many other ways it can 
be exploited using the network if the AnythingImportantIsURINamed 
and Smart People Prepend HTTP philosophy is 
followed without understanding that these things 
are always/whereevertheyarefound dereferenceable.

len

-----Original Message-----
From: Miles Sabin [mailto:miles@milessabin.com

Bullard, Claude L (Len) wrote,
> Yep.  However, since packets are sniffable?

Umm ... you've not been paying attention, have you ;-)

Other than the stuff David mentioned, the external entity attacks I 
disussed here,




 

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS