OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

 


 

   Re: [xml-dev] Excellent IETF BCP on XML

[ Lists Home | Date Index | Thread Index ]

Bullard, Claude L (Len) wrote,
> Yes, I have but I may be missing your point.

My apologies.

Partly it's just "Beware!".

But it's also a more specific concern about URIs as names. Where URIs 
are used as names there's an almost irresitable urge to attempt to 
dereference them. Where the target is expected to be machine 
processable there's a similarly irresistable urge to have software 
dereference them automatically ... and that's dangerous.

Worse is to move from a state where URIs as names _aren't_ expected to 
be usefully dereferencable to one where they _are_. Suppose you upgrade 
your underlying XML processor from a version which doesn't grok RDDL to 
one which does and which unbeknownst to you defaults to retrieval. Your 
application hasn't changed, but all of a sudden it's making unexpected 
outgoing network connections in response to incoming documents. This is 
likely to be a surprise, potentially a very unpleasant one.

> I am simply wondering how many other ways it can be exploited using
> the network if the AnythingImportantIsURINamed and Smart People
> Prepend HTTP philosophy is followed without understanding that these
> things are always/whereevertheyarefound dereferenceable.

As many ways as applications can have bugs and security holes ... IOW 
innumerable.

Cheers,


Miles




 

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS