Lists Home |
Date Index |
Bullard, Claude L (Len) wrote,
> Yes, I have but I may be missing your point.
Partly it's just "Beware!".
But it's also a more specific concern about URIs as names. Where URIs
are used as names there's an almost irresitable urge to attempt to
dereference them. Where the target is expected to be machine
processable there's a similarly irresistable urge to have software
dereference them automatically ... and that's dangerous.
Worse is to move from a state where URIs as names _aren't_ expected to
be usefully dereferencable to one where they _are_. Suppose you upgrade
your underlying XML processor from a version which doesn't grok RDDL to
one which does and which unbeknownst to you defaults to retrieval. Your
application hasn't changed, but all of a sudden it's making unexpected
outgoing network connections in response to incoming documents. This is
likely to be a surprise, potentially a very unpleasant one.
> I am simply wondering how many other ways it can be exploited using
> the network if the AnythingImportantIsURINamed and Smart People
> Prepend HTTP philosophy is followed without understanding that these
> things are always/whereevertheyarefound dereferenceable.
As many ways as applications can have bugs and security holes ... IOW