OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   Re: [xml-dev] Excellent IETF BCP on XML

[ Lists Home | Date Index | Thread Index ]

Paul Prescod wrote,
> Miles Sabin wrote:
> > Apparently not ...
> >
> >   http://www.kb.cert.org/vuls/id/210148
> Interesting.
> But note that there is a difference between downloading URIs and
> dereferencing them. Dare was talking about dereferencing and piping
> to less. The data never touches the file system (under any name).

In this case that's probably true ... in fact, I think the vulnerability 
only affects multiple gets, where the client first retrieves then 
blindly trusts a list of names from the server.

But my point still stands. It isn't just clients executing retrieved 
"active" content that represents a risk: flaws in the clients 
implementation of the base protocol can be just as dangerous. Even tho' 
_this_particular_ wget vulnerability probably wouldn't be tripped in 
the kind of scenarios that Tim was talking about, it's only a whisker 
away from something that _would_ be dangerous.

So how much do you trust the implementations of the network clients you 
use? Do you trust them enough to have a process feed them arbitrary 
URIs for dereferencing while left unattended?




News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS