Paul Prescod wrote,
> Miles Sabin wrote:
> > But my point still stands. It isn't just clients executing
> > retrieved "active" content that represents a risk: flaws in the
> > clients implementation of the base protocol can be just as
> > dangerous.
> True, but true also of any other protocol all the way down to IP or
Agreed ... tho' by and large the lower down the stack you go, the more
mature the code, so the less likelihood (nb. only less _likelihood_)
there is of undiscovered flaws.
> Let's just say that HTTP GET is as safe as it is possible for a
> network operation to be.
You can only say that relative to a particular implementation.
I think we're all used to the idea that servers have to be coded
defensively. And we're all aware that interactive clients which execute
active content need to be coded defensively too. But servers which also
act as non-interactive clients are less commonplace, and to the extent
that they're thought about at all, there might be a temptation to
assume that because they don't typically execute active content
automatically they're relatively safe. I don't think that's a safe
assumption, and the wget vulnerability illustrates why it isn't.
> > So how much do you trust the implementations of the network clients
> > you use? Do you trust them enough to have a process feed them
> > arbitrary URIs for dereferencing while left unattended?
> Google and Alta Vista do, with no apparent ill effects.
I would hope that Google and Altavista audit their, presumably custom,
network client implementations thoroughly and continuously given how
central unattended clients are to their business.
I'm less hopeful that others will be as scrupulous as necessary ...
particularly if they're unaware, or only hazily aware, that they're
operating unattended network clients at all. That's why I'm so
excitable about off-the-shelf XML parsers which default to
dereferencing external entities, and proposals which might encourage
the dereferencing of URIs which weren't previously thought of as
typically being usefully dereferenceable non-interactively (i.e.
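The parser default Miles warns about above, as an added example that is not part of the original thread: a Python xml.sax setup for an unattended client that keeps external general entity fetching off and installs an entity resolver that records and refuses any external system id the parser asks for. The XML document and the file URL in it are constructed sample values, not real resources.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges

# Constructed sample document: its DTD declares an external general entity
# and the body references it. The file URL is a placeholder, not a real target.
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY ext SYSTEM "file:///tmp/hypothetical-external-resource.txt">
]>
<note><body>before &ext; after</body></note>
"""


class TextCollector(ContentHandler):
    """Collects character data so we can see what the parser actually produced."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


class RefusingResolver(EntityResolver):
    """Records every external system id requested and refuses to fetch it.
    With external general entities disabled the parser never calls this;
    it is the second line of defence (and an audit trail) if the feature
    is ever switched back on."""
    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        raise xml.sax.SAXException("refusing to dereference external entity: " + systemId)


def parse_unattended(data, allow_external=False):
    """Parse bytes with xml.sax; external entity fetching is off unless enabled."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external)
    resolver = RefusingResolver()
    parser.setEntityResolver(resolver)
    handler = TextCollector()
    parser.setContentHandler(handler)
    try:
        parser.parse(io.BytesIO(data))
    except xml.sax.SAXException as exc:
        return {"ok": False, "error": str(exc), "requested": resolver.requested, "text": ""}
    return {"ok": True, "error": None, "requested": resolver.requested,
            "text": "".join(handler.chunks)}
```

With the feature off the entity reference is silently skipped and nothing is requested; with it on, the resolver is consulted, logs the system id, and aborts the parse instead of fetching it.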