On Thu, 19 Dec 2002 17:56:00 +0000, Bill de hÓra <bill.dehora@propylon.com>
wrote:
>
>
> I'm not asking for the feature to be removed, just make the default
> setting compliant with XML. If you don't want entities expanded, turn
> them off. Having to turn them on frankly breaks with the spirit of
> things.
>
Upon reflection, I guess I am very ambivalent, but tending toward being
convinced by the arguments here. The only compelling reasons for defaulting
to "no entities" that I can think of are a) the statistical likelihood that
external entities will cause problems; and b) the billion laughs DOS
attack. I have no idea if the latter was part of MS's design decision,
but http://online.securityfocus.com/archive/1/303509/2002-12-13/2002-12-19/0
does suggest "If possible, disable DTD in the XML parser. This
requires raw access to the XML parser API, which is usually impossible for
Web Services applications." (Of course, a SOAP message shouldn't have a
DTD in the first place, but, ahem, "be liberal in what you consume" ...).
Still, on balance, the argument that "System.XML should play by the XML
rules rather than the SOAP rules, define a System.SOAP if you want to
expose the SOAP rules" is pretty persuasive. But I guess I don't think of
this as a black/white compliant/non-compliant issue, but just another one
of the shades-of-grey things we have to deal with. I'm frankly glad I
don't have to make the decision! Damned if you appear to be non-compliant,
double-damned if your customers get hit with some (accidental or
deliberate) performance hit from a recursive entity expansion scenario.