xml-dev - Re: [xml-dev] SAX characters event and external entities

Re: [xml-dev] SAX characters event and external entities

[ Lists Home | Date Index | Thread Index ]

To: xml-dev@lists.xml.org
Subject: Re: [xml-dev] SAX characters event and external entities
From: Richard Tobin <richard@cogsci.ed.ac.uk>
Date: Wed, 5 Mar 2003 23:27:13 GMT
Cc:
In-reply-to: <15973.22900.234172.936044@megginson.com>
Organization: HCRC, University of Edinburgh

>Here's an easy attack -- send you a start tag, then just keep sending
>random alphanumeric characters until your system chokes.  An arbitrary
>limit -- even a very high one, like a few gigabytes -- would be useful.

This seems like the wrong level to deal with it.  If your worry is
memory use, limit memory use, not the length of element names.  Either
use the operating system's facilities for limiting memory, or have a
special purpose allocator.  (Or is that too difficult in languages like
Java?)

I had to address this in my on-line validator, and did it by using
unix's memory and cpu time limits.

-- Richard

References:
- Re: [xml-dev] SAX characters event and external entities
  - From: David Megginson <david@megginson.com>

Prev by Date: Re: [xml-dev] SAX characters event and external entities
Next by Date: Re: [xml-dev] Life as an SGML Neanderthal (WAS RE: [xml-dev] The subsetting has begun)
Previous by thread: Re: [xml-dev] SAX characters event and external entities
Next by thread: re: [xml-dev] SAX characters event and external entities
Index(es):
- Date
- Thread