On Tue, 30 Mar 2004, Rich Salz wrote:
> > and I'd bet a zillion bucks that there are awful vulnerabilities lurking
> > in the cracks where nobody could possibly have thought to look. -Tim
>
> There are some that are inherent in XML itself: entities for example,
> and the fact that there are no size limits (element name with 1e6
> characters, or 1e6 attributes, or a document 1e6 elements deep). This
> makes XML inherently more "dangerous" than classic binary formats like
> ASN.1/DER.
Maybe SGML would be more secure? Hard limits on element name sizes and
attribute counts could be enforced in the SGML declaration.
// Gregory Murphy. Isopaleocopria.
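
Hard limits of the kind discussed in this thread can also be enforced by the consumer at parse time. The following is an added example, not part of the original messages: a Python check built on the standard library's expat binding, where the function name `check_xml` and the limit values are assumptions chosen for illustration.

```python
import xml.parsers.expat

class LimitExceeded(Exception):
    """Raised when the document breaks one of the configured hard limits."""

# Constructed limits for illustration; tune them to the application.
LIMITS = {"name_len": 256, "attrs": 64, "depth": 128, "bytes": 1 << 20}

def check_xml(data: bytes, limits=LIMITS) -> int:
    """Parse data and return the element count, or raise LimitExceeded."""
    # expat tokenizes a whole name before the handler sees it, so the
    # total-size cap is what bounds memory for a single huge token.
    if len(data) > limits["bytes"]:
        raise LimitExceeded("document too large")
    state = {"depth": 0, "count": 0}

    def start(name, attrs):
        state["depth"] += 1
        state["count"] += 1
        if state["depth"] > limits["depth"]:
            raise LimitExceeded("nesting too deep")
        if len(name) > limits["name_len"]:
            raise LimitExceeded("element name too long")
        # With ordered_attributes set, attrs is a flat [name, value, ...] list.
        if len(attrs) // 2 > limits["attrs"]:
            raise LimitExceeded("too many attributes")

    def end(name):
        state["depth"] -= 1

    def entity_decl(*args):
        # Refuse documents that declare entities instead of expanding them.
        raise LimitExceeded("entity declarations not accepted")

    p = xml.parsers.expat.ParserCreate()
    p.ordered_attributes = True
    p.StartElementHandler = start
    p.EndElementHandler = end
    p.EntityDeclHandler = entity_decl
    p.Parse(data, True)  # exceptions raised in handlers propagate from here
    return state["count"]
```

Malformed input still raises `xml.parsers.expat.ExpatError`, so callers should treat both exception types as a rejected document.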