On Mon, Nov 22, 2004 at 11:52:09PM +0200, Oleg Tkachenko wrote:
> Liam Quin wrote:
> >One can do validation in the writer and then plausibly skip the sort of
> >checks you mention in a reader, and still be talking about XML, even
> >with today's textual interchange formats.
> I believe that would be a disaster from security's "all input is evil"
> point of view.
I didn't say to skip _all_ checks!!! Nor in fact do I think it's a
good thing. A better way is to design a format in which such checks
are not needed because the format can't represent the error conditions
which Derek mentioned. Doing that generally requires a schema-aware
connection (or at least DTD-aware).
In practice I doubt that checking for duplicated attribute values is
often a significant CPU expense but I haven't ever measured.
The trick here would be to design the next layer up (the application) to
be robust in the face of such errors, and to design the unbinarification
layer to deliver the input robustly. This is an issue for all
processing, whether of data generated internally within a program or
externally and read as input. Part of the trick to getting it right lies
in identifying the boundaries correctly, but there's no single right
answer to writing secure and/or robust systems, and relaxing constraints
on the input data shouldn't be the deciding factor.
Liam Quin, W3C XML Activity Lead, http://www.w3.org/People/Quin/
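The duplicated-attribute case mentioned above, as an added illustration that is not part of the thread: two hypothetical readers that skip the check disagree about which value wins, while a reader that keeps the check (expat, via ElementTree) rejects the input instead of guessing. The sample documents are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: one element carries the same attribute twice, the
# kind of error condition a reader is expected to catch.
DUP_ATTR_DOC = '<user role="guest" role="admin">alice</user>'
CLEAN_DOC = '<user role="guest">alice</user>'

# Hypothetical ad hoc attribute scanner standing in for a reader that
# skips the well-formedness checks.
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def _start_tag_attrs(doc):
    """Return (name, value) pairs from the first start tag, in document order."""
    return ATTR_RE.findall(doc[: doc.index(">")])


def lax_read_last_wins(doc):
    """Reader without the duplicate check: a later value overwrites an earlier one."""
    attrs = {}
    for name, value in _start_tag_attrs(doc):
        attrs[name] = value
    return attrs


def lax_read_first_wins(doc):
    """Another reader without the check, but it keeps the first value it saw."""
    attrs = {}
    for name, value in _start_tag_attrs(doc):
        attrs.setdefault(name, value)
    return attrs


def strict_read(doc):
    """Reader with the check: expat refuses duplicate attributes outright.

    Returns the attribute dict, or None when the document is rejected.
    """
    try:
        root = ET.fromstring(doc)
    except ET.ParseError:
        return None
    return dict(root.attrib)


if __name__ == "__main__":
    print("last wins :", lax_read_last_wins(DUP_ATTR_DOC))   # {'role': 'admin'}
    print("first wins:", lax_read_first_wins(DUP_ATTR_DOC))  # {'role': 'guest'}
    print("strict    :", strict_read(DUP_ATTR_DOC))          # None
    print("strict ok :", strict_read(CLEAN_DOC))             # {'role': 'guest'}
```

Two lax readers handing different answers to the application layer is exactly the situation the reply warns against designing around; the strict reader delivers either a consistent result or a clear rejection.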