OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

 


 

   Re: [xml-dev] Wrapping Scripted Media in RSS: Secure?

[ Lists Home | Date Index | Thread Index ]

Bullard, Claude L (Len) wrote:
> I don't get the question, Sterling.  That post was 
> about the inherent insecurities of script languages 
> inside content.  RSS is not an exception.

But isn't this more about server admins than possible problems with 
script in content?

How can their be problems if the script cannot be executed? If the 
script can be executed, then it is up to the server admin to lock down 
access to critical areas.

For example, I allow Velocity code, written by /untrusted/ users, to be 
executed on one of my servers. But java has a security manager that 
allows you to limit what the org.apache.velocity.runtime.parser.node 
package can do (i.e. grabbing a classloader and then having access to 
anything - System.exec...). How would I be vulnerable if there is 
nothing to process perl, JSP or what-have-you?

The problem is not with 'inherent insecurities of script languages 
inside content', it is with whoever maintains the server system. In 
other words, I think you are looking at the wrong culprit.

best,
-Rob




 

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS