Re: [xml-dev] Entities can execute system level commands?
- From: "G. Ken Holman" <gkholman@CraneSoftwrights.com>
- To: "xml-dev@lists.xml.org" <xml-dev@lists.xml.org>
- Date: Mon, 19 Jul 2010 09:16:21 -0400
At 2010-07-19 09:08 -0400, Costello, Roger L. wrote:
>Hi Folks,
>
>The RFC on XML Media Types (RFC2376) says this in the section on
>Security Considerations:
>
> XML entities contain
> information to be parsed and processed by the recipient's XML system.
> These entities may contain and such systems may permit explicit
> system level commands to be executed while processing the data. To
> the extent that an XML system will execute arbitrary command strings,
> recipients of XML entities may be at risk. In general, it may be
> possible to specify commands that perform unauthorized file
> operations ...
>
>Yikes!
>
>How can the use of an entity result in "explicit system level
>commands to be executed while processing the data"?
>
>For example, here is an XML document that contains an external
>entity reference:
>
><?xml version="1.0"?>
><!DOCTYPE BookCatalogue [
> <!ENTITY Book SYSTEM "Book.xml">
>]>
><BookCatalogue>
> &Book;
> <Book>
> <Title>Illusions The Adventures of a Reluctant
> Messiah</Title>
> <Author>Richard Bach</Author>
> <Date>1977</Date>
> <ISBN>0-440-34319-4</ISBN>
> <Publisher>Dell Publishing Co.</Publisher>
> </Book>
> <Book>
> <Title>The First and Last Freedom</Title>
> <Author>J. Krishnamurti</Author>
> <Date>1954</Date>
> <ISBN>0-06-064831-7</ISBN>
> <Publisher>Harper & Row</Publisher>
> </Book>
></BookCatalogue>
>
>How can this entity execute system level commands?
I can't see how your example would, but what about:
<!ENTITY Book SYSTEM "urn:X-mySystem:exec:MakeBookProcess">
... with an appropriate entity resolver, or:
<!ENTITY Book SYSTEM "http://www.othersystem/cgi/MakeBookProcess">
As with any sharp instrument you use it with care. Just don't have
an entity resolver that is so equipped. And, anyway, if your URI
points to another system, wouldn't the logic be run on that
system and not on yours?
If you simply make reference to an XML file, you shouldn't have a problem.
And note that an external parsed general entity (as you have &Book;)
cannot point to a fragment with its own internal declaration
subset. If you use external parameter entities then they can have
their own external parameter entity references.
I hope this helps.
. . . . . . . . . . . Ken
--
XSLT/XQuery training: after http://XMLPrague.cz 2011-03-28/04-01
Vote for your XML training: http://www.CraneSoftwrights.com/x/i/
Crane Softwrights Ltd. http://www.CraneSoftwrights.com/x/
G. Ken Holman mailto:gkholman@CraneSoftwrights.com
Male Cancer Awareness Nov'07 http://www.CraneSoftwrights.com/x/bc
Legal business disclaimers: http://www.CraneSoftwrights.com/legal
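Ken's advice (don't ship an entity resolver "so equipped") put into Python's xml.sax, as an added example that is not code from this thread: external general entities stay unresolved unless explicitly enabled, and the resolver that is installed refuses any SYSTEM identifier instead of fetching or executing it. The catalogue text below is constructed for this example from Roger's document with Ken's hypothetical urn: entity.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges

# Constructed sample: Roger's catalogue cut down, with the declaration Ken
# gave as the dangerous case instead of the harmless "Book.xml".
CATALOGUE = """<?xml version="1.0"?>
<!DOCTYPE BookCatalogue [
 <!ENTITY Book SYSTEM "urn:X-mySystem:exec:MakeBookProcess">
]>
<BookCatalogue>
 &Book;
 <Book><Title>The First and Last Freedom</Title></Book>
</BookCatalogue>
"""


class ExternalEntityRefused(Exception):
    """Raised instead of dereferencing an external system identifier."""
    def __init__(self, system_id):
        super().__init__(f"refused external entity: {system_id}")
        self.system_id = system_id


class RefusingResolver(EntityResolver):
    """Entity resolver that never fetches (or executes) anything."""
    def resolveEntity(self, publicId, systemId):
        raise ExternalEntityRefused(systemId)


class TitleCollector(ContentHandler):
    """Collects <Title> text; expat may deliver it in several chunks."""
    def __init__(self):
        super().__init__()
        self.titles = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "Title":
            self._buf = []

    def characters(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def endElement(self, name):
        if name == "Title":
            self.titles.append("".join(self._buf))
            self._buf = None


def parse_titles(xml_text, resolve_external=False):
    """Parse the catalogue; with resolve_external=False, &Book; expands to nothing."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    parser.setEntityResolver(RefusingResolver())
    handler = TitleCollector()
    parser.setContentHandler(handler)
    parser.parse(io.StringIO(xml_text))
    return handler.titles


def refused_system_id(xml_text):
    """Enable external entities and report which system id the resolver blocked."""
    try:
        parse_titles(xml_text, resolve_external=True)
    except ExternalEntityRefused as exc:
        return exc.system_id
    return None
```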