Re: [xml-dev] Entities can execute system level commands?
- From: David Carlisle <davidc@nag.co.uk>
- To: "Costello, Roger L." <costello@mitre.org>
- Date: Mon, 19 Jul 2010 14:20:19 +0100
On 19/07/2010 14:08, Costello, Roger L. wrote:
> How can the use of an entity result
Saying an XML file may contain system commands that may be executed is
like saying an ASCII file might contain commands.
It all depends what the XML is; if it is XSLT or Ant or ... then more or
less by definition it contains commands that may be executed, and
executing commands you have obtained from elsewhere has obvious security
implications, which is why it is mentioned in that section.
Note by the way that when the MIME specs talk of "entity" they mean what
XML calls a document (or external parsed entity), so you don't need to
give an example using <!ENTITY; it's not talking about XML entity
references.
As noted in the RFC that you cite:
(Note that, as sometimes happens between two communities, both MIME
and XML have defined the term entity, with different meanings.)
David
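As an added example (not part of David Carlisle's reply or of the original thread), here is a Python check in the spirit of his point: whether an XML file carries commands depends on what kind of XML it is. The function classifies a document by its root element alone, recognising the XSLT namespace and an Ant-style `project`/`target` layout (the Ant heuristic is my assumption; Ant build files carry no namespace), so that a consumer can decide not to hand untrusted content to an XSLT processor or build tool. The sample documents are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample documents, not taken from the thread.
XSLT_DOC = b"""<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><out/></xsl:template>
</xsl:stylesheet>"""

ANT_DOC = b"""<?xml version="1.0"?>
<project name="demo" default="run">
  <target name="run"><echo message="hello"/></target>
</project>"""

DATA_DOC = b"""<?xml version="1.0"?>
<invoice><total>42.00</total></invoice>"""

XSLT_NS = "http://www.w3.org/1999/XSL/Transform"


def classify(xml_bytes: bytes) -> str:
    """Return 'xslt', 'ant' or 'data' based on the root element only.

    The stdlib ElementTree/expat parser does not fetch external DTDs or
    external entities, so this inspection itself causes no file or
    network access; it only looks at the root element name and namespace.
    """
    root = ET.fromstring(xml_bytes)
    # Tags are reported as "{namespace}local" when a namespace is present.
    ns, _, local = root.tag.rpartition("}")
    ns = ns.lstrip("{")
    if ns == XSLT_NS and local in ("stylesheet", "transform"):
        return "xslt"
    # Heuristic (assumption): an Ant build file is an un-namespaced
    # <project> root that declares at least one <target>.
    if ns == "" and local == "project" and root.find("target") is not None:
        return "ant"
    return "data"


def is_executable_content(xml_bytes: bytes) -> bool:
    """True when the document is a kind of XML that is meant to be run."""
    return classify(xml_bytes) != "data"


if __name__ == "__main__":
    for name, doc in (("xslt", XSLT_DOC), ("ant", ANT_DOC), ("data", DATA_DOC)):
        print(name, "->", classify(doc), "executable:", is_executable_content(doc))
```

The check deliberately inspects the document without transforming or running it; the decision to pass it to an XSLT engine or to Ant is made by the caller after seeing the classification, which is the point of the reply: the risk is in executing what you received, not in the bytes being XML.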