XML.orgXML.org
FOCUS AREAS |XML-DEV |XML.org DAILY NEWSLINK |REGISTRY |RESOURCES |ABOUT
OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]
Re: [xml-dev] Entities can execute system level commands?

On 19/07/2010 14:08, Costello, Roger L. wrote:
 > How can the use of an entity result


saying an xml file may contain system commands that may be executed is 
like saying an ascii file might contain commands.

It all depends what the xml is, if it is xslt or ant or ... then more or 
less by definition it contains commands that may be executed, and 
executing commands you have obtained from elsewhere has obvious security 
implications, which is why it is mentioned in that section.


Note by the way that when the mime specs talk of "entity" they mean what 
xml calls a document (or external parsed entity). so you don't need to 
give an example using  <!ENTITY it's not talking about xml entity 
references.


as noted in the rfc that you cite:

   (Note that, as sometimes happens between two communities, both MIME
    and XML have defined the term entity, with different meanings.)


David

________________________________________________________________________
The Numerical Algorithms Group Ltd is a company registered in England
and Wales with company number 1249803. The registered office is:
Wilkinson House, Jordan Hill Road, Oxford OX2 8DR, United Kingdom.

This e-mail has been scanned for all viruses by Star. The service is
powered by MessageLabs. 
________________________________________________________________________


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 1993-2007 XML.org. This site is hosted by OASIS