Re: XPath/XQuery and all that

Michael(tm) Smith wrote:
> Stephen Farrell <stephen.farrell@cs.tcd.ie>, 2006-11-14 19:28 +0000:
> 
>> XPath and similar languages are effectively almost programming
>> languages and can therefore potentially badly affect the end
>> user.
> 
> How, exactly? XPath itself is just an addressing mechanism
> that can be used by other languages (such as XSLT). It's not, on
> its own, a Turing-complete programming language as Javascript is.

My (poor) understanding of it is that it can be made to loop and
has variables, but perhaps that's only in conjunction with XSLT
or something.

> I know there are security considerations around XSLT, which has
> a document() function and xsl:import and xsl:include elements
> (which all can potentially enable an XSLT stylesheet to load a
> document from an arbitrary URI).
> 
>> In contrast with Java/Javascript these are less likely
>> to have separate content types or browser settings/controls
>> that the user can set and understand.
> 
> True. There is no "Disable XPath" option in any browser that I
> know of. I think there may not even be a "Disable XSLT" option in
> any of the browsers that have XSLT support.

Right. So the possibly-just-about-relevant concern here would
be that WSC does such a fine job on the lower-hanging fruit
that bad actors move to (ab-)using these less well known
"advanced" XML technologies. (I have a general concern that
many of these XML technologies are being developed with no or
few accompanying security considerations, but that's not a WSC
thing.)

>> I don't claim to know the answer, but the question relates to
>> these examples of sort-of-active content - should WSC consider
>> these in the same way as Java/Javascript or not? And either way,
>> what's the boundary between passive and active content? (I
>> assume we'll need some description of "active" content that
>> users have to be more careful about.)
>>
>> These technologies may also be worth considering if we think
>> of the user's machine as a DDoS attack vector. (Attack web
>> server, modify content to include dodgy XPath expressions that
>> attack someone. Innocent browsers rip away.)
> 
> Can you give a specific example of a dodgy XPath expression and
> how it might be used to do something malicious.

Don't have details to hand but a student of mine demo'd an
equivalent to "select * from *" against a sql DB last year, put
the CPU to 100% for about 10 minutes and it's not entirely clear
how to defend against that in general. As I (don't really) understand
it, basically most SQL problems can be re-created with XPath (maybe
in conjunction with XSLT or something). There's also an infinite
loop that was demonstrated against a few browsers but that is
presumably now fixed. If you like I can retrieve the details
tomorrow but I expect those are both searchable.

Stephen.
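An added example, not from this thread and not code by either correspondent: the external-loading concern raised above (document(), xsl:import and xsl:include fetching arbitrary URIs) is exactly what a server-side XSLT processor can be configured to refuse. It assumes a JAXP 1.5 or later processor such as the one bundled with the JDK; the stylesheet and the external URI are constructed placeholders.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class HardenedXslt {
    // Constructed stylesheet: it tries to pull an external document in via
    // document(). The host is a placeholder, not a real address.
    static final String STYLESHEET =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
      + "  <xsl:template match=\"/\">"
      + "    <out><xsl:copy-of select=\"document('http://external.example/x.xml')\"/></out>"
      + "  </xsl:template>"
      + "</xsl:stylesheet>";

    static final String INPUT = "<doc/>";

    // A default TransformerFactory will happily resolve document(), xsl:import
    // and xsl:include over the network. These JAXP 1.5 attributes restrict the
    // allowed protocols; the empty string allows none.
    static TransformerFactory hardenedFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); // document()/import/include
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");        // external DTDs/entities
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);  // also limits extension functions
        return tf;
    }

    static String transform(TransformerFactory tf) throws Exception {
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(STYLESHEET)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(INPUT)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        try {
            System.out.println(transform(hardenedFactory()));
        } catch (TransformerException e) {
            // With the restrictions in place the external load is refused at
            // transform time instead of reaching out to the placeholder host.
            System.out.println("external load blocked: " + e.getMessage());
        }
    }
}
```

Older processors that predate JAXP 1.5 throw IllegalArgumentException from setAttribute, which is itself a useful signal that the deployment cannot be locked down this way.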

Received on Tuesday, 14 November 2006 20:50:49 UTC