- From: Cantor, Scott <cantor.2@osu.edu>
- Date: Mon, 8 Jun 2015 17:40:36 +0000
- To: Juan Carlos Cruellas <cruellas@ac.upc.edu>, Hal Lockhart <hal.lockhart@oracle.com>, "public-xmlsec@w3.org" <public-xmlsec@w3.org>
On 6/8/15, 1:06 PM, "Juan Carlos Cruellas" <cruellas@ac.upc.edu> wrote:

>Thanks for this Scott and Hal,
>
>I see your point...however, I tend to think that there is no point in
>having a driver file that points to nowhere, and IMHO this should be
>changed to point to the right place: as it is now it is basically
>making a wrong statement.

That's clearly a bug, I was commenting more to the other issue. Imports in schemas with locations are essentially inherent security bugs waiting to happen. I wish XSD had required catalogs outright from the start.

>then implementers could store them wherever they want....or do
>you think that doing that this could bring some security issue for
>implementers that once downloaded the right xml schema files just make
>use of these locally stored files?

I know they will. They do. Real live software sold for thousands of dollars will remotely fetch schemas at runtime.

-- Scott
Received on Monday, 8 June 2015 17:41:10 UTC
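
An added illustration of the concern raised in the message above (not part of the original e-mail and not W3C code): a Python audit that lists the `xs:import`, `xs:include` and `xs:redefine` references in a schema and flags those whose `schemaLocation` points at a remote host and is not mapped to a vetted local copy. The sample schema, the `urn:example:*` namespaces, the `example.org` URLs and the dict standing in for an XML catalog are all constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XS = "{http://www.w3.org/2001/XMLSchema}"
REF_TAGS = {XS + "import", XS + "include", XS + "redefine"}

# Constructed driver schema; every namespace and location here is made up.
SAMPLE_XSD = """<?xml version="1.0"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           targetNamespace="urn:example:driver">
  <xs:import namespace="urn:example:sig"
             schemaLocation="http://schemas.example.org/sig.xsd"/>
  <xs:import namespace="urn:example:enc"
             schemaLocation="https://schemas.example.org/enc.xsd"/>
  <xs:import namespace="urn:example:local" schemaLocation="local.xsd"/>
  <xs:include schemaLocation="//schemas.example.org/types.xsd"/>
  <xs:import namespace="urn:example:nohint"/>
</xs:schema>"""

# Stand-in for an XML catalog: namespace or location -> vetted local file.
CATALOG = {"urn:example:sig": "schemas/sig.xsd"}

def is_remote(location):
    """True when the hint names a network host (http, https, ftp or //host)."""
    parts = urlparse(location)
    return parts.scheme.lower() in {"http", "https", "ftp"} or bool(parts.netloc)

def audit(xsd_text, catalog):
    """Return (element, namespace, location, verdict) per schema reference."""
    findings = []
    for el in ET.fromstring(xsd_text).iter():
        if el.tag not in REF_TAGS:
            continue
        ns, loc = el.get("namespace"), el.get("schemaLocation")
        if ns in catalog or loc in catalog:
            verdict = "catalog"        # resolved from the pinned local copy
        elif loc is None:
            verdict = "no-location"    # resolver must be told where to look
        elif is_remote(loc):
            verdict = "remote"         # a validator honouring the hint goes to the network
        else:
            verdict = "local"          # relative or file path next to the driver
        findings.append((el.tag[len(XS):], ns, loc, verdict))
    return findings

if __name__ == "__main__":
    for kind, ns, loc, verdict in audit(SAMPLE_XSD, CATALOG):
        print(f"{verdict:12} {kind:8} ns={ns} loc={loc}")
```

Anything reported as `remote` is a reference to either add to the catalog or strip from the deployed copy of the schema, together with disabling network resolution in the validator.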