W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > April to June 2002

RE: WebDAV XML handling vs. external entities

From: Jim Whitehead <ejw@cse.ucsc.edu>
Date: Wed, 19 Jun 2002 14:30:13 -0700
To: "Julian Reschke" <julian.reschke@gmx.de>, <w3c-dist-auth@w3c.org>
Message-ID: <AMEPKEBLDJJCCDEJHAMIGEPPEPAA.ejw@cse.ucsc.edu>

> there was recently an xml-dev thread about security problems allowing
> arbitrary XML in protocols (see for instance [1]).

This topic is also discussed in RFC 2518, in Section 17.7 (Implications of
XML External Entities).

> As WebDAV doesn't need resolution of external entities / DTD
> validation, I'd suggest to specfiy that servers and clients MUST NOT
> resolve external entities, that is, MUST reject any WebDAV protocol
> message that contains external entities.

In RFC 2518, we didn't go so far as to outlaw external entities, since (a)
it didn't seem that likely they would ever get shipped across the wire, and
(b) they might be useful for extensibility. But, after several years of
implementation, I don't know of any uses of XML external entities, so I'd be
fine with prohibiting them.

- Jim
Received on Wednesday, 19 June 2002 17:31:39 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:44:00 GMT