
RE: WebDAV XML handling vs. external entities

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 19 Jun 2002 23:43:25 +0200
To: "Jim Whitehead" <ejw@cse.ucsc.edu>, "Julian Reschke" <julian.reschke@gmx.de>, <w3c-dist-auth@w3c.org>
Message-ID: <JIEGINCHMLABHJBIGKBCMEMNEMAA.julian.reschke@gmx.de>

> From: Jim Whitehead [mailto:ejw@cse.ucsc.edu]
> Sent: Wednesday, June 19, 2002 11:30 PM
> To: Julian Reschke; w3c-dist-auth@w3c.org
> Subject: RE: WebDAV XML handling vs. external entities
>
>
> > there was recently an xml-dev thread about security problems allowing
> > arbitrary XML in protocols (see for instance [1]).
>
> This topic is also discussed in RFC 2518, in Section 17.7 (Implications of
> XML External Entities).

Indeed. Missed that part :-)

> > As WebDAV doesn't need resolution of external entities / DTD
> > validation, I'd suggest to specify that servers and clients MUST NOT
> > resolve external entities, that is, MUST reject any WebDAV protocol
> > message that contains external entities.
>
> In RFC 2518, we didn't go so far as to outlaw external entities, since (a)
> it didn't seem that likely they would ever get shipped across the
> wire, and
> (b) they might be useful for extensibility. But, after several years of
> implementation, I don't know of any uses of XML external
> entities, so I'd be
> fine with prohibiting them.

I think we should clarify. Right now, existing servers seem to either
ignore the external entity (mod_dav) or report an error (IIS). I think the
former is wrong because it means that part of the request wasn't parsed, so
the request shouldn't be executed. For the sake of clarity, I think it would
be a good thing to recommend that servers should fail the request.

Julian
Received on Wednesday, 19 June 2002 17:43:59 GMT
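As an added example (not code from this thread, mod_dav or IIS), the following Python sketch contrasts the two server behaviours Julian describes: silently dropping an external entity versus failing the whole request. It uses only the standard-library expat parser; the PROPFIND bodies and the SYSTEM identifier in the entity declaration are constructed placeholders.

```python
import xml.parsers.expat

# Constructed sample bodies (not taken from the thread).
PROPFIND_PLAIN = b"""<?xml version="1.0" encoding="utf-8"?>
<D:propfind xmlns:D="DAV:"><D:prop><D:displayname/></D:prop></D:propfind>"""

# Same request, but the <D:prop> content is supplied by an external entity.
# The SYSTEM identifier is a placeholder; the parser below never opens it.
PROPFIND_EXTERNAL = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE D:propfind [ <!ENTITY props SYSTEM "PLACEHOLDER-URI"> ]>
<D:propfind xmlns:D="DAV:"><D:prop>&props;</D:prop></D:propfind>"""


class ExternalEntityError(ValueError):
    """A WebDAV message declared a DTD or referenced an external entity."""


def parse_webdav_body(body, reject_external=True):
    """Return the element names found in a WebDAV XML request body.

    reject_external=True  -> the behaviour recommended in the thread: any DOCTYPE
                             or external entity reference fails the whole request.
    reject_external=False -> the "ignore" behaviour: with no entity handler
                             installed, expat skips the reference, so the request
                             looks well-formed although part of it was never parsed.
    """
    seen = []
    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    if reject_external:
        def refuse(*args):
            raise ExternalEntityError("DTD / external entity not allowed in WebDAV message")
        parser.StartDoctypeDeclHandler = refuse   # fires on any <!DOCTYPE ...>
        parser.ExternalEntityRefHandler = refuse  # fires on &ext; if a DOCTYPE slipped by
    parser.Parse(body, True)
    return seen


def request_status(body, reject_external=True):
    """Map the parse outcome to an HTTP status: 207 if parsed, 400 if rejected."""
    try:
        parse_webdav_body(body, reject_external)
    except (ExternalEntityError, xml.parsers.expat.ExpatError):
        return 400
    return 207
```

In ignore mode the external request parses to just `D:propfind`/`D:prop`, which is exactly the "part of the request wasn't parsed" case; in reject mode the same body is answered with 400.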