Re: I-D ACTION:draft-ietf-webdav-rfc2518bis-03.txt from Roy T. Fielding on 2003-03-13 (w3c-dist-auth@w3.org from January to March 2003)

From: Roy T. Fielding <fielding@apache.org>
Date: Thu, 13 Mar 2003 10:30:25 -0800
To: "Julian Reschke" <julian.reschke@gmx.de>
Cc: <w3c-dist-auth@w3.org>
Message-Id: <DBB1ECCA-5581-11D7-AB36-000393753936@apache.org>

> 6) Section 8.1.1 (use of XML)
>
> Replace
>
> "Some of the following new HTTP methods use XML as a request and 
> response
> format.  All DAV compliant clients and resources MUST use   XML 
> parsers that
> are compliant with [REC-XML].  All XML used in either requests or 
> responses
> MUST be, at minimum, well formed.  If a server receives ill-formed XML 
> in a
> request it MUST reject the entire request with a 400 (Bad Request)."
>
> by
>
> "Some of the following new HTTP methods use XML as a request and 
> response
> format.  All DAV compliant clients and resources MUST use   XML 
> parsers that
> are compliant with [REC-XML] and [REC-XML-NAMES].  All XML used in 
> either
> requests or responses MUST be, at minimum, well formed and
> namespace-well-formed.  If a server receives ill-formed XML in a 
> request it
> MUST reject the entire request with a 400 (Bad Request)."

Please note that use of an XML-compliant parser for an Internet protocol
will introduce a simple and well-known denial-of-service problem 
involving
recursive entity declarations.

....Roy

Received on Thursday, 13 March 2003 13:50:19 UTC