
Re: I-D ACTION:draft-ietf-webdav-rfc2518bis-03.txt

From: Roy T. Fielding <fielding@apache.org>
Date: Thu, 13 Mar 2003 10:30:25 -0800
Cc: <w3c-dist-auth@w3.org>
To: "Julian Reschke" <julian.reschke@gmx.de>
Message-Id: <DBB1ECCA-5581-11D7-AB36-000393753936@apache.org>

> 6) Section 8.1.1 (use of XML)
>
> Replace
>
> "Some of the following new HTTP methods use XML as a request and response
> format.  All DAV compliant clients and resources MUST use XML parsers that
> are compliant with [REC-XML].  All XML used in either requests or responses
> MUST be, at minimum, well formed.  If a server receives ill-formed XML in a
> request it MUST reject the entire request with a 400 (Bad Request)."
>
> by
>
> "Some of the following new HTTP methods use XML as a request and response
> format.  All DAV compliant clients and resources MUST use XML parsers that
> are compliant with [REC-XML] and [REC-XML-NAMES].  All XML used in either
> requests or responses MUST be, at minimum, well formed and
> namespace-well-formed.  If a server receives ill-formed XML in a request it
> MUST reject the entire request with a 400 (Bad Request)."

Please note that use of an XML-compliant parser for an Internet protocol
will introduce a simple and well-known denial-of-service problem involving
recursive entity declarations.

....Roy
Received on Thursday, 13 March 2003 13:50:19 GMT
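
The denial-of-service concern raised in the message above, as an added example that is not part of the original post or of any WebDAV implementation: a server-side check that parses a request body namespace-aware and stops at the first DOCTYPE or entity declaration, before any entity can be defined or expanded. The function name `check_dav_body`, the sample bodies (constructed) and the choice to answer a DTD with 400 are assumptions; the quoted draft text only mandates 400 for ill-formed XML.

```python
import xml.parsers.expat as expat


class DeclarationRejected(Exception):
    """A DOCTYPE or entity declaration was seen in a request body."""


def check_dav_body(body: bytes):
    """Return (status, reason) for a WebDAV XML request body."""
    # A namespace separator switches expat to namespace-aware parsing, so an
    # unbound prefix is reported as an error (namespace-well-formedness).
    parser = expat.ParserCreate(namespace_separator=" ")

    def reject(*_args):
        raise DeclarationRejected()

    # Fires at "<!DOCTYPE", before the internal subset is read, so no
    # entity is ever defined or expanded.
    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject  # second line of defence
    try:
        parser.Parse(body, True)
    except DeclarationRejected:
        return 400, "DTD not accepted"  # assumption: local policy choice
    except expat.ExpatError as err:
        return 400, expat.ErrorString(err.code)  # ill-formed XML
    return 200, "ok"


# Constructed sample request bodies.
GOOD = b'<D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>'
ILL_FORMED = b'<D:propfind xmlns:D="DAV:"><D:allprop></D:propfind>'
UNBOUND_PREFIX = b'<D:propfind><D:allprop/></D:propfind>'
WITH_DTD = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE propfind [\n'
    b'  <!ENTITY a "xxxx">\n'
    b'  <!ENTITY b "&a;&a;">\n'  # entity built from another entity
    b']>\n'
    b'<D:propfind xmlns:D="DAV:"><D:prop>&b;</D:prop></D:propfind>'
)

if __name__ == "__main__":
    for name in ("GOOD", "ILL_FORMED", "UNBOUND_PREFIX", "WITH_DTD"):
        print(name, check_dav_body(globals()[name]))
```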
