
RE: I-D ACTION:draft-ietf-webdav-rfc2518bis-03.txt

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 13 Mar 2003 20:39:36 +0100
To: "Roy T. Fielding" <fielding@apache.org>, "Julian Reschke" <julian.reschke@gmx.de>
Cc: <w3c-dist-auth@w3.org>
Message-ID: <JIEGINCHMLABHJBIGKBCCEBIGMAA.julian.reschke@gmx.de>

Roy,

Known issue.

RFC2518bis specifically allows rejection of requests using external
entities (this should take care of the "one million laughs" attack).

Julian


--
<green/>bytes GmbH -- http://www.greenbytes.de -- tel:+492512807760

> -----Original Message-----
> From: w3c-dist-auth-request@w3.org
> [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Roy T. Fielding
> Sent: Thursday, March 13, 2003 7:30 PM
> To: Julian Reschke
> Cc: w3c-dist-auth@w3.org
> Subject: Re: I-D ACTION:draft-ietf-webdav-rfc2518bis-03.txt
>
>
>
> > 6) Section 8.1.1 (use of XML)
> >
> > Replace
> >
> > "Some of the following new HTTP methods use XML as a request and
> > response
> > format.  All DAV compliant clients and resources MUST use   XML
> > parsers that
> > are compliant with [REC-XML].  All XML used in either requests or
> > responses
> > MUST be, at minimum, well formed.  If a server receives ill-formed XML
> > in a
> > request it MUST reject the entire request with a 400 (Bad Request)."
> >
> > by
> >
> > "Some of the following new HTTP methods use XML as a request and
> > response
> > format.  All DAV compliant clients and resources MUST use   XML
> > parsers that
> > are compliant with [REC-XML] and [REC-XML-NAMES].  All XML used in
> > either
> > requests or responses MUST be, at minimum, well formed and
> > namespace-well-formed.  If a server receives ill-formed XML in a
> > request it
> > MUST reject the entire request with a 400 (Bad Request)."
>
> Please note that use of an XML-compliant parser for an Internet protocol
> will introduce a simple and well-known denial-of-service problem
> involving
> recursive entity declarations.
>
> ....Roy
>
Received on Thursday, 13 March 2003 14:39:45 GMT
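The exchange above turns on two requirements: a server must parse request bodies with a conforming, namespace-aware XML parser, yet must not let a DTD carrying recursive entity declarations drive it into unbounded expansion. The following is an added example, not code from this thread or from any WebDAV implementation, showing one way a server can satisfy both at once with the Python standard library's expat binding: it enforces well-formedness and namespace-well-formedness, and it rejects the request with 400 as soon as a DOCTYPE or entity declaration appears, so nothing is ever expanded. The sample bodies, the `BadRequest` class and the helper names are all constructed for this illustration.

```python
"""Defensive parsing of a WebDAV XML request body (added example).

Policy assumed here, following the thread: a server MAY reject any request
whose XML carries a DOCTYPE or entity declaration, and MUST reject XML that
is ill-formed or not namespace-well-formed, answering 400 (Bad Request).
"""
import xml.parsers.expat as expat


class BadRequest(Exception):
    """Signals that the server should answer 400 (Bad Request)."""


def parse_dav_body(body: bytes):
    """Parse `body` as namespace-well-formed XML, refusing any DTD.

    Returns a list of (namespace, local-name) pairs for the elements seen,
    in document order, so a caller can check for e.g. ("DAV:", "propfind").
    Raises BadRequest on ill-formed XML, unbound namespace prefixes, or any
    DOCTYPE / entity declaration.
    """
    # A namespace separator switches expat into namespace-processing mode,
    # in which an undeclared prefix is reported as a parse error.
    parser = expat.ParserCreate(namespace_separator=" ")
    elements = []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Any DTD (internal subset or external) may declare entities, so
        # refusing here guarantees recursive entities are never expanded.
        raise BadRequest("DOCTYPE declarations are not accepted")

    def reject_entity(*args):
        # Defense in depth: unreachable once DOCTYPE is refused, but cheap.
        raise BadRequest("entity declarations are not accepted")

    def on_start(name, attrs):
        # expat reports bound names as "<namespace URI> <local name>".
        ns, _, local = name.rpartition(" ")
        elements.append((ns or None, local))

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    # Returning a false value from this handler makes expat abort rather
    # than dereference an external entity.
    parser.ExternalEntityRefHandler = lambda *a: False
    parser.StartElementHandler = on_start
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        raise BadRequest(f"ill-formed or not namespace-well-formed: {exc}") from exc
    return elements


def rejection_reason(body: bytes):
    """Return None if the body is acceptable, else the reason for a 400."""
    try:
        parse_dav_body(body)
    except BadRequest as exc:
        return str(exc)
    return None


# Constructed sample bodies (not taken from any real traffic).
GOOD = (b'<?xml version="1.0"?>'
        b'<D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>')
# Prefix D: is never bound: well-formed, but not namespace-well-formed.
UNBOUND_PREFIX = b'<?xml version="1.0"?><D:propfind><D:allprop/></D:propfind>'
# Mismatched end tag: not well-formed at all.
ILL_FORMED = (b'<?xml version="1.0"?>'
              b'<D:propfind xmlns:D="DAV:"><D:allprop></D:propfind>')
# Internal subset with nested entity references, the shape Roy describes;
# the parser refuses it at the DOCTYPE, before any expansion happens.
DTD_WITH_ENTITIES = (b'<?xml version="1.0"?>'
                     b'<!DOCTYPE p [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
                     b'<D:propfind xmlns:D="DAV:"><D:prop><D:x>&b;</D:x>'
                     b'</D:prop></D:propfind>')

if __name__ == "__main__":
    for label, body in [("good", GOOD), ("unbound prefix", UNBOUND_PREFIX),
                        ("ill-formed", ILL_FORMED), ("dtd", DTD_WITH_ENTITIES)]:
        reason = rejection_reason(body)
        print(f"{label:15} -> {'accepted' if reason is None else '400: ' + reason}")
```

Refusing at the DOCTYPE rather than counting expansions is the simpler policy: it needs no tuning, costs nothing on the common case (WebDAV bodies carry no DTD), and the rejection is logged with a reason a responder can act on.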

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:44:03 GMT