
RE: I-D ACTION:draft-ietf-webdav-rfc2518bis-03.txt

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 13 Mar 2003 22:05:30 +0100
To: "Roy T. Fielding" <fielding@apache.org>, "Julian Reschke" <julian.reschke@gmx.de>
Cc: <w3c-dist-auth@w3.org>
Message-ID: <JIEGINCHMLABHJBIGKBCEEBNGMAA.julian.reschke@gmx.de>

> From: Roy T. Fielding [mailto:fielding@apache.org]
> Sent: Thursday, March 13, 2003 8:52 PM
> To: Julian Reschke
> Cc: w3c-dist-auth@w3.org
> Subject: Re: I-D ACTION:draft-ietf-webdav-rfc2518bis-03.txt
>
>
> > known issue.
>
> Good, but that sentence you quoted contradicts it.  XML doesn't
> allow subsetting.

Do you have a proposal for how we can refer to the specs and still allow
subsetting (allowing rejection of internal entities)?

> > RFC2518bis specifically allows rejection of requests using external
> > entities (this should take care of the "one million laughs" attack).
>
> Recursive entity declarations are internal entities.  :(

Indeed.

So I must take back what I said: the problem is known but has *not* been
considered yet in the draft.

Jason, Lisa: we badly need to add this to the issues list and fix it in the
next draft.

(the issue being: recursive entity declarations can be used for effective
DOS attacks, and thus WebDAV MUST allow servers to reject this kind of
request, even though it may be well-formed).

Julian


--
<green/>bytes GmbH -- http://www.greenbytes.de -- tel:+492512807760
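The server-side check this thread wants the draft to permit, written as an added example that is not part of the original message or of any WebDAV implementation: a guard that refuses any DOCTYPE (and so any internal entity declaration) in a request body before the parser can expand it. It assumes only Python's standard-library expat binding; the request bodies are constructed samples.

```python
"""Reject WebDAV XML bodies that declare a DTD, before entity expansion."""
import xml.parsers.expat


class RejectedXMLBody(ValueError):
    """Body is (possibly) well-formed but carries a DOCTYPE/entity declaration."""


def parse_webdav_body(body: bytes) -> list:
    """Parse a WebDAV request body, refusing any DTD.

    Returns [(namespace, local-name), ...] for each element in document order.
    Raises RejectedXMLBody on a DOCTYPE or entity declaration (internal or
    external), or ValueError if the body is not well-formed XML.
    """
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    seen = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before the internal subset is read, so recursive entity
        # declarations are never even parsed, let alone expanded.
        raise RejectedXMLBody(f"DOCTYPE '{name}' not accepted in request body")

    def on_entity(name, *_):
        raise RejectedXMLBody(f"entity declaration '{name}' not accepted")

    def on_start(tag, attrs):
        ns, _, local = tag.rpartition(" ")   # "DAV: propfind" -> ("DAV:", "propfind")
        seen.append((ns, local))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ValueError(f"not well-formed: {exc}") from None
    return seen


def classify(body: bytes) -> str:
    """Outcome label a server could log: accepted, rejected-dtd or malformed."""
    try:
        parse_webdav_body(body)
    except RejectedXMLBody:
        return "rejected-dtd"
    except ValueError:
        return "malformed"
    return "accepted"


# Constructed sample bodies (not taken from the thread).
PLAIN_PROPFIND = (b'<?xml version="1.0"?><D:propfind xmlns:D="DAV:">'
                  b'<D:prop><D:getetag/></D:prop></D:propfind>')
# Well-formed per the XML spec, yet it declares an internal entity that
# references another; nested deeper, this is the expansion DoS discussed above.
ENTITY_PROPFIND = (b'<?xml version="1.0"?><!DOCTYPE D:propfind [<!ENTITY a "x">'
                   b'<!ENTITY b "&a;&a;">]><D:propfind xmlns:D="DAV:"><D:prop>'
                   b'<D:displayname>&b;</D:displayname></D:prop></D:propfind>')
```

A server applying this guard answers the rejected body with an error rather than parsing it, which is exactly the behaviour the draft needs to permit explicitly.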
Received on Thursday, 13 March 2003 16:05:41 GMT
