
[Bug 11] Protection against XML Denial Of Service attacks

From: <bugzilla@soe.ucsc.edu>
Date: Fri, 9 Dec 2005 03:19:59 -0800
Message-Id: <200512091119.jB9BJxeO004597@ietf.cse.ucsc.edu>
To: w3c-dist-auth@w3.org

http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=11

julian.reschke@greenbytes.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

------- Additional Comments From julian.reschke@greenbytes.de  2005-12-09 03:19 -------
I found a minor problem with the language I proposed: the attack is not based on
recursively defined internal entities, but on *nested* internal entities. Please
update the paragraph to:

   Furthermore, there's also a risk based on the evaluation of "internal
   entities" as defined in section 4.2.2 of [XML].  A small, carefully
   crafted request using nested internal entities may require enormous
   amounts of memory and/or processing time to process.  Server
   implementors should be aware of this risk and configure their XML
   parsers so that requests like these can be detected and rejected as
   early as possible.

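The check the proposed paragraph asks server implementors for, as an added example (not from the bug report or the WebDAV spec): a constructed, deliberately small request body with nested internal entities, an Expat-based pre-check that rejects any entity declaration while the DTD is still being read, and a diagnostic that measures how much the naive parse expands. The PROPFIND shape of the sample body is an assumption.

```python
"""Reject XML request bodies that declare internal entities (Expat)."""
import xml.parsers.expat

# Constructed sample: four declarations, each of the last three referencing
# the previous one four times, so "&e3;" expands to 4**3 = 64 copies of
# "lol" (192 characters) from a request of a few hundred bytes. A real attack
# would use many more levels; this is kept small on purpose for testing.
NESTED_ENTITY_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE propfind [
  <!ENTITY e0 "lol">
  <!ENTITY e1 "&e0;&e0;&e0;&e0;">
  <!ENTITY e2 "&e1;&e1;&e1;&e1;">
  <!ENTITY e3 "&e2;&e2;&e2;&e2;">
]>
<propfind xmlns="DAV:"><prop><displayname>&e3;</displayname></prop></propfind>"""

# Constructed benign request: no DOCTYPE, so nothing to expand.
PLAIN_REQUEST = b'<?xml version="1.0"?><propfind xmlns="DAV:"><allprop/></propfind>'


class EntityDeclarationRejected(Exception):
    """Raised on the first entity declaration in a request body."""


def check_request(body: bytes) -> None:
    """Raise EntityDeclarationRejected if `body` declares any entity.

    Expat invokes EntityDeclHandler while reading the DTD, before any
    reference is expanded, so the request is refused without ever building
    the expanded content. External entities are refused by the same hook.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise EntityDeclarationRejected(f"entity {name!r} declared in request")

    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(body, True)


def rejects_entities(body: bytes) -> bool:
    """True if check_request() would refuse `body`, False if it is accepted."""
    try:
        check_request(body)
    except EntityDeclarationRejected:
        return True
    return False


def expanded_text_length(body: bytes) -> int:
    """Diagnostic only: parse naively and count expanded character data."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append
    parser.Parse(body, True)
    return sum(len(c) for c in chunks)
```

Compare `expanded_text_length(NESTED_ENTITY_REQUEST)` with `len(NESTED_ENTITY_REQUEST)` to see the amplification the paragraph warns about; `rejects_entities()` is the cheap check to run before the real parser sees the body.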
Received on Friday, 9 December 2005 11:20:22 GMT