
Re: SOAP's prohibiting use of XML internal subset

From: Sanjiva Weerawarana <sanjiva@watson.ibm.com>
Date: Mon, 25 Nov 2002 23:16:58 -0500
Message-ID: <018d01c29502$aa608280$8400a8c0@lankabook2>
To: <www-tag@w3.org>

I was recently made aware of a DoS security risk with internal
entities .. if I recall correctly it went something like this:

- define entity x1 as "a"
- define entity x2 as &x1;&x1;
- define entity x3 as &x2;&x2;
- define entity x4 as &x3;&x3;
- ...

So it results in exponential growth .. resulting in potential
DoS attacks (or so my severely limited security knowledge tells me).

Sanjiva.

----- Original Message -----
From: "Paul Grosso" <pgrosso@arbortext.com>
To: <www-tag@w3.org>
Sent: Monday, November 25, 2002 5:55 PM
Subject: RE: SOAP's prohibiting use of XML internal subset


>
> [Deleting all extra mailing addresses--please do likewise!]
>
> At 23:24 2002 11 25 +0100, Julian Reschke wrote:
> >Automatic resolution of external entities clearly is a security risk -- so
> >there SHOULD be a way for XML based protocols to explicitly forbid this.
>
> External entities are not central to the current issue
> which is really about subsetting XML.
>
> Note that the "standalone" declaration [1] allows one to
> say that there are no references to external entities.
>
> Note that [2] is all about internal entities.
>
> paul
>
> [1] http://www.w3.org/TR/REC-xml#sec-rmd
> [2] http://www.w3.org/XML/Core/2002/10/charents-20021023
>
Received on Monday, 25 November 2002 23:19:22 GMT
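A defensive check for the exponential-growth chain Sanjiva describes, added here as an example; it is not code from this thread or from any of the cited W3C documents. It computes, from the internal subset's <!ENTITY> declarations alone, how large each entity would become if expanded (so it generalises from the four-entity chain to chains of any length) and refuses to parse a document whose estimate exceeds a budget. The regex-based declaration scanner is a simplifying assumption: it handles only double-quoted general entities and ignores parameter and external entities.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample document reproducing the chain in the mail: each entity is
# two copies of the previous one, so n entities expand to 2**(n-1) characters.
SAMPLE = """<!DOCTYPE doc [
  <!ENTITY x1 "a">
  <!ENTITY x2 "&x1;&x1;">
  <!ENTITY x3 "&x2;&x2;">
  <!ENTITY x4 "&x3;&x3;">
]>
<doc>&x4;</doc>"""

# Simplified matchers (assumption, not a full DTD parser): double-quoted general
# entities only; parameter entities and SYSTEM/PUBLIC entities are not matched.
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')

def internal_entities(xml_text):
    """Map entity name -> replacement text, as declared in the internal subset."""
    return dict(ENTITY_DECL.findall(xml_text))

def expansion_sizes(entities):
    """Length of each entity's fully expanded text, without ever building it."""
    sizes = {}

    def size(name, stack):
        if name in sizes:
            return sizes[name]
        if name in stack:  # self-referencing entity: not well-formed XML
            raise ValueError(f"recursive entity {name}")
        text = entities[name]
        total = len(ENTITY_REF.sub("", text))  # literal characters only
        for ref in ENTITY_REF.findall(text):
            # Undeclared/predefined references add nothing; expat rejects the former
            total += size(ref, stack | {name}) if ref in entities else 0
        sizes[name] = total
        return total

    for name in entities:
        size(name, frozenset())
    return sizes

def exceeds_budget(xml_text, max_expansion=10_000):
    """True when any declared entity would expand beyond max_expansion chars."""
    sizes = expansion_sizes(internal_entities(xml_text))
    return max(sizes.values(), default=0) > max_expansion

def parse_with_budget(xml_text, max_expansion=10_000):
    if exceeds_budget(xml_text, max_expansion):
        raise ValueError("entity expansion exceeds budget; refusing to parse")
    return ET.fromstring(xml_text)
```

The check runs before the parser touches the document, so the cost is proportional to the number of declarations rather than to the expanded size.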
