W3C home > Mailing lists > Public > www-tag@w3.org > October 2002

Re: Possible issue: XXE (Xml eXternal Entity) attack

From: Miles Sabin <miles@milessabin.com>
Date: Wed, 30 Oct 2002 20:51:57 +0000
To: www-tag@w3.org
Message-Id: <200210302051.57470.miles@milessabin.com>

Chris Lilley wrote,
> How is that different from html pages that link to external images
> that the browser may be 'coerced' to open?

It's the same problem, but in a different context. That on it's own is 
enough to cause problems.

The awkward thing is that the mantra "always validate inputs from 
untrusted sources" actually hurts here because someone might naively 
assume that this means that untrusted XML inputs should be validated in 
the sense of the XML REC ... but in at least some cases the very act of 
attempting validation will trigger the dangerous behaviour, eg. 
retrieving an uncached DTD external subset.

So it's not a new problem, and the solutions are obvious to anyone who 
understands it. But for all that I'm sure people will make mistakes and 
they'll be exploited. I think it would be a good idea that if the 
Architectural Principles doc is going to highlight a principle that 
states,

  Representation retrieval is safe: Agents do not incur obligations by
  retrieving a representation.

it should qualify that by pointing out that "safe" is being used here in 
the sense of RFC 2616 rather than in any more general sense, and that 
even if agent don't incur any obligations they might still get burnt.

Cheers,


Miles
Received on Wednesday, 30 October 2002 15:52:29 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:32:34 UTC