
Mandatory dereferencing

From: Rich Salz <rsalz@datapower.com>
Date: Tue, 16 Jul 2002 14:07:04 -0400
Message-ID: <3D3460C8.1060001@datapower.com>
To: www-xml-linking-comments@w3.org

A posting on the xml-dev list mentioned that an XPointer client is 
required to send a schemaLocation URL, and that the XPointer server is 
required to dereference and process it.

If this is true, I have strong concerns about the security implications 
of this. For example, a client can send a URL that it does not have read 
access to. One interesting possibility would be to send 
"file:///etc/passwd" and parse the faults the server sends back, in an 
attempt to glean account information from the error messages.  A client 
could also send -- through programming error or deliberate misuse -- a 
URL that the server has no access to.  This would lead to confusion and 
possible denial of service attacks.  For example, imagine the client 
sending "https" URLs to a deliberately slow server, thereby slowing 
down the XPointer server to an unacceptable level.

As a general rule, without a rich security framework in place (i.e., one 
that supports delegation and/or impersonation), it is always risky for 
one agent to give another a pointer to a reference that must be resolved 
by the second. Better practice is for the first to send along all 
relevant data in one go.

If, however, the note in xml-dev (or my understanding of it) is wrong, 
please ignore this message. :)

Thank you.
	/r$
Received on Tuesday, 16 July 2002 14:07:20 GMT
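
The following is an added example, not part of the message above and not code from any XPointer implementation. It sketches how a server that must accept a client-supplied schemaLocation could limit the risks the message raises: only allowlisted https hosts are considered, locally stored copies are preferred over fetching, any fetch carries a timeout, and every failure returns the same fault text so error messages reveal nothing about the referenced resource. All names, hosts and catalog entries are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"schemas.example.org"}   # constructed allowlist
LOCAL_CATALOG = {                         # constructed, pre-vetted local copies
    "https://schemas.example.org/po.xsd": b"<schema/>",
}
FETCH_TIMEOUT_SECONDS = 3.0
GENERIC_FAULT = "schemaLocation could not be used"


class SchemaFault(Exception):
    """Fault sent back to the client; carries no resolver detail."""


def policy_violation(url):
    """Return a reason for the server-side log, or None if the URL is acceptable."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme not allowed: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return "userinfo present"
    if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        return "host not allowed: %r" % parts.hostname
    return None


def resolve_schema(url, fetch, log):
    """Return schema bytes, or raise SchemaFault with a uniform message.

    `fetch(url, timeout=...)` is a caller-supplied function (an assumption of
    this sketch); it should not follow redirects to hosts off the allowlist.
    Details of any failure go to `log` (server side), never to the client.
    """
    reason = policy_violation(url)
    if reason:
        log.append(reason)
        raise SchemaFault(GENERIC_FAULT)
    if url in LOCAL_CATALOG:              # nothing is dereferenced at request time
        return LOCAL_CATALOG[url]
    try:
        return fetch(url, timeout=FETCH_TIMEOUT_SECONDS)
    except Exception as exc:              # timeouts, parse errors, refusals alike
        log.append("fetch failed: %r" % exc)
        raise SchemaFault(GENERIC_FAULT) from None
```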