[Rich Salz <rsalz@datapower.com>] Re: [xml-dev] XPointer and XML Schema

Forwarded message 1

  • From: Rich Salz <rsalz@datapower.com>
  • Date: Mon, 15 Jul 2002 23:03:39 -0400 (EDT)
  • Subject: Re: [xml-dev] XPointer and XML Schema
  • To: Jeff Rafter <jeffrafter@defined.net>
  • cc: <xml-dev@lists.xml.org>
  • Message-ID: <Pine.LNX.4.33.0207152302020.11314-100000@eagle.datapower.com>
> >    3. Make the schemalocation hint mandatory to provide, and mandatory to
> > dereference for Schema-Loading, WRT XPointer.
> 
> This option really scares me!

Me too, but for security reasons.  Mandatory to deref means that I as the 
client can force a server to go open a file of my choosing. That's scary. 
Suppose I send the server schemaLocation="file:///etc/passwd" -- I could 
probably guess some account names from the helpful fault information that 
comes back.
	/r$



-----------------------------------------------------------------
The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
initiative of OASIS <http://www.oasis-open.org>

The list archives are at http://lists.xml.org/archives/xml-dev/

To subscribe or unsubscribe from this list use the subscription
manager: <http://lists.xml.org/ob/adm.pl>
-- 
  Henry S. Thompson, HCRC Language Technology Group, University of Edinburgh
          W3C Fellow 1999--2002, part-time member of W3C Team
     2 Buccleuch Place, Edinburgh EH8 9LW, SCOTLAND -- (44) 131 650-4440
	    Fax: (44) 131 650-4587, e-mail: ht@cogsci.ed.ac.uk
		     URL: http://www.ltg.ed.ac.uk/~ht/
 [mail really from me _always_ has this .sig -- mail without it is forged spam]

Received on Wednesday, 17 July 2002 09:17:13 UTC
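
Added example, not part of the original message or of any project's code: one way a server can avoid the exposure described above is to treat xsi:schemaLocation strictly as a hint, select schemas by namespace from a local catalog, and return a fixed fault text. The catalog contents, file paths, sample documents and function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Assumed local catalog: target namespace -> schema file installed with the server.
TRUSTED_SCHEMAS = {"urn:example:orders": "/opt/app/schemas/orders.xsd"}


class SchemaRejected(Exception):
    """Raised with a fixed message so faults never echo the hint or file contents."""


def schema_hints(xml_text):
    """Collect (namespace, location) pairs from every schema-location attribute."""
    pairs = []
    for el in ET.fromstring(xml_text).iter():
        no_ns = el.get(f"{{{XSI}}}noNamespaceSchemaLocation")
        if no_ns is not None:
            pairs.append(("", no_ns.strip()))
        tokens = (el.get(f"{{{XSI}}}schemaLocation") or "").split()
        if len(tokens) % 2:
            raise SchemaRejected("malformed schema hint")
        pairs.extend(zip(tokens[0::2], tokens[1::2]))
    return pairs


def resolve_schemas(xml_text):
    """Choose schemas by namespace from the catalog; the client's location is never opened."""
    resolved = {}
    for namespace, _hint in schema_hints(xml_text):
        path = TRUSTED_SCHEMAS.get(namespace)
        if path is None:
            raise SchemaRejected("no schema available for this document")
        resolved[namespace] = path
    return resolved


# Constructed sample documents.
KNOWN = ('<o:order xmlns:o="urn:example:orders" xmlns:xsi="%s" '
         'xsi:schemaLocation="urn:example:orders http://client.example/o.xsd"/>' % XSI)
HOSTILE = ('<x:a xmlns:x="urn:example:other" xmlns:xsi="%s" '
           'xsi:schemaLocation="urn:example:other file:///etc/passwd"/>' % XSI)

if __name__ == "__main__":
    print(resolve_schemas(KNOWN))
    try:
        resolve_schemas(HOSTILE)
    except SchemaRejected as exc:
        print("rejected:", exc)
```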