RE: A possible security issue with accept attributes

I believe this is a duplicate of your earlier comment
http://lists.w3.org/Archives/Public/www-xml-xinclude-comments/2003Nov/0006.html,
which is still on our active list, and will treat it as such if
that's OK with you.

Despite our comatose appearance at times, we are still making slow
progress, and expect to resolve your original comment, along with the
few other outstanding issues, at our meeting next week.

I think we've already adopted resolutions for all of your other
comments.  Thanks for your patience and your attention to detail!

> -----Original Message-----
> From: www-xml-xinclude-comments-request@w3.org
> [mailto:www-xml-xinclude-comments-request@w3.org] On Behalf Of Elliotte Rusty Harold
> Sent: Thursday, February 26, 2004 1:17 PM
> To: www-xml-xinclude-comments@w3.org
> Subject: A possible security issue with accept attributes
> 
> 
> What should a processor do if the accept attributes contain values
> that are illegal in an HTTP header? I'm not an expert on HTTP 1.1,
> so I'm not sure what can or cannot appear there (Are non-ASCII
> characters allowed?) but what about something like this:
> 
> <xi:include href="something.xml"
> accept="text/xml&#13;&#10;Another-Header: another value"/>
> 
> I'm sure there are other ways to break the HTTP header or insert
> data that wasn't expected to be inserted. There may be security holes
> here.  A lot may depend on the underlying API used to communicate
> with the HTTP server.  Some libraries may perform sufficient sanity
> checking themselves that this is not a problem. However, others may
> not.
> 
> Should the XInclude specification put more restraints on what is
> allowed in these attributes? Or at the very least note the issue in
> specs as something implementers should be careful to think about?
> --
> 
>    Elliotte Rusty Harold
>    elharo@metalab.unc.edu
>    Effective XML (Addison-Wesley, 2003)
>    http://www.cafeconleche.org/books/effectivexml
> 
> http://www.amazon.com/exec/obidos/ISBN%3D0321150406/ref%3Dnosim/cafeaulaitA
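The quoted message asks what an XInclude processor should do when an `accept` attribute carries characters that are not legal in an HTTP header. The example below is an added illustration written for this page, not code from the thread or from any XInclude implementation. It assumes a hypothetical processor that copies the attribute value into an `Accept:` request header, and it shows two things: that `&#13;&#10;` survives XML attribute-value normalization (character references are preserved, unlike literal line breaks), so the CRLF really would reach the HTTP layer; and a conservative field-value check, based on the RFC 2616 rule that header values may not contain control characters, which rejects such a value before any request is built. The sample document is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

XI_NS = "http://www.w3.org/2001/XInclude"

# RFC 2616 field values may not contain control characters (0x00-0x1F, 0x7F);
# horizontal tab is the one exception, as linear whitespace. Non-ASCII octets
# are rejected here too, a conservative choice since RFC 2616 only permits
# non-ISO-8859-1 text via RFC 2047 encoding. This is an illustrative policy,
# not a rule the XInclude specification states.
_FIELD_VALUE = re.compile(r'^[\t\x20-\x7e]*$')

# Constructed sample: one benign include and one whose accept value embeds
# CR LF through character references, as in the quoted message.
SAMPLE_DOCUMENT = '''<doc xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include href="good.xml" accept="text/xml"/>
  <xi:include href="something.xml"
              accept="text/xml&#13;&#10;Another-Header: another value"/>
</doc>'''


def is_valid_header_value(value: str) -> bool:
    """Return True if `value` can be sent unmodified as an HTTP field value.

    CR, LF and every other control character fail the check, so a value that
    would terminate the Accept line and start a new header is refused.
    """
    return bool(_FIELD_VALUE.match(value))


def accept_values_from_document(xml_text: str) -> list:
    """Collect the `accept` attribute of every xi:include element, in order.

    XML attribute-value normalization turns a literal CR or LF inside an
    attribute into a space, but a character reference such as &#13; is
    appended as the referenced character, so raw CR LF can be returned here.
    """
    root = ET.fromstring(xml_text)
    values = []
    for element in root.iter('{%s}include' % XI_NS):
        if 'accept' in element.attrib:
            values.append(element.attrib['accept'])
    return values


def build_accept_header(value: str) -> str:
    """Produce the wire form of the Accept header, or refuse the value.

    Hypothetical helper for a processor that forwards the attribute to an HTTP
    client; validating here keeps the decision independent of whichever HTTP
    library sits underneath.
    """
    if not is_valid_header_value(value):
        raise ValueError("accept attribute is not a valid HTTP header field value")
    return "Accept: " + value + "\r\n"


if __name__ == "__main__":
    for accept in accept_values_from_document(SAMPLE_DOCUMENT):
        try:
            print(repr(build_accept_header(accept)))
        except ValueError as err:
            print("rejected %r: %s" % (accept, err))
```

Running the block prints the benign header line and then a rejection for the second include, whose attribute value is seen to contain a literal `\r\n`. The check is deliberately done on the attribute value itself rather than trusting the HTTP library, which is the uncertainty the quoted message raises.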

Received on Thursday, 26 February 2004 19:15:59 UTC