W3C home > Mailing lists > Public > xmlschema-dev@w3.org > July 2005

XSV potential issue

From: Cory Virok <cory@dolphtech.com>
Date: Thu, 14 Jul 2005 09:56:23 -0400
Message-ID: <42D66F07.8050206@dolphtech.com>
To: xmlschema-dev@w3.org

To whom it may concern,

I was using the XSV utility today, 
(http://www.w3.org/2001/03/webdata/xsv works great! thanks) and saw that 
there was no problems in importing any file on the server within my schema.

Ex: try validating this:

<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:blah="ns" 
elementFormDefault="qualified" attributeFormDefault="unqualified">
    <xs:import namespace="blah" schemaLocation="/etc/passwd"/>
</xs:schema>

You'll get errors, of course since /etc/passwd is not valid XML, but the 
fact that the XSV server has access to it is a potential danger.

Thought you might like to know,
- Cory Virok
Received on Friday, 15 July 2005 04:03:08 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 11 January 2011 00:14:50 GMT