XSV potential issue from Cory Virok on 2005-07-14 (xmlschema-dev@w3.org from July 2005)

From: Cory Virok <cory@dolphtech.com>
Date: Thu, 14 Jul 2005 09:56:23 -0400
To: xmlschema-dev@w3.org
Message-ID: <42D66F07.8050206@dolphtech.com>

To whom it may concern,

I was using the XSV utility today, 
(http://www.w3.org/2001/03/webdata/xsv works great! thanks) and saw that 
there was no problems in importing any file on the server within my schema.

Ex: try validating this:

<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:blah="ns" 
elementFormDefault="qualified" attributeFormDefault="unqualified">
    <xs:import namespace="blah" schemaLocation="/etc/passwd"/>
</xs:schema>

You'll get errors, of course since /etc/passwd is not valid XML, but the 
fact that the XSV server has access to it is a potential danger.

Thought you might like to know,
- Cory Virok

Received on Friday, 15 July 2005 04:03:08 UTC