- From: Norman Walsh <ndw@nwalsh.com>
- Date: Thu, 13 Dec 2007 16:00:32 -0500
- To: public-xml-processing-model-wg@w3.org
- Message-ID: <m2wsri9uof.fsf@nwalsh.com>
Are you satisfied with the new Security Considerations section?

/ Rui Lopes <rlopes@di.fc.ul.pt> was heard to say:
| More dangerous than p:load, p:store or p:http-request, the p:exec is
| prone to abuse, especially on importing externally-defined pipeline
| libraries.
|
| We should say something about it either in Section 2.9 (Security
| Considerations), or in the step declaration (7.2.1).
|
| p:xslt has the same problem, as some XSLT implementations (e.g.,
| Saxon) afford embedding and executing arbitrary Java methods.
|
| p:xquery might be prone to the same issue.
|
| Cheers,
| Rui
|
| --
| Rui Lopes <rlopes@di.fc.ul.pt>                      Work: +351217500532
| Researcher/PhD Student                              Cell: +351967504370
| Faculty of Sciences, University of Lisbon;
| LaSIGE Research Lab                                 Fax:  +351217500533
| Portugal

                                        Be seeing you,
                                          norm

--
Norman Walsh <ndw@nwalsh.com> | Where it is permissible both to die and
http://nwalsh.com/            | not to die, it is an abuse of valour to
                              | die.-- Mencius
Received on Thursday, 13 December 2007 21:00:46 UTC
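The concern raised in this message, importing a pipeline library that uses p:exec, p:xslt or p:xquery, can be checked before the library is run. The following is an added example, not part of the original e-mail or of the XProc specification: a static audit that lists the steps named above plus any Saxon-style Java namespace bindings. The function name `audit_pipeline`, the sample library, the XProc namespace URI and the `java:` namespace convention are assumptions.

```python
import io
import xml.etree.ElementTree as ET

XPROC_NS = "http://www.w3.org/ns/xproc"  # assumption: XProc 1.0 namespace URI
RISKY_STEPS = {  # the steps named in the message, with why each matters
    "exec": "runs an external command",
    "xslt": "stylesheet may reach extension functions",
    "xquery": "query may reach extension functions",
    "http-request": "network access",
    "load": "reads from a URI",
    "store": "writes to a URI",
}

def audit_pipeline(xml_text):
    """Hypothetical helper: list (kind, detail) findings in document order."""
    findings = []
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, item in ET.iterparse(source, events=("start-ns", "start")):
        if event == "start-ns":
            prefix, uri = item
            # Assumption: Saxon-style Java bindings use a "java:" namespace URI.
            if uri.startswith("java:"):
                findings.append(("java-binding", f"xmlns:{prefix}={uri}"))
        elif item.tag.startswith("{" + XPROC_NS + "}"):
            local = item.tag.split("}", 1)[1]
            if local in RISKY_STEPS:
                findings.append((f"p:{local}", RISKY_STEPS[local]))
            elif local == "import":
                # Imported libraries need the same audit before use.
                findings.append(("p:import", item.get("href", "")))
    return findings

# Constructed sample library, not taken from the thread.
SAMPLE_LIBRARY = """<p:library xmlns:p="http://www.w3.org/ns/xproc" version="1.0">
  <p:import href="http://example.org/more-steps.xpl"/>
  <p:declare-step type="ex:tidy" xmlns:ex="http://example.org/steps">
    <p:exec command="example-tool"/>
    <p:xslt>
      <p:input port="stylesheet"><p:inline>
        <xsl:stylesheet version="2.0"
            xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
            xmlns:m="java:java.lang.Math"/>
      </p:inline></p:input>
    </p:xslt>
  </p:declare-step>
</p:library>"""

if __name__ == "__main__":
    for kind, detail in audit_pipeline(SAMPLE_LIBRARY):
        print(f"{kind:14} {detail}")
```

The audit only inspects the document it is given; stylesheets or queries fetched from a URI at run time, and the targets of each reported p:import, have to be reviewed separately.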