RE: WebDAV XML handling vs. external entities

> From: Jim Whitehead [mailto:ejw@cse.ucsc.edu]
> Sent: Wednesday, June 19, 2002 11:30 PM
> To: Julian Reschke; w3c-dist-auth@w3c.org
> Subject: RE: WebDAV XML handling vs. external entities
>
>
> > there was recently an xml-dev thread about security problems allowing
> > arbitrary XML in protocols (see for instance [1]).
>
> This topic is also discussed in RFC 2518, in Section 17.7 (Implications of
> XML External Entities).

Indeed. Missed that part :-)

> > As WebDAV doesn't need resolution of external entities / DTD
> > validation, I'd suggest to specfiy that servers and clients MUST NOT
> > resolve external entities, that is, MUST reject any WebDAV protocol
> > message that contains external entities.
>
> In RFC 2518, we didn't go so far as to outlaw external entities, since (a)
> it didn't seem that likely they would ever get shipped across the
> wire, and
> (b) they might be useful for extensibility. But, after several years of
> implementation, I don't know of any uses of XML external
> entities, so I'd be
> fine with prohibiting them.

It think we should clarify. Right now, existing servers seem to either
ignore the external entitiy (mod_dav) or report an error (IIS). I think the
former is wrong because it means that part of the request wasn't parsed, so
the request shouldn't be executed. For the sake of clarity, I think it would
be a good thing to recommend that servers should fail the request.

Julian

Received on Wednesday, 19 June 2002 17:43:59 UTC