- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 19 Jun 2002 23:43:25 +0200
- To: "Jim Whitehead" <ejw@cse.ucsc.edu>, "Julian Reschke" <julian.reschke@gmx.de>, <w3c-dist-auth@w3c.org>
> From: Jim Whitehead [mailto:ejw@cse.ucsc.edu]
> Sent: Wednesday, June 19, 2002 11:30 PM
> To: Julian Reschke; w3c-dist-auth@w3c.org
> Subject: RE: WebDAV XML handling vs. external entities
>
> > there was recently an xml-dev thread about security problems allowing
> > arbitrary XML in protocols (see for instance [1]).
>
> This topic is also discussed in RFC 2518, in Section 17.7 (Implications of
> XML External Entities).

Indeed. Missed that part :-)

> > As WebDAV doesn't need resolution of external entities / DTD
> > validation, I'd suggest to specify that servers and clients MUST NOT
> > resolve external entities, that is, MUST reject any WebDAV protocol
> > message that contains external entities.
>
> In RFC 2518, we didn't go so far as to outlaw external entities, since (a)
> it didn't seem that likely they would ever get shipped across the wire, and
> (b) they might be useful for extensibility. But, after several years of
> implementation, I don't know of any uses of XML external entities, so I'd be
> fine with prohibiting them.

I think we should clarify. Right now, existing servers seem to either ignore the external entity (mod_dav) or report an error (IIS). I think the former is wrong because it means that part of the request wasn't parsed, so the request shouldn't be executed. For the sake of clarity, I think it would be a good thing to recommend that servers should fail the request.

Julian
Received on Wednesday, 19 June 2002 17:43:59 UTC
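The behaviour the thread recommends, a server failing a request rather than silently ignoring an external entity in its body, as an added Python example (not code from the thread, nor from mod_dav or IIS). The PROPFIND bodies are constructed samples, and the parser is the standard library's expat binding with handlers that reject external entity declarations and external DTD subsets before anything is resolved:

```python
import xml.parsers.expat

# Constructed sample WebDAV request bodies (not from the original thread).
PROPFIND_CLEAN = b"""<?xml version="1.0"?>
<D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>"""

# Internal subset declaring a SYSTEM entity, then referencing it in content.
PROPFIND_EXTERNAL_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE D:propfind [ <!ENTITY ext SYSTEM "file:///placeholder/path"> ]>
<D:propfind xmlns:D="DAV:"><D:prop><D:displayname>&ext;</D:displayname></D:prop></D:propfind>"""

# External DTD subset: also something a WebDAV server has no reason to fetch.
PROPFIND_EXTERNAL_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE D:propfind SYSTEM "http://example.invalid/dav.dtd">
<D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>"""


class ExternalEntityError(ValueError):
    """Raised when a body declares or references an external entity."""


def parse_webdav_body(body: bytes):
    """Parse a WebDAV body; raise ExternalEntityError instead of ignoring entities."""
    parser = xml.parsers.expat.ParserCreate()
    # Never read parameter entities or the external DTD subset at all.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None or public_id is not None:
            raise ExternalEntityError(f"external DTD subset in <!DOCTYPE {name}>")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            raise ExternalEntityError(f"external entity declaration: {name}")

    def on_external_ref(context, base, system_id, public_id):
        # Only reached if a declaration slipped past on_entity_decl; still refuse.
        raise ExternalEntityError(f"external entity reference: {system_id}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(body, True)  # exceptions raised in handlers propagate here
    return parser


def accepts(body: bytes) -> bool:
    """True if the body may be executed, False if the request must be failed."""
    try:
        parse_webdav_body(body)
        return True
    except (ExternalEntityError, xml.parsers.expat.ExpatError):
        return False
```

A server using `accepts` answers the rejected cases with a client error instead of executing a request it only partially parsed, which is the distinction the message draws between the two observed implementations.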