RE: I-D ACTION:draft-ietf-webdav-rfc2518bis-03.txt

Roy,

known issue.

RFC2518bis specifically allows rejection  of requests using external
entities (this should take care of the "one million laughs" attach).

Julian


--
<green/>bytes GmbH -- http://www.greenbytes.de -- tel:+492512807760

> -----Original Message-----
> From: w3c-dist-auth-request@w3.org
> [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Roy T. Fielding
> Sent: Thursday, March 13, 2003 7:30 PM
> To: Julian Reschke
> Cc: w3c-dist-auth@w3.org
> Subject: Re: I-D ACTION:draft-ietf-webdav-rfc2518bis-03.txt
>
>
>
> > 6) Section 8.1.1 (use of XML)
> >
> > Replace
> >
> > "Some of the following new HTTP methods use XML as a request and
> > response
> > format.  All DAV compliant clients and resources MUST use   XML
> > parsers that
> > are compliant with [REC-XML].  All XML used in either requests or
> > responses
> > MUST be, at minimum, well formed.  If a server receives ill-formed XML
> > in a
> > request it MUST reject the entire request with a 400 (Bad Request)."
> >
> > by
> >
> > "Some of the following new HTTP methods use XML as a request and
> > response
> > format.  All DAV compliant clients and resources MUST use   XML
> > parsers that
> > are compliant with [REC-XML] and [REC-XML-NAMES].  All XML used in
> > either
> > requests or responses MUST be, at minimum, well formed and
> > namespace-well-formed.  If a server receives ill-formed XML in a
> > request it
> > MUST reject the entire request with a 400 (Bad Request)."
>
> Please note that use of an XML-compliant parser for an Internet protocol
> will introduce a simple and well-known denial-of-service problem
> involving
> recursive entity declarations.
>
> ....Roy
>

Received on Thursday, 13 March 2003 14:39:45 UTC