- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 13 Mar 2003 20:39:36 +0100
- To: "Roy T. Fielding" <fielding@apache.org>, "Julian Reschke" <julian.reschke@gmx.de>
- Cc: <w3c-dist-auth@w3.org>
Roy, known issue. RFC2518bis specifically allows rejection of requests using external entities (this should take care of the "one million laughs" attach). Julian -- <green/>bytes GmbH -- http://www.greenbytes.de -- tel:+492512807760 > -----Original Message----- > From: w3c-dist-auth-request@w3.org > [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Roy T. Fielding > Sent: Thursday, March 13, 2003 7:30 PM > To: Julian Reschke > Cc: w3c-dist-auth@w3.org > Subject: Re: I-D ACTION:draft-ietf-webdav-rfc2518bis-03.txt > > > > > 6) Section 8.1.1 (use of XML) > > > > Replace > > > > "Some of the following new HTTP methods use XML as a request and > > response > > format. All DAV compliant clients and resources MUST use XML > > parsers that > > are compliant with [REC-XML]. All XML used in either requests or > > responses > > MUST be, at minimum, well formed. If a server receives ill-formed XML > > in a > > request it MUST reject the entire request with a 400 (Bad Request)." > > > > by > > > > "Some of the following new HTTP methods use XML as a request and > > response > > format. All DAV compliant clients and resources MUST use XML > > parsers that > > are compliant with [REC-XML] and [REC-XML-NAMES]. All XML used in > > either > > requests or responses MUST be, at minimum, well formed and > > namespace-well-formed. If a server receives ill-formed XML in a > > request it > > MUST reject the entire request with a 400 (Bad Request)." > > Please note that use of an XML-compliant parser for an Internet protocol > will introduce a simple and well-known denial-of-service problem > involving > recursive entity declarations. > > ....Roy >
Received on Thursday, 13 March 2003 14:39:45 UTC