- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 13 Mar 2003 22:05:30 +0100
- To: "Roy T. Fielding" <fielding@apache.org>, "Julian Reschke" <julian.reschke@gmx.de>
- Cc: <w3c-dist-auth@w3.org>
> From: Roy T. Fielding [mailto:fielding@apache.org] > Sent: Thursday, March 13, 2003 8:52 PM > To: Julian Reschke > Cc: w3c-dist-auth@w3.org > Subject: Re: I-D ACTION:draft-ietf-webdav-rfc2518bis-03.txt > > > > known issue. > > Good, but that sentence you quoted contradicts it. XML doesn't > allow subsetting. Do you have a proposal how we can refer to the specs, and still allow subsetting (allowing rejection of internal entities)? > > RFC2518bis specifically allows rejection of requests using external > > entities (this should take care of the "one million laughs" attach). > > Recursive entity declarations are internal entities. :( Indeed. So I must take back what I said: the problem is known but has *not* been considered yet in the draft. Jason, Lisa: we badly need to add this to the issues list and fix it in the next draft. (the issue being: recursive entity declarations can be used for effective DOS attacks, and thus WebDAV MUST allow servers to reject these kind of requests, even though they may be well-formed). Julian -- <green/>bytes GmbH -- http://www.greenbytes.de -- tel:+492512807760
Received on Thursday, 13 March 2003 16:05:41 UTC