RE: I-D ACTION:draft-ietf-webdav-rfc2518bis-03.txt

> From: Roy T. Fielding [mailto:fielding@apache.org]
> Sent: Thursday, March 13, 2003 8:52 PM
> To: Julian Reschke
> Cc: w3c-dist-auth@w3.org
> Subject: Re: I-D ACTION:draft-ietf-webdav-rfc2518bis-03.txt
>
>
> > known issue.
>
> Good, but that sentence you quoted contradicts it.  XML doesn't
> allow subsetting.

Do you have a proposal for how we can refer to the specs and still allow
subsetting (allowing rejection of internal entities)?

> > RFC2518bis specifically allows rejection of requests using external
> > entities (this should take care of the "one million laughs" attack).
>
> Recursive entity declarations are internal entities.  :(

Indeed.

So I must take back what I said: the problem is known but has *not* been
considered yet in the draft.

Jason, Lisa: we badly need to add this to the issues list and fix it in the
next draft.

(the issue being: recursive entity declarations can be used for effective
DoS attacks, and thus WebDAV MUST allow servers to reject this kind of
request, even though it may be well-formed).

Julian


--
<green/>bytes GmbH -- http://www.greenbytes.de -- tel:+492512807760

Received on Thursday, 13 March 2003 16:05:41 UTC
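The server-side behaviour the thread asks for, rejecting a request body that declares entities before anything is expanded, as an added illustration that is not part of this message or of any WebDAV implementation. It uses Python's standard `xml.parsers.expat` module; the function names `check_webdav_body` and `classify_body` and the sample PROPFIND bodies are constructed for this example.

```python
"""Reject XML request bodies that declare entities, before any expansion happens.

Added example, not code from the mailing-list thread. The point being
illustrated: a body with recursive internal entities is well-formed XML, so
well-formedness checks do not help; the server must be allowed to refuse the
body as soon as it sees an entity declaration in the DTD.
"""
import xml.parsers.expat as expat


class EntityDeclarationRejected(Exception):
    """Raised the moment the parser reports an entity declaration."""


def check_webdav_body(body: bytes) -> str:
    """Parse a request body and return its root element name.

    Any <!ENTITY ...> declaration, internal or external, aborts parsing while
    the parser is still inside the DTD, i.e. before it expands any entity
    reference in the document content. Plain well-formedness problems surface
    as expat.ExpatError.
    """
    parser = expat.ParserCreate()
    root = []  # filled with the first start tag seen

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # expat reports internal entities with a value and external ones with
        # a system id; both are refused here, whatever their content.
        kind = "internal" if value is not None else "external"
        raise EntityDeclarationRejected(
            f"{kind} entity declaration '{name}' not accepted in request body"
        )

    def on_start_element(name, attrs):
        if not root:
            root.append(name)

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start_element
    parser.Parse(body, True)  # exceptions raised in handlers propagate out of Parse
    return root[0]


def classify_body(body: bytes) -> str:
    """Map a request body to the decision a WebDAV server would make."""
    try:
        root = check_webdav_body(body)
    except EntityDeclarationRejected:
        return "rejected: entity declaration"
    except expat.ExpatError:
        return "rejected: not well-formed"
    return f"accepted: {root}"


# Constructed sample bodies (not taken from any real traffic).
BENIGN_PROPFIND = (
    b'<?xml version="1.0"?>'
    b'<D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>'
)

# Well-formed, but declares an internal entity in the DTD. A real expansion
# attack would nest such declarations; one declaration is enough to trigger
# the rejection, because the check fires on the declaration, not on its size.
PROPFIND_WITH_INTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE D:propfind [<!ENTITY a "x">]>'
    b'<D:propfind xmlns:D="DAV:"><D:prop>&a;</D:prop></D:propfind>'
)

TRUNCATED_PROPFIND = b'<D:propfind xmlns:D="DAV:">'


if __name__ == "__main__":
    for label, body in [
        ("benign", BENIGN_PROPFIND),
        ("internal entity", PROPFIND_WITH_INTERNAL_ENTITY),
        ("truncated", TRUNCATED_PROPFIND),
    ]:
        print(f"{label:16s} -> {classify_body(body)}")
```

The decision is taken inside the DTD handler, so the cost of the check is bounded by the size of the request as received; the parser never reaches the element content where the entity references would have been expanded. Rejecting on every entity declaration is stricter than the draft's existing allowance for external entities, which is exactly the extra latitude the message argues servers need.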