- From: <bugzilla@soe.ucsc.edu>
- Date: Fri, 9 Dec 2005 03:19:59 -0800
- To: w3c-dist-auth@w3.org
http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=11

julian.reschke@greenbytes.de changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Status     |RESOLVED |REOPENED
Resolution |FIXED    |

------- Additional Comments From julian.reschke@greenbytes.de 2005-12-09 03:19 -------

I found a minor problem with the language I proposed: the attack is not based on recursively defined internal entities, but on *nested* internal entities. Please update paragraph to:

Furthermore, there's also a risk based on the evaluation of "internal entities" as defined in section 4.2.2 of [XML]. A small, carefully crafted request using nested internal entities may require enormous amounts of memory and/or processing time to process. Server implementors should be aware of this risk and configure their XML parsers so that requests like these can be detected and rejected as early as possible.

------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.
Received on Friday, 9 December 2005 11:20:22 UTC
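
An added example, not part of the original message or of any WebDAV implementation: one way a server could reject such a request "as early as possible", using Python's expat binding to refuse the body when the first internal entity is declared, before any reference is expanded. The function name, the exception class, the sample bodies and the policy of refusing every internal entity declaration (stricter than detecting nesting alone) are assumptions of this example.

```python
import xml.parsers.expat

# Constructed sample bodies (assumptions of this example, not from the message).
PLAIN_BODY = b"""<?xml version="1.0" encoding="utf-8"?>
<D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>"""

# Tiny, harmless illustration of nesting: each entity refers to the previous one.
NESTED_BODY = b"""<?xml version="1.0"?>
<!DOCTYPE D:propfind [
  <!ENTITY a "x">
  <!ENTITY b "&a;&a;">
  <!ENTITY c "&b;&b;">
]>
<D:propfind xmlns:D="DAV:"><D:prop>&c;</D:prop></D:propfind>"""


class RejectedRequest(Exception):
    """The request body must be refused (hypothetical name)."""


def check_request_body(body: bytes) -> str:
    """Parse a request body and return the name of its root element.

    Raises RejectedRequest when the parser reports an internal entity
    declaration, which happens while the DTD subset is read and therefore
    before any entity reference in the document is expanded.
    """
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    root = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # expat passes a string value only for internal entities
        # (section 4.2.2 of XML); external entities arrive with value None.
        if value is not None:
            raise RejectedRequest(f"internal entity declared: {name}")

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        # Bodies that are not well-formed are refused as well.
        raise RejectedRequest(f"not well-formed: {exc}") from exc
    return root[0]
```

A server would map `RejectedRequest` to a 400 response; external entities are not covered by this check and need their own handling.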