- From: <noah_mendelsohn@us.ibm.com>
- Date: Thu, 5 Dec 2002 19:04:45 -0500
- To: jeremy@dunck.us
- Cc: pgrosso@arbortext.com, tbray@textuality.com, www-tag@w3.org
Jeremy Dunck writes:

>> Lastly, am I correct in my understanding
>> that the DoS through entity expansion
>> is only possible when external subsets
>> are used, and when that referenced subset
>> is compromised? That is, how can the DoS
>> happen if only trusted resources are used
>> as external subsets?

I don't think so. If SOAP allowed entities and internal subsets, then I think that in a B2B scenario you could just send me what purported to be a purchase order but that expanded to a huge size based on expansion of entities defined in the internal subset.

That said, I personally find the billion laughs attack more a worrying indicator of problems that we may not fully understand. I agree the heuristics are possible, if only at a higher level. Even if XML were not changed to say "no entity bigger than x", I could in principle advertise as a characteristic of my purchasing service: "otherwise valid purchase orders that expand to greater than X chars will not be accepted." One could write special purpose parsers to help applications enforce such things. One could extend WSDL to allow the limit to be declared. It's all just extra complexity and performance overhead (which I don't want), but I agree it's resolvable in principle.

BTW: I can report unofficially that the XML Protocols WG is very close to having final text on a report back regarding its reasons for using a subset of SOAP. Anyone who can't wait is welcome to look at drafts in the distApp archive. You'll find them within the last 3 days or so (note, however, that we are NOT hosting a debate on distApp. We are merely, at the request of Paul and others, preparing a note that summarizes the history of our decision making.). I would expect something to go out tomorrow or Monday, unless plans change. Again, this is unofficial. I don't speak for the WG.
------------------------------------------------------------------
Noah Mendelsohn                              Voice: 1-617-693-4036
IBM Corporation                                Fax: 1-617-693-8676
One Rogers Street
Cambridge, MA 02142
------------------------------------------------------------------
Received on Thursday, 5 December 2002 19:08:05 UTC
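The per-service cap Noah sketches ("purchase orders that expand to greater than X chars will not be accepted"), as an added example that is not part of this thread: Python's streaming expat parser with a counter on expanded character data that aborts the parse as soon as the total passes the limit, so an internal-subset entity chain never fully materialises in memory. The sample order document, its entity names and the limits are constructed for the demonstration.

```python
import xml.parsers.expat


class ExpansionLimitExceeded(Exception):
    """Raised when expanded text exceeds the service's advertised cap."""


def parse_with_expansion_cap(xml_bytes: bytes, max_chars: int) -> int:
    """Parse with expat, counting expanded character data as it streams in.

    expat expands internal entities itself; the handler sees the result piece
    by piece, so the check fires partway through a large expansion rather than
    after the whole string has been built. Returns the expanded length.
    """
    parser = xml.parsers.expat.ParserCreate()
    seen = 0

    def on_chars(data: str) -> None:
        nonlocal seen
        seen += len(data)
        if seen > max_chars:
            # Exceptions raised in a handler propagate out of Parse().
            raise ExpansionLimitExceeded(
                f"expanded text exceeds {max_chars} chars")

    parser.CharacterDataHandler = on_chars
    parser.Parse(xml_bytes, True)
    return seen


# Constructed sample: a small "purchase order" whose internal subset nests
# three entities, so one reference (&c;) expands to 10 * 10 * 10 = 1000 chars.
NESTED_ORDER = b"""<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY a "0123456789">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<order><item>&c;</item></order>"""


def check_order(xml_bytes: bytes, max_chars: int):
    """Apply the advertised policy: accept with the expanded size, or reject."""
    try:
        return ("accepted", parse_with_expansion_cap(xml_bytes, max_chars))
    except ExpansionLimitExceeded:
        return ("rejected", None)


if __name__ == "__main__":
    print(check_order(NESTED_ORDER, 2000))  # cap above the expansion
    print(check_order(NESTED_ORDER, 500))   # cap below it: parse aborted
```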