Re: XML-* [was: ... XML subsetting...] from noah_mendelsohn@us.ibm.com on 2002-12-06 (www-tag@w3.org from December 2002)

From: <noah_mendelsohn@us.ibm.com>
Date: Thu, 5 Dec 2002 19:04:45 -0500
To: jeremy@dunck.us
Cc: pgrosso@arbortext.com, tbray@textuality.com, www-tag@w3.org
Message-ID: <OFA6C3FDD3.399EDA76-ON85256C87.00001F49@lotus.com>

Jeremy Dunck writes:

>> Lastly, am I correct in my understanding 
>> that the DoS through entity expansion 
>> is only possible when external subsets 
>> are used, and when that referenced subset 
>> is compromised?  That is, how can the DoS 
>> happen if only  trusted resources are used 
>> as external subsets?

I don't think so.  If SOAP allowed entities and internal subsets, then I 
think that in a B2B scenario you could just send me what purported to be a 
purchase order but that expanded to a huge size based on expansion of 
entities defined in the internal subset.   That said, I personally find 
the billion laughs attack more a worrying indicator of problems that we 
may not fully understand.  I agree the heuristics are possible, if only at 
a higher level.  Even of XML were not changed to say "no entity bigger 
than x", I could in principle advertise as a characteristic of my 
purchasing service:  "otherwise valid purchase orders that expand to 
greater than X chars will not be accepted."   One could write special 
purpose parsers to help applications enforce such things.  Once could 
extend WSDl to allow the limit to be declared.  It's all just extra 
complexity and performance overhead (which I don't want), but I agree it's 
resolvable in principle.

BTW:  I can report unofficially that the XML Protocols WG is very close to 
having final text on a report back regarding its reasons for using a 
subset of SOAP.  Anyone who can't wait is welcome to look at drafts in the 
distApp archive.  You'll find them within the last 3 days or so (note, 
however, that we are NOT hosting a debate on distApp.  We are merely, at 
the request of Paul and others, preparing a note that summarizes the 
history of our decision making.).    I would expect something to go out 
tomorrow or Monday, unless plans change.  Again, this is unofficial..I 
don't speak for the WG.

------------------------------------------------------------------
Noah Mendelsohn                              Voice: 1-617-693-4036
IBM Corporation                                Fax: 1-617-693-8676
One Rogers Street
Cambridge, MA 02142
------------------------------------------------------------------

Received on Thursday, 5 December 2002 19:08:05 UTC