- From: Sanjiva Weerawarana <sanjiva@watson.ibm.com>
- Date: Mon, 25 Nov 2002 23:16:58 -0500
- To: <www-tag@w3.org>
I was recently made aware of a DoS security risk with internal entities .. if I recall correctly it went something like this:

- define entity x1 as "a"
- define entity x2 as &x1;&x1;
- define entity x3 as &x2;&x2;
- define entity x4 as &x3;&x3;
- ...

So it results in exponential growth .. resulting in potential DoS attacks (or so my severely limited security knowledge tells me).

Sanjiva.

----- Original Message -----
From: "Paul Grosso" <pgrosso@arbortext.com>
To: <www-tag@w3.org>
Sent: Monday, November 25, 2002 5:55 PM
Subject: RE: SOAP's prohibiting use of XML internal subset

> [Deleting all extra mailing addresses--please do likewise!]
>
> At 23:24 2002 11 25 +0100, Julian Reschke wrote:
> >Automatic resolution of external entities clearly is a security risk -- so
> >there SHOULD be a way for XML based protocols to explicitly forbid this.
>
> External entities are not central to the current issue
> which is really about subsetting XML.
>
> Note that the "standalone" declaration [1] allows one to
> say that there are no references to external entities.
>
> Note that [2] is all about internal entities.
>
> paul
>
> [1] http://www.w3.org/TR/REC-xml#sec-rmd
> [2] http://www.w3.org/XML/Core/2002/10/charents-20021023
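The entity chain Sanjiva describes is the classic exponential-expansion attack: each entity is twice the size of the one before it, so a 30-deep chain referenced once in the body expands to 2^29 characters. The script below is an added example, not code from the message or from the W3C; it builds a document matching that x1/x2/x3 chain (a constructed sample) and then shows the check a parser or gateway can run before expanding anything: compute the post-expansion size of every entity from the declarations alone, memoised so the exponential chain costs linear time, and reject the document if the body would exceed a budget. The internal-subset parser is a deliberately minimal regex that only understands `<!ENTITY name "value">` general entities (no parameter entities, external entities or single-quoted literals); those limits are assumptions of the example, not of XML. Recursive entities, which XML forbids, are rejected rather than followed.

```python
"""Estimate the expanded size of XML internal entities without expanding them.

Added example (not from the original message). The sample document is
constructed here to match the x1/x2/x3 chain in the message. The subset
parser is deliberately minimal: only internal general entities declared as
<!ENTITY name "value"> are understood (no parameter or external entities,
no single-quoted literals).
"""
import re

ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.-]+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&([\w.-]+);')
DOCTYPE = re.compile(r'<!DOCTYPE[^\[>]*(?:\[.*?\]\s*)?>', re.S)
# The five predefined entities each expand to a single character.
PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "quot": 1, "apos": 1}


def build_entity_chain(depth, leaf="a"):
    """Constructed sample: x1 = leaf, x_k = &x_{k-1};&x_{k-1};
    so &x_depth; expands to 2**(depth-1) copies of leaf."""
    decls = ['<!ENTITY x1 "%s">' % leaf]
    for k in range(2, depth + 1):
        decls.append('<!ENTITY x%d "&x%d;&x%d;">' % (k, k - 1, k - 1))
    return ('<?xml version="1.0"?>\n<!DOCTYPE doc [\n%s\n]>\n<doc>&x%d;</doc>\n'
            % ("\n".join(decls), depth))


def parse_internal_subset(doc):
    """Map entity name -> replacement text for the internal subset, if any."""
    m = DOCTYPE.search(doc)
    if not m:
        return {}
    return dict(ENTITY_DECL.findall(m.group(0)))


def expanded_length(text, entities, memo=None, active=()):
    """Length of `text` after every entity reference is replaced.

    Each entity's expanded size is computed once and memoised, so a chain of
    n doubling entities is costed in O(n) instead of O(2**n) work."""
    if memo is None:
        memo = {}
    total, last = 0, 0
    for ref in ENTITY_REF.finditer(text):
        total += ref.start() - last          # literal text before the reference
        name = ref.group(1)
        if name in PREDEFINED:
            total += PREDEFINED[name]
        else:
            if name in active:
                # XML forbids recursive entities (WFC: No Recursion); reject, don't loop.
                raise ValueError("recursive entity reference: %s" % name)
            if name not in entities:
                raise ValueError("undeclared entity: %s" % name)
            if name not in memo:
                memo[name] = expanded_length(entities[name], entities, memo, active + (name,))
            total += memo[name]
        last = ref.end()
    return total + len(text) - last          # trailing literal text


def check_document(doc, max_expanded=1_000_000):
    """Return (expanded_size, accepted). The budget is checked before any
    expansion happens, so an oversized document costs no memory to reject."""
    entities = parse_internal_subset(doc)
    body = DOCTYPE.sub("", doc, count=1)
    size = expanded_length(body, entities)
    return size, size <= max_expanded


if __name__ == "__main__":
    for depth in (4, 10, 30):
        size, ok = check_document(build_entity_chain(depth))
        print("depth %2d: body expands to %d characters -> %s"
              % (depth, size, "accept" if ok else "reject"))
```

The budget check is the same idea that modern parsers implement as an amplification limit; SOAP's answer, as the thread's subject notes, was blunter: forbid the internal subset entirely, which removes the declarations this script has to reason about.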
Received on Monday, 25 November 2002 23:19:22 UTC