Re: Possible issue: XXE (Xml eXternal Entity) attack

Dare Obasanjo wrote,
> Why do you think this is a TAG issue?

I think it's a "best practice" issue and probably ought to be added as a 
rider to,

  http://www.w3.org/TR/2002/WD-webarch-20020830/#pr-deref-safe

if only to say that "safe" as used in the principle doesn't mean quite 
the same as "safe" as used in a network security context.

> Even if it was a TAG issue, your proposed recommendation misses the
> point. The security issue is that clients should not attempt to
> retrieve data from URIs when directed to do so by untrusted sources
> regardless of whether the retrieval directive is via external
> entities, stylesheet PIs, XInclude, xsi:schemaLocation or whatever.

I didn't express myself well: I meant any untrusted URI that might be 
resolved automatically during document processing, not just those 
associated with external entities.

So, agreed.

> I'm not sure what namespace URIs have to do with anything.

If it becomes common practice to retrieve machine processable documents 
via namespace URIs, and the retrieval is done automatically during 
document processing under some circumstances, then namespace URIs will 
be in exactly the same position as any of the other URIs you listed 
above.

Given that putting machine processable documents on the end of namespace 
URIs is something that's been floated on this list at least once, I 
don't think they're completely irrelevant.

> PS: I believe that XML Web Service implementations (or at least those
> that use SOAP) aren't supposed to support DTDs so this specific
> attack is not an architectural issue for them.

Oh, sure. Hardly any software is _supposed_ to have bugs ;-)

But it doesn't follow from that that there's very little buggy software. 
I can easily imagine a WS stack using an off-the-shelf XML parser the 
default behaviour of which is to retrieve external entities (or 
whatever). It'll process correct input correctly but be bitten by 
incorrect input.

This isn't strictly speaking an architectural issue. But architecture 
interacts with implementations. Architectural recommendations which in 
practice might trip up common implementations should at least come with 
a warning notice.

Cheers,


Miles

Received on Wednesday, 30 October 2002 14:57:34 UTC
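The failure mode Miles describes, an off-the-shelf parser whose default is to fetch whatever URI an external entity names, can be shown with nothing but the Python standard library. The following is an added example, not part of the www-tag thread or of any project discussed in it: the "secret" file, the hostile document and the benign document are all constructed here for the demonstration. It parses the same input twice with xml.sax, once with external general entity resolution switched on (modelling the parser default the message warns about) and once with it off, and reports what the application would see in each case. A file: URI is used so the example runs offline; an http: URI would be followed by exactly the same code path, which is Dare's point that the retrieval mechanism is incidental.

```python
"""Added example (not from the www-tag thread): an XML parser that resolves
external general entities by default versus the same parser with that
resolution turned off. Standard library only; all inputs are constructed here."""
from io import BytesIO
from pathlib import Path
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed for the demo: content an attacker wants to read off the parsing host.
SECRET = "db_password=hunter2"


class TextCollector(ContentHandler):
    """Collects the document's character data, which is where the content of a
    resolved external entity is delivered to the application."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


def build_xxe_document(secret_uri: str) -> bytes:
    """Constructed hostile input: the internal DTD subset declares an external
    general entity whose system identifier points at a local file, and the
    document body references it. The parser, not the attacker, does the read."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE r [ <!ENTITY xxe SYSTEM "{secret_uri}"> ]>\n'
        '<r>&xxe;</r>'
    ).encode()


def parse_text(doc: bytes, resolve_external_entities: bool) -> str:
    """Parse with xml.sax and return the collected character data.
    feature_external_ges decides whether the parser follows external general
    entities. It is set explicitly because the default has changed across
    Python versions (it was on before 3.7.1), which is exactly the kind of
    parser default an application author tends not to know about."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(BytesIO(doc))
    return collector.text()


def demo() -> dict:
    """Run a hostile and a benign document through both configurations and
    return what each parse handed to the application."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_file = Path(tmp) / "secret.txt"
        secret_file.write_text(SECRET)
        hostile = build_xxe_document(secret_file.as_uri())
        benign = b'<?xml version="1.0"?><r>hello</r>'
        return {
            # The resolving parser fetches the file and returns its content as
            # ordinary text: the document has exfiltrated the secret.
            "resolving/hostile": parse_text(hostile, True),
            # With resolution off the reference expands to nothing; no fetch occurs.
            "hardened/hostile": parse_text(hostile, False),
            # Entity-free input is handled identically either way, which is why a
            # fetching default survives testing and only bites on hostile input.
            "resolving/benign": parse_text(benign, True),
            "hardened/benign": parse_text(benign, False),
        }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value!r}")
```

The hardening here is the feature flag, but the same check applies to every other automatic retrieval the thread lists (stylesheet PIs, XInclude, xsi:schemaLocation, and, if they ever become dereferenceable by convention, namespace URIs): find the switch that controls the fetch, turn it off, and confirm with a hostile document rather than a benign one that it is actually off.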