- From: Chris Lilley <chris@w3.org>
- Date: Wed, 30 Oct 2002 23:32:21 +0100
- To: www-tag@w3.org, Miles Sabin <miles@milessabin.com>
On Wednesday, October 30, 2002, 9:51:57 PM, Miles wrote:

MS> Chris Lilley wrote,
>> How is that different from html pages that link to external images
>> that the browser may be 'coerced' to open?

MS> It's the same problem, but in a different context. That on its
MS> own is enough to cause problems.

MS> The awkward thing is that the mantra "always validate inputs from
MS> untrusted sources" actually hurts here because someone might
MS> naively assume that this means that untrusted XML inputs should be
MS> validated in the sense of the XML REC ... but in at least some
MS> cases the very act of attempting validation will trigger the
MS> dangerous behaviour, e.g. retrieving an uncached DTD external
MS> subset.

Okay. Although, accepting the original XML message (if it's a protocol, say) might be just as dangerous.

MS> So it's not a new problem, and the solutions are obvious to anyone
MS> who understands it. But for all that I'm sure people will make
MS> mistakes and they'll be exploited. I think it would be a good idea
MS> that if the Architectural Principles doc is going to highlight a
MS> principle that states,

MS> Representation retrieval is safe: Agents do not incur obligations
MS> by retrieving a representation.

Aha. Thanks for being more specific as to the link between the security alert you posted and the edits to the Arch doc that should result from your input.

MS> it should qualify that by pointing out that "safe" is being used
MS> here in the sense of RFC 2616 rather than in any more general
MS> sense, and that even if agents don't incur any obligations they
MS> might still get burnt.

Okay, I agree that needs to be tightened up.

MS> Miles

--
Chris mailto:chris@w3.org
Received on Wednesday, 30 October 2002 17:32:25 UTC