[Rich Salz <rsalz@datapower.com>] Re: [xml-dev] XPointer and XML Schema from Henry S. Thompson on 2002-07-17 (www-xml-linking-comments@w3.org from July to September 2002)

Forwarded message 1

From: Rich Salz <rsalz@datapower.com>
Date: Mon, 15 Jul 2002 23:03:39 -0400 (EDT)
Subject: Re: [xml-dev] XPointer and XML Schema
To: Jeff Rafter <jeffrafter@defined.net>
cc: <xml-dev@lists.xml.org>
Message-ID: <Pine.LNX.4.33.0207152302020.11314-100000@eagle.datapower.com>

> >    3. Make the schemalocation hint manditory to provide, and manditory to
> > dereference for Schema-Loading, WRT XPointer.
> 
> This option really scares me!

Me too, but for security reasons.  Mandatory to deref means that I as the 
client can force a server to go open a file of my choosing. That's scary. 
Suppose I send the server schemaLocation="file:///etc/passwd" -- I could 
probably guess some account names from the helpful fault information that 
comes back.
	/r$



-----------------------------------------------------------------
The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
initiative of OASIS <http://www.oasis-open.org>

The list archives are at http://lists.xml.org/archives/xml-dev/

To subscribe or unsubscribe from this list use the subscription
manager: <http://lists.xml.org/ob/adm.pl>

-- Henry S. Thompson, HCRC Language Technology Group, University of Edinburgh W3C Fellow 1999--2002, part-time member of W3C Team 2 Buccleuch Place, Edinburgh EH8 9LW, SCOTLAND -- (44) 131 650-4440 Fax: (44) 131 650-4587, e-mail: ht@cogsci.ed.ac.uk URL: http://www.ltg.ed.ac.uk/~ht/ [mail really from me _always_ has this .sig -- mail without it is forged spam]