
A possible security issue with accept attributes

From: Elliotte Rusty Harold <elharo@metalab.unc.edu>
Date: Thu, 26 Feb 2004 16:16:31 -0500
Message-Id: <p0601020bbc641177f4d8@[192.168.254.4]>
To: <www-xml-xinclude-comments@w3.org>

What should a processor do if the accept attributes contain values 
that are illegal in an HTTP header? I'm not an expert on HTTP 1.1, 
so I'm not sure what can or cannot appear there (Are non-ASCII 
characters allowed?) but what about something like this:

<xi:include href="something.xml" 
accept="text/xml&#13;&#10;Another-Header: another value"/>

I'm sure there are other ways to break the HTTP header or insert 
data that wasn't expected to be inserted. There may be security holes 
here.  A lot may depend on the underlying API used to communicate 
with the HTTP server.  Some libraries may perform sufficient sanity 
checking themselves that this is not a problem. However, others may 
not.

Should the XInclude specification put more restraints on what is 
allowed in these attributes? Or at the very least note the issue in 
specs as something implementers should be careful to think about?
-- 

   Elliotte Rusty Harold
   elharo@metalab.unc.edu
   Effective XML (Addison-Wesley, 2003)
   http://www.cafeconleche.org/books/effectivexml
   http://www.amazon.com/exec/obidos/ISBN%3D0321150406/ref%3Dnosim/cafeaulaitA
Received on Thursday, 26 February 2004 16:26:48 UTC
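The concern raised in this message is that an XInclude processor which copies the accept attribute straight into an HTTP request gives the document author control over the raw header bytes. The following example, added here and not code from the message's author, the XInclude specification or any particular processor, parses the exact xi:include element quoted above, shows that the &#13;&#10; character references survive attribute-value normalization as a real CR LF pair, contrasts a naive request builder (which ends up with an extra header line) with one that validates the value first, and demonstrates the kind of sanity check the message says some HTTP libraries perform and others do not. The validator's grammar is an assumption: a conservative subset of the HTTP/1.1 Accept syntax (comma-separated media ranges with optional ;q= parameters, printable ASCII only), not a full RFC 2616 parser; the host name and path are constructed sample values.

```python
"""Check an XInclude accept attribute before it becomes an HTTP Accept header.

Added example; not from the XInclude spec or any real processor.
"""
import re
import xml.etree.ElementTree as ET

# Assumption: a conservative subset of the HTTP/1.1 Accept grammar.
# Anything outside it (in particular CR, LF, other control characters
# and non-ASCII bytes) is rejected rather than passed through.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_MEDIA_RANGE = rf"(?:\*/\*|{_TOKEN}/\*|{_TOKEN}/{_TOKEN})"
_PARAM = rf"(?:\s*;\s*{_TOKEN}\s*=\s*(?:{_TOKEN}|\"[^\"\r\n]*\"))"
_ACCEPT_RE = re.compile(
    rf"{_MEDIA_RANGE}{_PARAM}*(?:\s*,\s*{_MEDIA_RANGE}{_PARAM}*)*"
)


class UnsafeAcceptValue(ValueError):
    """Raised when an accept attribute cannot safely become a header field."""


def validate_accept(value: str) -> str:
    """Return the trimmed value if it is a well-formed Accept field, else raise."""
    # Reject control characters (CR/LF among them) and non-ASCII outright,
    # independent of the grammar check, so a header line can never be broken.
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in value):
        raise UnsafeAcceptValue("control or non-ASCII character in accept value")
    trimmed = value.strip()
    if not _ACCEPT_RE.fullmatch(trimmed):
        raise UnsafeAcceptValue("accept value is not a valid HTTP Accept field")
    return trimmed


def is_safe_accept(value: str) -> bool:
    """Boolean form of validate_accept, convenient for tests and logging."""
    try:
        validate_accept(value)
        return True
    except UnsafeAcceptValue:
        return False


def build_request_unchecked(path: str, accept: str) -> str:
    """A naive request builder that trusts the attribute value (the risky pattern)."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: example.invalid\r\n"  # constructed sample host
        f"Accept: {accept}\r\n"
        f"\r\n"
    )


def build_request(path: str, accept: str) -> str:
    """Same builder, but the accept value must pass validation first."""
    return build_request_unchecked(path, validate_accept(accept))


def header_names(request: str) -> list[str]:
    """List the header field names present in a serialized request."""
    head = request.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


# The element quoted in the message, with the XInclude namespace declared
# so a standard XML parser accepts it.
INCLUDE_XML = (
    '<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" '
    'href="something.xml" '
    'accept="text/xml&#13;&#10;Another-Header: another value"/>'
)


def accept_from_include(xml_text: str) -> str:
    """Parse an xi:include element and return its accept attribute as the parser sees it."""
    # Character references are not subject to attribute-value normalization,
    # so &#13;&#10; come back as a literal CR LF pair.
    return ET.fromstring(xml_text).get("accept")


if __name__ == "__main__":
    value = accept_from_include(INCLUDE_XML)
    print("unchecked headers:", header_names(build_request_unchecked("/something.xml", value)))
    print("value accepted by validator:", is_safe_accept(value))
    print("well-formed value accepted:", is_safe_accept("text/xml, application/xml;q=0.9, */*;q=0.1"))
```

Run stand-alone, the naive builder reports three header names for the quoted element (Host, Accept and the smuggled Another-Header), while the validating builder refuses the value. Rejecting control characters before the grammar check is deliberate: even if the media-range pattern were loosened later, a CR or LF could still never reach the wire.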
