W3C home > Mailing lists > Public > www-xml-xinclude-comments@w3.org > March 2004

RE: accept attributes: possible security holes

From: Jonathan Marsh <jmarsh@microsoft.com>
Date: Tue, 2 Mar 2004 00:48:33 -0800
Message-ID: <DF1BAFBC28DF694A823C9A8400E71EA202C3864D@RED-MSG-30.redmond.corp.microsoft.com>
To: "Elliotte Harold" <elharo@metalab.unc.edu>, <www-xml-xinclude-comments@w3.org>

We will add a prohibition against characters outside the allowed range
32-126 as errors.  For interoperability, we'll require that all XInclude
processors fail if disallowed characters are encountered.

We believe this is resolution completes our resolution of outstanding
issues on XInclude, and we plan to release a new CR draft soon.

> -----Original Message-----
> From: www-xml-xinclude-comments-request@w3.org
> comments-request@w3.org] On Behalf Of Elliotte Harold
> Sent: Monday, November 10, 2003 8:50 PM
> To: www-xml-xinclude-comments@w3.org
> Subject: accept attributes: possible security holes
> The new working draft does not say what happens if the accept
> values are not legal for their respective HTTP headers. There are many
> ways they could be illegal ranging from not using an appropriate
> language code for accept-language to using non-ASCII characters in a
> header field that expected only ASCII to including carriage returns
> linebreaks (escaped if necessary) that completely botch up the HTTP
> header; for instance by prematurely ending it with a blank line or
> adding extra header lines. For example,
> accept-language="en&#x0D;&#x0A;Name: Value&#x0D;&#x0A;&#x0D;&#x0A;"
> I can even imagine this might be a security violation if it enabled me
> to write a document that injected arbitrary HTTP headers into a
> made by a different client. I'm not sure how serious this is, but it
> might become a problem at some point in the future with the wrong
> client. For instance, if this was followed by HTTP headers intended to
> provide a user name and password for a proxy server which the proxy
> would normally strip off, they might instead be transmitted in the
> past the firewall as part of the message body. I'm not sure if this is
> real attack. However, this feels flaky enough that I think there might
> be a real attack in here somewhere on some systems. It's just very
> for a server to be able to tell a client which HTTP headers to provide
> for a different server.
> If the accept attributes are retained at all, then the spec really
> to put some strict limits on them, and require XInclude processors to
> either skip them or throw a resource error or fatal error (I'm not
> which) if the values of these attributes are syntactically incorrect
> the relevant HTTP headers. It might be the case that implementations
> don't need to check everything, but probably line breaks need to be
> eliminated at a minimum. And someone who's more familiar with HTTP
> headers than me and who's quite devious should give this a serious
> thinking about to see if there might be any other nasty holes here
> waiting to trip up the unwary.
> --
> Elliotte Rusty Harold
Received on Tuesday, 2 March 2004 03:49:32 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 23:09:34 UTC