Re: [xml-dev] XPointer and XML Schema (fwd) from John Cowan on 2002-07-16 (xml-names-editor@w3.org from July 2002)

From: John Cowan <jcowan@reutershealth.com>
Date: Mon, 15 Jul 2002 23:08:08 -0400 (EDT)
To: xml-names-editor@w3.org
Message-Id: <200207160308.XAA29320@mail.reutershealth.com>

Rich Salz scripsit:
From cowan  Mon Jul 15 23:04:10 2002
Return-Path: <xml-dev-return-10862-jcowan=reutershealth.com@lists.xml.org>
Received: from mail.reutershealth.com [204.243.9.36]
	by localhost with POP3 (fetchmail-5.7.4)
	for cowan@localhost (single-drop); Mon, 15 Jul 2002 23:04:10 -0400 (EDT)
Received: from mail.oasis-open.org ([209.202.168.102])
	by mail.reutershealth.com (Pro-8.9.3/Pro-8.9.3) with SMTP id XAA29292
	for <jcowan@reutershealth.com>; Mon, 15 Jul 2002 23:03:13 -0400 (EDT)
Received: (qmail 28603 invoked by uid 60909); 16 Jul 2002 03:13:28 -0000
Mailing-List: contact xml-dev-help@lists.xml.org; run by ezmlm
Precedence: bulk
X-No-Archive: yes
List-Post: <mailto:xml-dev@lists.xml.org>
List-Help: <mailto:xml-dev-help@lists.xml.org>
List-Unsubscribe: <mailto:xml-dev-unsubscribe@lists.xml.org>
List-Subscribe: <mailto:xml-dev-subscribe@lists.xml.org>
Delivered-To: mailing list xml-dev@lists.xml.org
Received: (qmail 28595 invoked by uid 0); 16 Jul 2002 03:13:27 -0000
Date: Mon, 15 Jul 2002 23:03:39 -0400 (EDT)
From: Rich Salz <rsalz@datapower.com>
To: Jeff Rafter <jeffrafter@defined.net>
cc: <xml-dev@lists.xml.org>
In-Reply-To: <00cc01c22c6e$c8909b20$32f5d90c@c1980223a>
Message-ID: <Pine.LNX.4.33.0207152302020.11314-100000@eagle.datapower.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: Re: [xml-dev] XPointer and XML Schema
X-UIDL: e"b"!*b##!,=j!!l'a!!
X-Spam-Status: No, hits=-5.0 required=5.0 tests=IN_REP_TO version=2.11

> >    3. Make the schemalocation hint manditory to provide, and manditory to
> > dereference for Schema-Loading, WRT XPointer.
> 
> This option really scares me!

Me too, but for security reasons.  Mandatory to deref means that I as the 
client can force a server to go open a file of my choosing. That's scary. 
Suppose I send the server schemaLocation="file:///etc/passwd" -- I could 
probably guess some account names from the helpful fault information that 
comes back.
	/r$



-----------------------------------------------------------------
The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
initiative of OASIS <http://www.oasis-open.org>

The list archives are at http://lists.xml.org/archives/xml-dev/

To subscribe or unsubscribe from this list use the subscription
manager: <http://lists.xml.org/ob/adm.pl>


-- 
John Cowan                              <jcowan@reutershealth.com>
http://www.reutershealth.com            http://www.ccil.org/~cowan
                .e'osai ko sarji la lojban.
                Please support Lojban!          http://www.lojban.org

Received on Monday, 15 July 2002 23:09:43 UTC