Re: SOAP, plague, love
On Sat, May 06, 2000 at 02:51:42PM +0100, Edd Dumbill wrote:
> On Fri, May 05, 2000 at 09:45:01PM +0100, Matt Sergeant wrote:
> > I was actually going to post something about this on mozillazine.org,
> > since mozilla has just incorporated XML-RPC. I'm seriously worried about
> > potential security holes there. I guess we'll see how it pans out - at
> > least with mozilla we can plug the holes as they appear.
>
> The XML-RPC support checked into Mozilla is an XML-RPC client, not
> server. This means it only ever initiates calls, never responds to them.
>
> In this sense it is doing no more than a Javascript POSTing to a form and
> retrieving a response. Furthermore, it is not pervasive functionality.
> It is an XPCOM class which must be instantiated by a script in order to
> be used.
>
> Additionally, I believe it is constrained to the general security model
> of Mozilla, which will mean that it can only establish a network
> connection back to the host that served it, if served from a network
> host rather than the filesystem. (Although I'm not 100% clear on this as
> I can't find this model explicitly documented at the moment.)
>
> I regard the addition of this functionality as a great move for Mozilla,
> so it is definitely worth us exploring all the security implications
> up-front before it gets released.

Thanks Edd, for including me here.

I had a look over this thread and I think the concern is that XML-RPC could be used to export sensitive information without the user knowing this.

The Mozilla XML-RPC client is an XPCOM component, and is protected by the same security measurements as all other XPCOM components reachable through XPConnect. This currently means that explicit permission is to be requested from the user if a JavaScript (be it local or remote) wants to have access to such a component. Only so-called chrome packages (user interfaces described in XML, built using JavaScript and CSS) have unlimited access.

This security measure is very coarse: either the script gets no access to XPConnect at all, or gets full access. XPConnect not only will allow such a script to do XML-RPC, but it then can also access files on the hard disk, or create its own socket-based connections outgoing from the user's machine. I believe that this is intended to become more fine-grained in future revisions.

The XML-RPC component is _not_ limited in what machines it can access. This restriction only applies to Java, IIRC (I am not an authority on Mozilla security, don't quote me on any of this!).

But, as Edd points out, XML-RPC is nothing more than a polished up POST back to the server, with a structured reply. I could also create a hidden frame, use DOM to create an HTML FORM, and submit that form to any server on the internet. This latter functionality isn't protected by any security constraints, and shouldn't be either.

--
Martijn Pieters
| Software Engineer  mailto:mj@d...
| Digital Creations  http://www.digicool.com/
| Creators of Zope   http://www.zope.org/
| The Open Source Web Application Server
---------------------------------------------