Re: Dereferencing Namespace URIs considered harmful
At 11:35 AM 1/1/01 +0000, John Wilson wrote:

>It would be worthwhile taking a little time to consider the possible
>security impact of encouraging XML processing software to dereference
>Namespace URIs as a matter of course.
>
>Performing an HTTP GET on an arbitrary URL is not an innocuous action. Most
>web servers have well known vulnerabilities to various forms of malformed
>URL.

Any HTTP GET facility exposed to the outside world can be abused. Namespace URIs are no different. The issues you raise are equally applicable to XML-RPC, SOAP (not to mention DTDs at the end of URIs in XML 1.0).

I look forward to the day when this is a real issue :-). By which I mean that for this to be a real problem, the semantic web will be up and running :-)

For now, to paraphrase our resident song writer, I want to read about the pizza myself in a Web browser window by clicking on a link, not have a mozzarella definition automatically added to my bookmarks :-)

Sean McGrath
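An added example, not part of the original message or thread: a Python sketch that lists the URIs a dereferencing XML processor would be asked to fetch (namespace URIs and the DOCTYPE system identifier) and checks each against a host allowlist without fetching anything. The sample document, the host names and the `ALLOWED_HOSTS` policy are constructed assumptions.

```python
# Added example: audit the URIs in an XML document before any dereferencing.
from urllib.parse import urlsplit
from xml.parsers import expat

# Constructed sample document; all hosts are placeholders.
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE menu SYSTEM "http://dtd.example.net/menu.dtd">
<menu xmlns="http://pizza.example.org/ns/menu"
      xmlns:t="http://other.example.com/ns/toppings"
      xmlns:u="urn:example:toppings">
  <t:item>mozzarella</t:item>
</menu>
"""

# Hypothetical policy: the only hosts this processor may contact.
ALLOWED_HOSTS = {"pizza.example.org"}


def collect_uris(xml_bytes):
    """Return (kind, uri) pairs declared in the document. Nothing is fetched."""
    found = []
    # Namespace processing must be enabled for the namespace handler to fire.
    parser = expat.ParserCreate(namespace_separator=" ")

    def on_namespace(prefix, uri):
        found.append(("namespace", uri))

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id:
            found.append(("dtd", system_id))

    parser.StartNamespaceDeclHandler = on_namespace
    parser.StartDoctypeDeclHandler = on_doctype
    # No external entity handler is installed, so the DTD is never loaded.
    parser.Parse(xml_bytes, True)
    return found


def classify(uri):
    """'allowed' only for http(s) URIs on an allowlisted host, else 'blocked'."""
    parts = urlsplit(uri)
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return "allowed"
    return "blocked"


def audit(xml_bytes):
    """Return (kind, uri, decision) for every URI a processor might dereference."""
    return [(kind, uri, classify(uri)) for kind, uri in collect_uris(xml_bytes)]


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```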