[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

Re: Malicious documents? (WAS: Interesting mailing list & a ra

postscript malicious
Bill de hÓra wrote,
> The notion of treating XML as active content is fascinating (and a
> bit scary). I wonder if you could set up a for loop for a DOS via
> an XSLT sheet?

An XSLT stylesheet has intended programmatic semantics (it's code, for 
all that it's sprinkled with angle brackets and declarative rather than 
imperative), so pretty clearly, IMO, it has to be treated as active 
content. A comparisons with PostScript might be in order here, and it's 
not news that untrusted PostScript documents can be dangerous.

The more worrying cases are documents which don't have any such intended 
semantics (ie. just dumb data), but get them willy nilly thanks to the 
implicit retrieval semantics of validation. My guess is that many, 
many, developers will assume that such things are just as safe as 
text/plain is typically taken to be, without anticipating the effects 
of validation.

This is likely to be particularly so in server as opposed to client 
applications: that a server designed to only _consume_ incoming 
documents might be tricked into making outgoing requests to arbitrary 
hosts is probably completely unexpected.




Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Buy Stylus Studio Now

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Don't miss another message! Subscribe to this list today.
First Name
Last Name
Subscribe in XML format
RSS 2.0
Atom 0.3

Stylus Studio has published XML-DEV in RSS and ATOM formats, enabling users to easily subcribe to the list from their preferred news reader application.

Stylus Studio Sponsored Links are added links designed to provide related and additional information to the visitors of this website. they were not included by the author in the initial post. To view the content without the Sponsor Links please click here.

Site Map | Privacy Policy | Terms of Use | Trademarks
Free Stylus Studio XML Training:
W3C Member
Stylus Studio® and DataDirect XQuery ™are products from DataDirect Technologies, is a registered trademark of Progress Software Corporation, in the U.S. and other countries. © 2004-2013 All Rights Reserved.