XML-DEV Mailing List Archive

Re: Seen on BugTraq: XXE (Xml eXternal Entity) attack
From: "Miles Sabin" <miles@m...>

> Rick Jelliffe wrote,
> > It strikes me that this puts the cart before the horse. The answer
> > is not to ban external entities, it is to allow access control lists
> > as part of entity managers or URL resolvers.
>
> Sure, but isn't that tantamount to agreeing with,
>
> Suggested fix:
> Most XML parsers allow their user to explicitly specify external
> entity handler. In case of untrusted XML input it is best to prohibit
> all external general entities.
>
> because your ACL will effectively be whitelisting your *trusted*
> sources.

???

"It is best to prohibit" is not the same thing as "allow access control lists". The former bans a useful feature. The latter shows how the feature can be made safe.

No-one would say "Because http: allows access to any file, we should ban http:"; instead, we provide access control on our servers to limit access to what we want to publish. I cannot see why it is any different for external entities or other links.

Cheers
Rick Jelliffe
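The two positions in the exchange above map directly onto two ways of configuring a SAX parser: the BugTraq "suggested fix" turns external general entities off entirely, while the access-control-list approach keeps the feature but puts an entity resolver in front of it that only serves pre-approved system identifiers and fails closed on anything else. The following is an added example written for this archive page, not code from the original post or from either author; it uses Python's standard `xml.sax` module. The allow-list, the URIs and the sample documents are constructed for the example, and the trusted entity content is embedded in a dictionary so that it runs offline (a real resolver would fetch from the approved location instead).

```python
import io
import xml.sax
import xml.sax.handler
from xml.sax.xmlreader import InputSource


class EntityDenied(Exception):
    """Raised when a document references an external entity that is not on the ACL."""


class AllowListResolver(xml.sax.handler.EntityResolver):
    """Entity manager with an access control list: only exact, pre-approved
    system identifiers are resolved; every other reference fails closed."""

    def __init__(self, allowed):
        # allowed: mapping of system identifier -> bytes the trusted source serves.
        # Embedded here so the example runs offline (constructed data, not a real fetch).
        self.allowed = allowed
        self.denied = []  # audit trail of rejected references, useful for detection

    def resolveEntity(self, publicId, systemId):
        if systemId in self.allowed:  # exact match on the declared URI, never a prefix test
            src = InputSource(systemId)
            src.setByteStream(io.BytesIO(self.allowed[systemId]))
            return src
        self.denied.append(systemId)
        raise EntityDenied(systemId)  # abort the parse rather than silently skip


class TextCollector(xml.sax.handler.ContentHandler):
    """Collects character data so we can see what the parser actually expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_with_acl(xml_text, allowed):
    """The ACL position: keep external entities, gate them with a resolver.
    Returns (character_data, denied_system_ids); character_data is None when
    the parse was aborted by a reference that is not on the ACL."""
    collector = TextCollector()
    resolver = AllowListResolver(allowed)
    parser = xml.sax.make_parser()
    # External general entities are enabled deliberately; the resolver is the gate.
    parser.setFeature(xml.sax.handler.feature_external_ges, True)
    parser.setContentHandler(collector)
    parser.setEntityResolver(resolver)
    try:
        parser.parse(io.StringIO(xml_text))
    except (EntityDenied, xml.sax.SAXException):
        return None, resolver.denied
    return "".join(collector.parts), resolver.denied


def parse_prohibiting_externals(xml_text):
    """The 'suggested fix' position: prohibit all external general entities.
    References to them are skipped, so their content never reaches the document."""
    collector = TextCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    parser.setContentHandler(collector)
    parser.parse(io.StringIO(xml_text))
    return "".join(collector.parts)


# Constructed sample inputs (placeholders, not from the original post).
TRUSTED_URI = "http://example.invalid/trusted/boilerplate.ent"
UNTRUSTED_URI = "file:///not-on-the-acl/placeholder.txt"
ACL = {TRUSTED_URI: b"<boilerplate>TRUSTED</boilerplate>"}


def doc_referencing(uri):
    """Build a document whose internal subset declares one external general entity."""
    return '<!DOCTYPE doc [<!ENTITY ext SYSTEM "%s">]><doc>&ext;</doc>' % uri


if __name__ == "__main__":
    print(parse_with_acl(doc_referencing(TRUSTED_URI), ACL))
    print(parse_with_acl(doc_referencing(UNTRUSTED_URI), ACL))
    print(repr(parse_prohibiting_externals(doc_referencing(TRUSTED_URI))))
```

The resolver compares the declared system identifier exactly against the list rather than by prefix, and it raises instead of returning an empty entity, so a denied reference is visible to the caller (and to logging) rather than quietly producing a document with a hole in it. Note that since Python 3.7.1 the `xml.sax` expat reader no longer processes external general entities by default, so the `setFeature` call in `parse_with_acl` is what opts back in to the feature under ACL control.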