Re: Seen on BugTraq: XXE (Xml eXternal Entity) attack
Rick Jelliffe wrote,
> > Sure, but isn't that tantamount to agreeing with,
> >
> > Suggested fix:
> > Most XML parsers allow their user to explicitly specify external
> > entity handler. In case of untrusted XML input it is best to
> > prohibit all external general entities.
> >
> > because your ACL will effectively be whitelisting your *trusted*
> > sources.
>
> ??? "It is best to prohibit" is not the same thing as "allow access
> control lists".

Read it carefully: "In case of *untrusted* XML input it is best ...".
The qualifier is important. To all intents and purposes a list which
specifies trusted sources is an ACL.

Cheers,

Miles
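The distinction argued in this message, as an added Python example that is not code from the thread: a SAX entity resolver that serves external general entities only from an allowlist, so an empty allowlist is the "prohibit all" case. The class and function names, the system identifiers and the sample documents are constructed for illustration.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource


class UntrustedEntity(Exception):
    """A document referenced an external entity that is not on the allowlist."""


class AllowlistResolver(EntityResolver):
    """Maps trusted system identifiers to in-memory bytes; nothing is fetched."""

    def __init__(self, trusted):
        self.trusted = dict(trusted)

    def resolveEntity(self, publicId, systemId):
        if systemId not in self.trusted:
            raise UntrustedEntity(systemId)  # refuse instead of dereferencing
        source = InputSource(systemId)
        source.setByteStream(io.BytesIO(self.trusted[systemId]))
        return source


class ElementNames(ContentHandler):
    """Records element names so the caller can see what was expanded."""

    def __init__(self):
        super().__init__()
        self.names = []

    def startElement(self, name, attrs):
        self.names.append(name)


def parse_with_acl(xml_bytes, trusted):
    """Parse xml_bytes; external general entities resolve only via `trusted`."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)  # off by default since Python 3.7.1
    parser.setEntityResolver(AllowlistResolver(trusted))
    handler = ElementNames()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.names


# Constructed sample input: one listed and one unlisted system identifier.
TRUSTED = {"urn:example:boilerplate": b"<legal/>"}
GOOD = b'<!DOCTYPE doc [<!ENTITY t SYSTEM "urn:example:boilerplate">]><doc>&t;</doc>'
BAD = b'<!DOCTYPE doc [<!ENTITY t SYSTEM "http://unlisted.example/e.xml">]><doc>&t;</doc>'
```

Passing an empty mapping as `trusted` makes every external general entity reference fail with `UntrustedEntity`.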