RE: Interesting mailing list & a rare broadside


> > If that's so, although it's perfectly conformant, it seems like a fairly
> > major potential security/robustness hole. Suppose an application is trying
> > to use validation to protect itself from bad input. It carefully loads the
> > schema cache with the namespaces it knows about, and calls validate(). Now
> > the bad guy comes along and uses a root element from some other namespace
> > and uses xsi:schemaLocation to point to his own schema that has a
> > declaration for that element and uses <xs:any namespace="##any"
> > processContents="skip"/>. Won't they just have almost completely
> > undermined any protection that was supposed to come from validation?
>
> That is an interesting theoretical attack which I don't think anything
> in the W3C XML Schema recommendation prevents. You bring up a good point
> which I'll have to discuss with our resident W3C XML Schema folks when
> they get in on Monday.

Xerces follows the same approach as MS. Quoting from
http://xml.apache.org/xerces2-j/properties.html for general
property http://apache.org/xml/properties/schema/external-schemaLocation,

"This property allows the user to specify a list of schemas to use. If the 
targetNamespace of a schema (specified using this property) matches the 
targetNamespace of a schema occurring in the instance document in 
schemaLocation attribute, or if the targetNamespace matches the namespace 
attribute of <import> element, the schema specified by the user using this 
property will be used (i.e., the schemaLocation attribute in the instance 
document or on the <import> element will be effectively ignored)."

It would appear to be susceptible to the same attack as described above.

Regards
Michael
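A pre-validation gate that closes the gap discussed in this thread, as an added example that is not part of the original posts and not code from Xerces or MSXML. It rejects an instance document before it reaches the validator if the root element lives outside the namespaces the application has loaded schemas for, or if any xsi:schemaLocation / xsi:noNamespaceSchemaLocation hint names a namespace outside that set, so a validator that honours hints for unknown namespaces never gets the chance to fetch a foreign schema. It uses only the Python standard library; the namespace URIs, schema URLs and sample documents are constructed placeholders.

```python
"""
Pre-validation gate for xsi:schemaLocation hints.

Added example, not from the original thread: reject documents whose root
namespace or schema-location hints fall outside an explicit allowlist of
namespaces before handing them to a schema validator.
"""
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
# ElementTree spells namespaced attribute names as "{uri}local".
SCHEMA_LOCATION = f"{{{XSI}}}schemaLocation"
NO_NS_SCHEMA_LOCATION = f"{{{XSI}}}noNamespaceSchemaLocation"

# Namespaces the application has actually loaded schemas for (constructed value).
TRUSTED_NAMESPACES = {"urn:example:orders"}

# Constructed sample: root in a trusted namespace, hint for that same namespace.
GOOD_DOC = """<o:order xmlns:o="urn:example:orders"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:example:orders https://schemas.example.invalid/orders.xsd">
  <o:item>1</o:item>
</o:order>"""

# Constructed sample of the pattern described in the thread: root element from
# an unknown namespace plus a hint pointing at a schema the application never loaded.
UNTRUSTED_DOC = """<x:wrapper xmlns:x="urn:constructed:other"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:constructed:other https://untrusted.example.invalid/lax.xsd">
  <anything/>
</x:wrapper>"""


def split_qname(tag):
    """Return (namespace, local-name) for an ElementTree '{ns}local' tag."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def parse_schema_location(value):
    """xsi:schemaLocation is whitespace-separated (namespace, location) pairs.
    An odd token count is malformed; report it instead of guessing a pairing."""
    tokens = value.split()
    if len(tokens) % 2:
        raise ValueError("malformed xsi:schemaLocation: odd number of tokens")
    return list(zip(tokens[0::2], tokens[1::2]))


def check_schema_hints(xml_text, trusted_namespaces):
    """Return a list of policy violations; an empty list means the document
    may be passed on to the validator."""
    problems = []
    root = ET.fromstring(xml_text)

    root_ns, root_local = split_qname(root.tag)
    if root_ns not in trusted_namespaces:
        problems.append(
            f"root element {{{root_ns}}}{root_local} is not in a trusted namespace")

    # Hints may appear on any element, not only the root, so walk the whole tree.
    for elem in root.iter():
        if SCHEMA_LOCATION in elem.attrib:
            try:
                pairs = parse_schema_location(elem.attrib[SCHEMA_LOCATION])
            except ValueError as exc:
                problems.append(str(exc))
                continue
            for ns, location in pairs:
                if ns not in trusted_namespaces:
                    problems.append(
                        f"xsi:schemaLocation hint for untrusted namespace {ns} -> {location}")
        if NO_NS_SCHEMA_LOCATION in elem.attrib and "" not in trusted_namespaces:
            problems.append(
                "xsi:noNamespaceSchemaLocation hint present but no-namespace "
                "content is not trusted: " + elem.attrib[NO_NS_SCHEMA_LOCATION])
    return problems


if __name__ == "__main__":
    for label, doc in (("good", GOOD_DOC), ("untrusted", UNTRUSTED_DOC)):
        print(label, check_schema_hints(doc, TRUSTED_NAMESPACES))
```

Run as a script it reports no violations for GOOD_DOC and two for UNTRUSTED_DOC (untrusted root namespace, untrusted hint). The gate is a complement to, not a substitute for, configuring the validator itself: supplying the schema set directly to the validator and, where the parser supports it, not honouring schemaLocation hints at all remains the stronger control, and this check simply makes the policy explicit and auditable in front of whatever validator is in use.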
