Re: Seen on BugTraq: XXE (Xml eXternal Entity) attack
From: "Miles Sabin" <miles@m...>

> Read it carefully: "In case of *untrusted* XML input it is best ...".
> The qualifier is important.
>
> To all intents and purposes a list which specifies trusted sources is an
> ACL.

Miles' ACLs say "These documents are trusted, so they can access any entities". It is a list (simplification) of documents that can make references.

My ACLs say "These entities can be accessed by any document". It is a list (simplification) of documents that can be referred to, enforced by a parser's entity manager.

Not the same thing at all, though certainly there may be scope for both. I don't see how Miles' ACLs prevent the attacks suggested. (But I don't deny that different levels of security are appropriate for different levels of danger!)

Cheers
Rick Jelliffe
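The entity-manager ACL Rick describes, as an added example that is not part of the original post or of any parser's own code: a SAX EntityResolver for Python's xml.sax that lets a document reference only the external entities on an allowlist and replaces every other reference with empty content, recording it. The allowed URI, its content, the base URI and the sample document are constructed for the example; a real deployment would map each allowed URI to a file or a fetch.

```python
import io
from urllib.parse import urljoin
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges
from xml.sax.xmlreader import InputSource


# Constructed allowlist: the only external resources a document may pull in.
# Content is kept in memory so the example runs offline.
ALLOWED_ENTITIES = {
    "https://example.org/entities/legal.xml": b"<legal>Copyright Example Org</legal>",
}

# Constructed document: one allowed entity, one classic XXE probe, and one
# relative reference that resolves (against the base URI) to the allowed one.
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY legal SYSTEM "https://example.org/entities/legal.xml">
  <!ENTITY passwd SYSTEM "file:///etc/passwd">
  <!ENTITY sibling SYSTEM "../entities/legal.xml">
]>
<doc>&legal;|&passwd;|&sibling;</doc>
"""


class EntityAllowlistResolver:
    """EntityResolver that serves an external entity only when its system
    identifier, made absolute against a known base URI, is on the allowlist.
    Everything else expands to nothing and is logged in `denied`."""

    def __init__(self, allowed, base_uri):
        self.allowed = allowed
        self.base_uri = base_uri
        self.resolved = []  # (public_id, absolute_system_id) served
        self.denied = []    # (public_id, absolute_system_id) refused

    def resolveEntity(self, public_id, system_id):
        # Normalise first, so "../x.xml" and the absolute form are judged alike
        # and a path-traversal style identifier cannot dodge the comparison.
        absolute = urljoin(self.base_uri, system_id)
        source = InputSource(absolute)
        if absolute in self.allowed:
            self.resolved.append((public_id, absolute))
            source.setByteStream(io.BytesIO(self.allowed[absolute]))
        else:
            self.denied.append((public_id, absolute))
            source.setByteStream(io.BytesIO(b""))  # never touches the real URI
        return source


class TextCollector(ContentHandler):
    """Collects character data so we can see what each entity expanded to."""

    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


def parse_with_allowlist(xml_bytes, base_uri="https://example.org/docs/"):
    """Parse `xml_bytes`; return (text content, served entities, refused entities)."""
    parser = xml.sax.make_parser()
    # Python disables external general entities outright by default. Turning
    # them on hands the decision to the resolver, which is the ACL here.
    parser.setFeature(feature_external_ges, True)
    resolver = EntityAllowlistResolver(ALLOWED_ENTITIES, base_uri)
    parser.setEntityResolver(resolver)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.text), resolver.resolved, resolver.denied


if __name__ == "__main__":
    text, served, refused = parse_with_allowlist(SAMPLE)
    print("text:   ", text)
    print("served: ", served)
    print("refused:", refused)
```

With the default feature setting the resolver is never consulted and every external entity silently becomes empty, which is the "just switch it off" position; enabling the feature and installing the resolver is the per-entity ACL. Parameter entities and external DTD subsets are controlled by the separate feature_external_pes switch, left at its default here.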