Re: XInclude: security risk 1
>On reflection, I think XInclude's security issues are really just a
>subset of those that browsers have with XSLT, or at least are solvable
>in the same way. XSLT allows you to fetch data from a local file
>using document("file:///whatever") and even allows you to pass out
>that information as part of a URL in another document() call.

You're right. That does sound like another security hole, and possibly worse. It also had not occurred to me that you might XInclude a file URL. That opens up some more holes.

>I checked what Mozilla does in this case, and it appears to refuse
>to fetch a file: URL from a document() call in a remote stylesheet.

Which raises the questions:

1. What does IE6 do?

2. What does Mozilla do when faced with an http URL in the document() function that points to a host other than the document base?

The XSLT issue is potentially worse because you could use XSLT to actually include the contents of the stolen XML document in the URL you passed back to the hacker's server. It is somewhat (though far from completely) mitigated by the fact that the document() function can only point to well-formed XML documents so it can't steal absolutely any file or URL.

--
+-----------------------+------------------------+-------------------+
| Elliotte Rusty Harold | elharo@m... | Writer/Programmer |
+-----------------------+------------------------+-------------------+
| XML in a Nutshell, 2nd Edition (O'Reilly, 2002) |
| http://www.cafeconleche.org/books/xian2/ |
| http://www.amazon.com/exec/obidos/ISBN%3D0596002920/cafeaulaitA/ |
+----------------------------------+---------------------------------+
| Read Cafe au Lait for Java News: http://www.cafeaulait.org/ |
| Read Cafe con Leche for XML News: http://www.cafeconleche.org/ |
+----------------------------------+---------------------------------+
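The fetch policy the thread discusses (a remote stylesheet or XInclude-ing document refusing file: URLs, and the open question of cross-host http URLs), written out as an added example that is not part of the original post or of any processor named in it. `resolve_href`, `FetchDenied` and `is_allowed` are names chosen here; the policy treats the behaviour reported for Mozilla as the rule for file: and refuses other hosts by default, applying the same check to an XInclude href and to a document() argument.

```python
from urllib.parse import urljoin, urlsplit

REMOTE_SCHEMES = {"http", "https"}


class FetchDenied(Exception):
    """Raised when the resolver refuses to dereference an href (hypothetical name)."""


def resolve_href(base_url: str, href: str, allow_cross_host: bool = False) -> str:
    """Return the absolute URL a processor may fetch, or raise FetchDenied.

    base_url: URL the including document or stylesheet was loaded from.
    href:     the xi:include/@href value or the document() argument.
    """
    target = urljoin(base_url, href)  # relative hrefs resolve against the base
    base, tgt = urlsplit(base_url), urlsplit(target)

    if base.scheme not in REMOTE_SCHEMES:
        # A document opened from the local filesystem is trusted to read locally.
        return target

    # From here on, the including document came over the network.
    if tgt.scheme == "file":
        # The behaviour the thread reports for Mozilla: no file: reads from remote content.
        raise FetchDenied(f"{base_url} may not read local file {target}")
    if tgt.scheme not in REMOTE_SCHEMES:
        raise FetchDenied(f"unsupported scheme in {target}")

    same_origin = (tgt.scheme, tgt.hostname, tgt.port) == (base.scheme, base.hostname, base.port)
    if not same_origin and not allow_cross_host:
        # Question 2 in the thread: refuse other hosts unless the deployment opts in,
        # since the fetched URL is where stolen content would otherwise be carried out.
        raise FetchDenied(f"{base_url} may not fetch cross-host URL {target}")
    return target


def is_allowed(base_url: str, href: str, allow_cross_host: bool = False) -> bool:
    """Boolean convenience wrapper around resolve_href."""
    try:
        resolve_href(base_url, href, allow_cross_host)
        return True
    except FetchDenied:
        return False
```

The base and target URLs used in the checks are constructed sample values; a real processor would call `resolve_href` from its URI resolver before any fetch.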