XML-DEV Mailing List Archive
Re: Excellent IETF BCP on XML
Paul Prescod wrote,

> Miles Sabin wrote:
> > Apparently not ...
> >
> > http://www.kb.cert.org/vuls/id/210148
>
> Interesting.
>
> But note that there is a difference between downloading URIs and
> dereferencing them. Dare was talking about dereferencing and piping
> to less. The data never touches the file system (under any name).

In this case that's probably true ... in fact, I think the vulnerability only affects multiple gets, where the client first retrieves then blindly trusts a list of names from the server.

But my point still stands. It isn't just clients executing retrieved "active" content that represents a risk: flaws in the client's implementation of the base protocol can be just as dangerous. Even tho' _this_particular_ wget vulnerability probably wouldn't be tripped in the kind of scenarios that Tim was talking about, it's only a whisker away from something that _would_ be dangerous.

So how much do you trust the implementations of the network clients you use? Do you trust them enough to have a process feed them arbitrary URIs for dereferencing while left unattended?

Cheers,

Miles
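The post's concern is a client that "blindly trusts a list of names from the server" during a multi-file retrieval. As an added example (not from the thread, and not wget's or any other client's code), here is the kind of containment check a defender would want such a client to apply to every server-supplied name before it writes anything: the sample names, the `downloads` directory and the helper names are all constructed for illustration.

```python
import os
import posixpath
from typing import Dict, List, Optional

# Constructed sample: names a server might hand back in a multi-file
# retrieval. These are made-up inputs, not taken from the thread.
SAMPLE_SERVER_NAMES: List[str] = [
    "index.xml",
    "docs/schema.xsd",
    "../../etc/hosts",          # tries to climb out of the download directory
    "/etc/passwd",              # absolute path
    "docs/../../outside.txt",   # normalises to a parent of the base directory
    "",                         # empty name
    "ok/./nested/file.xml",     # harmless once '.' segments are collapsed
]


def safe_local_path(base_dir: str, server_name: str) -> Optional[str]:
    """Return the local path under base_dir for a server-supplied name,
    or None if the name would resolve outside base_dir.

    Names are treated as URL-style paths (forward slashes) and normalised
    with posixpath so '.' and '..' segments are collapsed before checking.
    """
    if not server_name:
        return None
    # A client should only ever write relative to its own download
    # directory, so an absolute name is rejected outright.
    if server_name.startswith("/"):
        return None
    # Collapse '.' and '..' segments; a leading '..' after normalisation
    # means the name tries to climb above the base directory, and '.'
    # names the directory itself rather than a file.
    norm = posixpath.normpath(server_name)
    if norm in (".", "..") or norm.startswith("../"):
        return None
    # Belt-and-braces check on the OS-level path: the joined absolute path
    # must still sit inside the absolute base directory.
    base_abs = os.path.abspath(base_dir)
    target = os.path.abspath(os.path.join(base_abs, *norm.split("/")))
    if os.path.commonpath([base_abs, target]) != base_abs:
        return None
    return target


def filter_server_names(base_dir: str, names: List[str]) -> Dict[str, Optional[str]]:
    """Map each server-supplied name to its accepted local path, or None
    when the name was rejected. A client would skip the None entries (and
    ideally log them) rather than writing anything for them."""
    return {name: safe_local_path(base_dir, name) for name in names}


if __name__ == "__main__":
    for name, path in filter_server_names("downloads", SAMPLE_SERVER_NAMES).items():
        print(f"{name!r:28} -> {'REJECTED' if path is None else path}")
```

The check is deliberately two-layered: the string-level test on the normalised name catches traversal regardless of platform path rules, and the `commonpath` test on the final absolute path catches anything the first layer did not anticipate. The point Miles makes in the post is that this sort of discipline belongs in the protocol-handling code of the client itself, which is exactly where a reviewer should look when deciding how far to trust a client with unattended, arbitrary URIs.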