[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

RE: Postel's law, exceptions


judge postel
	I read with interest recent reports [1][2] concerning
vulnerabilities in some implementations of H.323. 
	According to Information Week [3], Paul Jones, who chairs the
ITU group that is responsible for the H.323 standard, said: some
implementations of the H.323 protocol "fail to perform proper checks
to ensure that messages are properly composed. These errors are
programming oversights, wherein a system does not check for reasonable
and proper message structures." 

	It sounds like Postel's Law was ignored here... Reading this
reminds me of one interpretation of Postel's Law that I haven't seen
emphasized enough in the discussion so far... 
	I believe that no matter how strict or liberal a system may be
in what input from another system it is willing to process or pass on,
it still must be very "liberal" in ensuring that it can accept a wide
range of invalid inputs without being damaged by those inputs. (Buffer
overflows, etc.) Thus, even the strictest, most conservative system
must first be "liberal" in accepting input before it can take the
opportunity to determine what it will reject, clean-up, or process as
received.
	What I'm getting at here is that it may be appropriate to
speak of context when interpreting "Postel's Law." i.e. The closer
your code is to a system boundary, the more important it is that you
be "liberal" in being able to handle a very wide range of inputs
potentially malformed inputs. At system interfaces, Postel's Law may
be read as absolute. But, as you move away from an interface or
boundary, your application semantics begin to take over and Postel's
Law may be read as "Postel's Advice".

		bob wyman

[1] http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
[2] http://www.cert.org/advisories/CA-2004-01.html
[3]
http://www.informationweek.com/story/showArticle.jhtml?articleID=17301
632


PURCHASE STYLUS STUDIO ONLINE TODAY!

Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Buy Stylus Studio Now

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Don't miss another message! Subscribe to this list today.
Email
First Name
Last Name
Company
Subscribe in XML format
RSS 2.0
Atom 0.3
 

Stylus Studio has published XML-DEV in RSS and ATOM formats, enabling users to easily subcribe to the list from their preferred news reader application.


Stylus Studio Sponsored Links are added links designed to provide related and additional information to the visitors of this website. they were not included by the author in the initial post. To view the content without the Sponsor Links please click here.

Site Map | Privacy Policy | Terms of Use | Trademarks
Free Stylus Studio XML Training:
W3C Member
Stylus Studio® and DataDirect XQuery ™are products from DataDirect Technologies, is a registered trademark of Progress Software Corporation, in the U.S. and other countries. © 2004-2013 All Rights Reserved.