RE: Postel's law, exceptions
I read with interest recent reports [1][2] concerning vulnerabilities in some implementations of H.323. According to Information Week [3], Paul Jones, who chairs the ITU group that is responsible for the H.323 standard, said: some implementations of the H.323 protocol "fail to perform proper checks to ensure that messages are properly composed. These errors are programming oversights, wherein a system does not check for reasonable and proper message structures." It sounds like Postel's Law was ignored here...

Reading this reminds me of one interpretation of Postel's Law that I haven't seen emphasized enough in the discussion so far...

I believe that no matter how strict or liberal a system may be in what input from another system it is willing to process or pass on, it still must be very "liberal" in ensuring that it can accept a wide range of invalid inputs without being damaged by those inputs. (Buffer overflows, etc.) Thus, even the strictest, most conservative system must first be "liberal" in accepting input before it can take the opportunity to determine what it will reject, clean up, or process as received.

What I'm getting at here is that it may be appropriate to speak of context when interpreting "Postel's Law." i.e. The closer your code is to a system boundary, the more important it is that you be "liberal" in being able to handle a very wide range of potentially malformed inputs. At system interfaces, Postel's Law may be read as absolute. But, as you move away from an interface or boundary, your application semantics begin to take over and Postel's Law may be read as "Postel's Advice".

bob wyman

[1] http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
[2] http://www.cert.org/advisories/CA-2004-01.html
[3] http://www.informationweek.com/story/showArticle.jhtml?articleID=17301632
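
The distinction drawn in the message above, between surviving any input and deciding what to accept, is shown here as an added example that is not part of the original message. The type/length/value wire format, the `parse_field` function and its limits are assumptions constructed for illustration; this is not the H.323 encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed wire format (an assumption for this example, not H.323):
 *   1 byte type | 2 bytes big-endian length | `length` bytes of value  */
enum parse_result { PARSE_OK = 0, PARSE_TRUNCATED, PARSE_TOO_LARGE, PARSE_BAD_TYPE };

#define MAX_VALUE 64          /* application limit on a single value */
#define TYPE_NAME 0x01        /* the only type this receiver understands */

struct field {
    uint8_t type;
    size_t  len;
    uint8_t value[MAX_VALUE];
};

/* Boundary layer: must survive any byte string, however malformed.
 * Every read is checked against `inlen` before it happens, and the copy
 * is checked against the destination size, so no input can cause an
 * out-of-bounds read or write. Rejection is a return code, not a crash. */
enum parse_result parse_field(const uint8_t *in, size_t inlen, struct field *out)
{
    if (in == NULL || out == NULL || inlen < 3)
        return PARSE_TRUNCATED;              /* header itself is incomplete */

    size_t claimed = ((size_t)in[1] << 8) | in[2];

    if (claimed > inlen - 3)
        return PARSE_TRUNCATED;              /* length field lies about the data */
    if (claimed > MAX_VALUE)
        return PARSE_TOO_LARGE;              /* would overflow out->value */

    /* Only now, with memory safety established, apply the strict policy. */
    if (in[0] != TYPE_NAME)
        return PARSE_BAD_TYPE;

    out->type = in[0];
    out->len = claimed;
    memcpy(out->value, in + 3, claimed);
    return PARSE_OK;
}
```

The first three checks are the part that is absolute at an interface; the type check after them is where application policy can be as strict or as lenient as the receiver chooses.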