

> > If that's so, although it's perfectly conformant, it seems like a fairly
> > major potential security/robustness hole.  Suppose an application is trying
> > to use validation to protect itself from bad input. It carefully loads the
> > schema cache with the namespaces it knows about, and calls validate().  Now
> > the bad guy comes along and uses a root element from some other namespace
> > and uses xsi:schemaLocation to point to his own schema that has a
> > declaration for that element and uses <xs:any namespace="##any"
> > processContents="skip"/>.  Won't they just have almost completely
> > undermined any protection that was supposed to come from validation?
> 
> That is an interesting theoretical attack which I don't think anything
> in the W3C XML Schema recommendation prevents. You bring up a good point
> which I'll have to discuss with our resident W3C XML Schema folks when
> they get in on Monday. 
>  

Xerces follows the same approach as MS. Quoting from
http://xml.apache.org/xerces2-j/properties.html for general
property http://apache.org/xml/properties/schema/external-schemaLocation,

"This property allows the user to specify a list of schemas to use. If the 
targetNamespace of a schema (specified using this property) matches the 
targetNamespace of a schema occurring in the instance document in 
schemaLocation attribute, or if the targetNamespace matches the namespace 
attribute of <import> element, the schema specified by the user using this 
property will be used (i.e., the schemaLocation attribute in the instance 
document or on the <import> element will be effectively ignored)."

It would appear to be susceptible to the same attack as described above.

Regards
Michael
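
An application-side check for the case discussed in this thread, as an added example that is not part of the original messages or of Xerces: before calling validate(), reject a document whose root element is outside the preloaded namespaces and report xsi:schemaLocation hints for any other namespace. The namespace URIs, sample documents and function names are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Assumption: the namespaces the application preloaded into its schema cache.
TRUSTED_NAMESPACES = frozenset({"urn:example:orders"})

def split_qname(tag):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag

def schema_hints(elem):
    """Return (namespace, location) pairs from xsi:schemaLocation on elem."""
    tokens = elem.get(f"{{{XSI}}}schemaLocation", "").split()
    return list(zip(tokens[0::2], tokens[1::2]))

def precheck(xml_text, trusted=TRUSTED_NAMESPACES):
    """Return the reasons to reject xml_text before it reaches validate()."""
    root = ET.fromstring(xml_text)
    problems = []
    ns, local = split_qname(root.tag)
    if ns not in trusted:
        problems.append(f"root element {local!r} is in untrusted namespace {ns!r}")
    for elem in root.iter():
        # A hint for a trusted namespace is harmless when the cached schema
        # takes precedence; a hint for any other namespace is the problem case.
        for hint_ns, location in schema_hints(elem):
            if hint_ns not in trusted:
                problems.append(f"schema hint for {hint_ns!r} -> {location!r}")
        no_ns = elem.get(f"{{{XSI}}}noNamespaceSchemaLocation")
        if no_ns is not None and "" not in trusted:
            problems.append(f"no-namespace schema hint -> {no_ns!r}")
    return problems

# Constructed sample documents.
GOOD = '<o:order xmlns:o="urn:example:orders"><o:item>1</o:item></o:order>'
HOSTILE = (
    '<x:anything xmlns:x="urn:attacker" xmlns:xsi="' + XSI + '" '
    'xsi:schemaLocation="urn:attacker http://attacker.example/loose.xsd">'
    "<payload/></x:anything>"
)

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("HOSTILE", HOSTILE)):
        print(name, precheck(doc) or "ok")
```

A document that passes this check still has to be validated against the cached schemas; the check only ensures the root declaration comes from a schema the application chose.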




