From: "Miles Sabin" <miles@m...>
> Rick Jelliffe wrote,
> > It strikes me that this puts the cart before the horse. The answer
> > is not to ban external entities, it is to allow access control lists
> > as part of entity managers or URL resolvers.
>
> Sure, but isn't that tantamount to agreeing with,
>
> Suggested fix:
> Most XML parsers allow their user to explicitly specify external
> entity handler. In case of untrusted XML input it is best to prohibit
> all external general entities.
>
> because your ACL will effectively be whitelisting your *trusted*
> sources.

??? "It is best to prohibit" is not the same thing as "allow access control lists". The former bans a useful feature. The latter shows how the feature can be made safe.

No-one would say "Because http: allows access to any file, we should ban http:"; instead, we provide access control on our servers to limit access to what we want to publish. I cannot see why it is any different for external entities or other links.

Cheers
Rick Jelliffe
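The two positions in the exchange above, side by side in working code. This is an added example, not code from the thread or from either poster: it uses Python's xml.sax, whose external general entity feature is the "prohibit" switch, and plugs in a hypothetical EntityResolver that acts as the access control list Rick Jelliffe describes. The ACL here is an assumed one-directory allowlist for file: URIs (a real deployment would choose its own policy); the entity file, the file that must not leak, and the three hostile-or-benign documents are all constructed inline, so it runs offline.

```python
"""Added example: an access-controlled entity resolver for xml.sax.

Not code from the thread. The ACL is a hypothetical one-directory allowlist
for file: URIs; the "prohibit" option (external general entities switched
off) and the "ACL" option are exercised on constructed inputs.
"""
import io
import os
import tempfile
import xml.sax
from urllib.parse import unquote, urljoin, urlsplit
from urllib.request import pathname2url
from xml.sax import handler, xmlreader


class EntityDenied(xml.sax.SAXException):
    """Raised for an external entity the access-control list refuses."""


class AllowlistResolver(handler.EntityResolver):
    """EntityResolver that serves only file: entities below one directory.

    Every decision is appended to `audit` as (resolved_system_id, verdict),
    so the caller can see exactly which fetches were attempted and refused.
    """

    def __init__(self, allowed_dir, base_url, audit):
        self.allowed_dir = os.path.realpath(allowed_dir)
        self.base_url = base_url  # base for relative system identifiers
        self.audit = audit

    def resolveEntity(self, publicId, systemId):
        # Resolve relative identifiers first, so "../x" is judged by where
        # it actually points, not by how it was written in the DTD.
        resolved = urljoin(self.base_url, systemId)
        parts = urlsplit(resolved)
        if parts.scheme != "file":
            self.audit.append((resolved, "denied: scheme"))
            raise EntityDenied("scheme not permitted: " + resolved)
        # realpath() collapses ".." and symlinks before the directory check.
        path = os.path.realpath(unquote(parts.path))
        if os.path.commonpath([self.allowed_dir, path]) != self.allowed_dir:
            self.audit.append((resolved, "denied: outside allowlist"))
            raise EntityDenied("outside allowed directory: " + resolved)
        self.audit.append((resolved, "allowed"))
        source = xmlreader.InputSource(resolved)
        with open(path, "rb") as f:  # opened only after the check passed
            source.setByteStream(io.BytesIO(f.read()))
        return source


class TextCollector(handler.ContentHandler):
    """Collects character data so entity expansion can be observed."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_document(xml_bytes, allowed_dir, base_url, audit, allow_external):
    """Return the document's text. allow_external=False is the "prohibit"
    option: the resolver is never consulted and the entity expands to nothing.
    With allow_external=True the AllowlistResolver decides each reference."""
    collector = TextCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, allow_external)
    parser.setEntityResolver(AllowlistResolver(allowed_dir, base_url, audit))
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def demo():
    """Constructed inputs: one permitted entity file next to a file the
    document must never be able to read. Returns {case: (text, verdict)}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        allowed = os.path.join(tmp, "entities")
        os.mkdir(allowed)
        with open(os.path.join(allowed, "ok.txt"), "w") as f:
            f.write("from allowed dir")
        with open(os.path.join(tmp, "secret.txt"), "w") as f:
            f.write("MUST NOT LEAK")
        base_url = "file://" + pathname2url(allowed) + "/"

        def attempt(system_id, allow_external=True):
            doc = ('<!DOCTYPE doc [<!ENTITY ext SYSTEM "%s">]>'
                   '<doc>&ext;</doc>' % system_id).encode()
            audit = []
            try:
                text = parse_document(doc, allowed, base_url, audit,
                                      allow_external)
            except EntityDenied:
                text = None
            verdict = audit[-1][1] if audit else "not resolved"
            return text, verdict

        results["allowed"] = attempt("ok.txt")
        results["traversal"] = attempt("../secret.txt")
        results["remote"] = attempt("http://attacker.example/collect")
        results["banned"] = attempt("ok.txt", allow_external=False)
    return results


if __name__ == "__main__":
    for case, (text, verdict) in demo().items():
        print("%-10s %-26s %r" % (case, verdict, text))
```

The "banned" case is the parser's default in current Python (external general entities off): the reference expands to nothing and the resolver never runs, which is the "prohibit" fix. The other three cases are the ACL: the allowlisted file is expanded, the traversal and the remote URL are refused before anything is opened, and the audit list records the decision either way. The point worth checking in any real resolver is the order of operations here: resolve relative references against the base, normalise the path, compare, and only then open.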