Re: Seen on BugTraq: XXE (Xml eXternal Entity) attack

Cart

XML Editor - Download a Free Trial >

See What's New >

Buy Now >

[Home] [By Thread] [By Date] [Recent Entries]

To: xml-dev@l...
Subject: Re: Seen on BugTraq: XXE (Xml eXternal Entity) attack
From: Miles Sabin <miles@m...>
Date: Wed, 30 Oct 2002 11:47:40 +0000
In-reply-to: <020201c28008$9fc35eb0$4bc8a8c0@A...>
References: <200210300905.44376.miles@m...> <200210301017.21556.miles@m...> <020201c28008$9fc35eb0$4bc8a8c0@A...>

Rick Jelliffe wrote,
> > Sure, but isn't that tantamount to agreeing with,
> >
> >   Suggested fix:
> >    Most XML parsers allow their user to explicitly specify external
> >    entity handler. In case of untrusted XML input it is best to
> >    prohibit all external general entities.
> >
> > because your ACL will effectively be whitelisting your *trusted*
> > sources.
>
> ???  "It is best to prohibit" is not the same thing as "allow access
> control lists".

Read it carefully: "In case of *untrusted* XML input it is best ...". 
The qualifier is important.

To all intents and purposes a list which specifies trusted sources is an 
ACL.

Cheers,


Miles

Follow-Ups:
- Re: Seen on BugTraq: XXE (Xml eXternal Entity) attack
  - From: "Rick Jelliffe" <ricko@a...>

References:
- Seen on BugTraq: XXE (Xml eXternal Entity) attack
  - From: Miles Sabin <miles@m...>
- Re: Seen on BugTraq: XXE (Xml eXternal Entity) attack
  - From: Miles Sabin <miles@m...>
- Re: Seen on BugTraq: XXE (Xml eXternal Entity) attack
  - From: "Rick Jelliffe" <ricko@a...>

Prev by Date: Re: Seen on BugTraq: XXE (Xml eXternal Entity) attack
Next by Date: Re: Relative URLs using the file scheme?
Previous by thread: Re: Seen on BugTraq: XXE (Xml eXternal Entity) attack
Next by thread: Re: Seen on BugTraq: XXE (Xml eXternal Entity) attack
Index(es):
- Date
- Thread

XML Editor - Download a 15 Day Free Trial Now >

See What's New in Stylus Studio >

Buy Stylus Studio - XML Editor - Now >