• To: <xml-dev@l...>
• Subject: Re: Seen on BugTraq: XXE (Xml eXternal Entity) attack
• From: "Rick Jelliffe" <ricko@a...>
• Date: Wed, 30 Oct 2002 23:21:41 +1100
• References: <200210300905.44376.miles@m...> <200210301017.21556.miles@m...> <020201c28008$9fc35eb0$4bc8a8c0@A...> <200210301147.40621.miles@m...>

From: "Miles Sabin" <miles@m...>

 > Read it carefully: "In case of *untrusted* XML input it is best ...". 
> The qualifier is important.
> 
> To all intents and purposes a list which specifies trusted sources is an 
> ACL.

Miles' ACLs say "These document are trusted, so they can access any entities".
It is a list (simplification) of documents that can make references.

My ACLs say "These entities can be accessed by any document".
It is a list (simplification) of documents that can be referred to, enforced
by a parser's entity manager.

Not the same thing at all, though certainly there may be scope for both.
I don't see how Miles' ACLs prevent the attacks suggested.  (But I don't
deny that different levels of security are appropriate for different levels
of danger!)

Cheers
Rick Jelliffe

• Follow-Ups:
  • Re: Seen on BugTraq: XXE (Xml eXternal Entity) attack
    • From: Miles Sabin <miles@m...>

• References:
  • Seen on BugTraq: XXE (Xml eXternal Entity) attack
    • From: Miles Sabin <miles@m...>
  • Re: Seen on BugTraq: XXE (Xml eXternal Entity) attack
    • From: Miles Sabin <miles@m...>
  • Re: Seen on BugTraq: XXE (Xml eXternal Entity) attack
    • From: "Rick Jelliffe" <ricko@a...>
  • Re: Seen on BugTraq: XXE (Xml eXternal Entity) attack
    • From: Miles Sabin <miles@m...>

• Prev by Date: Re: Internationalising Regular Expressions
• Next by Date: Re: What is "semantic markup"?
• Previous by thread: Re: Seen on BugTraq: XXE (Xml eXternal Entity) attack
• Next by thread: Re: Seen on BugTraq: XXE (Xml eXternal Entity) attack
• Index(es):
  • Date
  • Thread