Cart
[Home] [By Thread] [By Date] [Recent Entries]
Bullard, Claude L (Len) wrote, > Yes, I have but I may be missing your point. My apologies. Partly it's just "Beware!". But it's also a more specific concern about URIs as names. Where URIs are used as names there's an almost irresitable urge to attempt to dereference them. Where the target is expected to be machine processable there's a similarly irresistable urge to have software dereference them automatically ... and that's dangerous. Worse is to move from a state where URIs as names _aren't_ expected to be usefully dereferencable to one where they _are_. Suppose you upgrade your underlying XML processor from a version which doesn't grok RDDL to one which does and which unbeknownst to you defaults to retrieval. Your application hasn't changed, but all of a sudden it's making unexpected outgoing network connections in response to incoming documents. This is likely to be a surprise, potentially a very unpleasant one. > I am simply wondering how many other ways it can be exploited using > the network if the AnythingImportantIsURINamed and Smart People > Prepend HTTP philosophy is followed without understanding that these > things are always/whereevertheyarefound dereferenceable. As many ways as applications can have bugs and security holes ... IOW innumerable. Cheers, Miles
|
