

Paul Prescod wrote,
> Miles Sabin wrote:
> > Apparently not ...
> >
> >   http://www.kb.cert.org/vuls/id/210148
>
> Interesting.
>
> But note that there is a difference between downloading URIs and
> dereferencing them. Dare was talking about dereferencing and piping
> to less. The data never touches the file system (under any name).

In this case that's probably true ... in fact, I think the vulnerability 
only affects multiple gets, where the client first retrieves then 
blindly trusts a list of names from the server.

But my point still stands. It isn't just clients executing retrieved 
"active" content that represents a risk: flaws in the client's 
implementation of the base protocol can be just as dangerous. Even tho' 
_this_particular_ wget vulnerability probably wouldn't be tripped in 
the kind of scenarios that Tim was talking about, it's only a whisker 
away from something that _would_ be dangerous.

So how much do you trust the implementations of the network clients you 
use? Do you trust them enough to have a process feed them arbitrary 
URIs for dereferencing while left unattended?

Cheers,


Miles
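One defensive check against the class of problem described above, a client blindly trusting a server-supplied list of names, as an added example that is not part of the original thread. It assumes the danger is a name that resolves outside the intended download directory; the function names and the sample listing are constructed for illustration.

```python
# Added example (not from the original post): a download client should not
# write to whatever file name a server hands it. This checks that each
# server-supplied relative name resolves inside the chosen download directory.
# Assumption: the risk being guarded against is a name that escapes that
# directory (via "..", an absolute path, or a symlink inside the tree).
import os
import posixpath
from typing import Optional

def safe_target(download_dir: str, server_name: str) -> Optional[str]:
    """Return an absolute path under download_dir for server_name, or None
    if the name would land outside it (or is otherwise unusable)."""
    if not server_name or "\x00" in server_name:
        return None
    # Names arrive in URL/FTP form: normalise with POSIX rules first, then
    # reject anything absolute or still climbing upward after normalisation.
    name = posixpath.normpath(server_name.replace("\\", "/"))
    if name.startswith("/") or name == ".." or name.startswith("../"):
        return None
    root = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(root, *name.split("/")))
    # Final check on the resolved path: a symlink already present inside
    # download_dir could otherwise redirect the write elsewhere. Equality
    # with root (an empty or "." name) is rejected as well.
    if not target.startswith(root + os.sep):
        return None
    return target

def filter_listing(download_dir: str, names: list) -> dict:
    """Split a server-supplied listing into accepted targets and rejected names."""
    accepted, rejected = {}, []
    for n in names:
        t = safe_target(download_dir, n)
        if t is None:
            rejected.append(n)
        else:
            accepted[n] = t
    return {"accepted": accepted, "rejected": rejected}

if __name__ == "__main__":
    # Constructed listing resembling what a recursive fetch might be handed.
    listing = ["docs/index.html", "../../.bashrc", "/etc/passwd",
               "a/../b.txt", "sub/../../x"]
    print(filter_listing("/tmp/mirror", listing))
```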
