Re: PaceSecurityConsiderations
The Pace has been updated with changes reflecting feedback from Elliotte
and Thomas.
- James
Elliotte Harold wrote:
> James M Snell wrote:
>
>> 14.4 XML External Entities and Links within Atom document
>>
>> Atom Feed and Entry documents MAY utilize XML External Entities as
>> defined in section 4.2.2 of [REC-XML]. However, because the Atom
>> Syndication Format does not require DTD validation, Atom implementations
>> are not required to support external entities. Implementations that
>> choose to support external entities within Atom documents need to be
>> aware of the risks inherent in doing so. Specifically, external
>> entities are subject to all of the same security concerns as HTTP GET
>> operations and run the risk of significantly altering the semantics of
>> the Atom document.
>>
>
> The sentence, "However, because the Atom Syndication Format does not
> require DTD validation, Atom implementations are not required to support
> external entities." is not a correct logical inference.
>
> I suggest simply, "Atom implementations are not required to load
> external entities. However, implementations that do choose..."
>
>
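As an added illustration of the point under discussion (not code from the thread or from any Atom implementation): a Python check that refuses to parse an Atom document whose DOCTYPE would oblige a DTD-aware parser to fetch something, which is the simplest way for an implementation that chooses not to load external entities to stay on the safe side. The feed contents and the example.invalid URI are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

ATOM_NS = "{http://www.w3.org/2005/Atom}"
# A DOCTYPE with an optional internal subset in square brackets.
_DOCTYPE = re.compile(r"<!DOCTYPE\b(?P<decl>.*?)(?:\[(?P<subset>.*?)\])?\s*>", re.DOTALL)
# "<!DOCTYPE name SYSTEM/PUBLIC ...": the DTD itself must be fetched from a URI.
_EXTERNAL_DOCTYPE = re.compile(r"^\s*\S+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
# Entity declarations (general or parameter) inside the internal subset.
_ENTITY_DECL = re.compile(r"<!ENTITY\s+(?:%\s*)?(?P<name>[^\s>]+)\s+(?P<body>[^>]*)>",
                          re.IGNORECASE)
# An external identifier opening an entity body: the replacement text is remote.
_EXTERNAL_ID = re.compile(r"^\s*(SYSTEM|PUBLIC)\b", re.IGNORECASE)

def external_references(xml_text):
    """Return what a DTD-aware parser would fetch for this document: [] when it is
    self-contained, else "external DTD subset" and/or "entity NAME" markers."""
    m = _DOCTYPE.search(xml_text)
    if m is None:
        return []
    found = []
    if _EXTERNAL_DOCTYPE.match(m.group("decl")):
        found.append("external DTD subset")
    for ent in _ENTITY_DECL.finditer(m.group("subset") or ""):
        if _EXTERNAL_ID.match(ent.group("body")):
            found.append("entity " + ent.group("name"))
    return found

def parse_atom_titles(xml_text):
    """Parse an Atom document only if it is self-contained; return its <title> texts."""
    refs = external_references(xml_text)
    if refs:
        raise ValueError("refusing Atom document with external references: " + ", ".join(refs))
    root = ET.fromstring(xml_text)
    return [t.text for t in root.iter(ATOM_NS + "title")]

# Constructed sample: a plain Atom feed with no DOCTYPE at all.
SAFE_FEED = """<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Example Feed</title>
  <entry><title>First post</title></entry>
</feed>"""
# Constructed sample: the DOCTYPE binds an entity to a URI, so a parser that
# honours it would perform a GET simply by expanding &remote; in the title.
UNSAFE_FEED = """<?xml version="1.0"?>
<!DOCTYPE feed [ <!ENTITY remote SYSTEM "http://example.invalid/resource"> ]>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>&remote;</title>
</feed>"""
```

The check runs on the raw text before any XML parsing, so it also catches a DOCTYPE that only points at an external DTD subset, where the entity declarations would live out of sight.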