Re: Security: Atom injection attacks
Elliotte Harold wrote:
> Perhaps I'm not phrasing it right, or perhaps there's just genuine
> disagreement. Some people have pointed out that there are systems in
> which such injection is not a concern, because the Atom content is never
> treated as code. That's fine, and that's what I'm trying to say with "as
> necessary". What I want here is really a conditional SHOULD.
Unless the wording is very careful, the combination of constraints and
expectations could be interpreted so that the client cannot be held
responsible for the consequences of a PUT.
- You blew up my server!
- You should have checked your inputs, per the spec.
- How could I know to check for *that*!
- That's not my problem, per the spec. I'm just a client.
It's like a nightmare webarch, where the client has no responsibility
for any method side effect, not just GET.
> However, I also gather that some people do not feel it is the purpose of
> the APP spec to mandate security practices that are necessary. That I
> simply disagree with. Code injection has been too serious a real world
> problem with the frameworks people will use to build APP servers to make
> me comfortable with anything less strong.
If you say too much, you risk letting people off the hook. Security
demands eternal vigilance; a baked-in checklist is very possibly
over-specific to a point in time.
cheers
Bill