Re: Security: Atom injection attacks



It puts the burden on applications of APP to communicate what is
required.  APP itself is a very generic protocol.  Thus far in just the
range of stuff we're doing, we've seen uses of it for editing weblogs,
managing calendars, discussion forums, wikis, document libraries,
podcasts, bookmark collections, contacts, xml document repositories,
collection management, user management, etc.  The only thing that has
remained constant across all of the various types of applications is
that every application tends to make different assumptions about what is
required and what is not; about what of the many options the Atom syntax
allows will be supported and which ones will not.  I gave up a long time
ago trying to make the APP spec prescriptive for all the various ways it
could be used.  For now, we need to allow specific implementations to
define their own specific behaviors and requirements and allow clients
to adapt to those as necessary.  In the future, if best practices
emerge, the folks who care the most can get together and put together a
BCP for APP.  Until then, let's do the minimum we need to get functional
implementations out there and then get out of the way.

- James

Elliotte Harold wrote:
> [snip]
> This seems to be the attitude of the spec. Given how little people are
> willing to promise about server behavior, I don't see how a generic
> client can assume very much at all.
>