
Re: IETF XML Guidelines Approved and Updated



Hollenbeck, Scott wrote,
> Marshall, Larry, and I recently received word that the IESG has
> approved our XML guidelines Internet-Draft with two needed additions:
>
> (1) "Experience has shown that code that parses network traffic is
> often a "soft target" for blackhats. Accordingly, implementors MUST
> take great care to ensure that their XML handling code is robust with
> respect to malformed XML, buffer overruns, and so on."

Agreed on this, but with one proviso.

The standard slogan "validate all untrusted input" might be misconstrued 
in this case to mean "validate" in the sense of the XML REC. That's 
fine in some circumstances, but in others might do more harm than good.

The issue is that many off-the-shelf XML parsers will by default attempt 
to retrieve external entities when validating. These will be referred 
to via URIs provided by the untrusted document itself, so an unwary 
recipient XML processor could be fooled into making an unsafe network 
connection in the very act of attempting to protect itself from 
malicious input.

Some scenarios were reported to BugTraq recently,

http://online.securityfocus.com/archive/1/297714/2002-10-26/2002-11-01/0

and I provided links to related discussion on xml-dev and elsewhere in a 
followup mail,

http://online.securityfocus.com/archive/1/297846/2002-10-26/2002-11-01/0

Cheers,


Miles
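
The concern raised in this message, as an added example that is not part of the original mail: a pre-flight check using Python's standard-library expat binding (a non-validating parser) that lists the URIs an untrusted document asks a parser to fetch, without opening any connection. The function names and sample documents are constructed for this illustration.

```python
import xml.parsers.expat as expat


class ExternalReferenceError(ValueError):
    """The document asks the parser to fetch something from outside itself."""


def external_references(data: bytes) -> list:
    """Return every system identifier (URI) declared by the document.

    expat never opens a connection on its own; with no
    ExternalEntityRefHandler installed, external references are skipped.
    """
    found = []
    parser = expat.ParserCreate()
    # Do not process external parameter entities or the external DTD subset.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None:          # <!DOCTYPE doc SYSTEM "...">
            found.append(system_id)

    def on_entity_decl(name, is_param, value, base, system_id, public_id,
                       notation):
        if system_id is not None:          # <!ENTITY x SYSTEM "...">
            found.append(system_id)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)  # raises expat.ExpatError on malformed XML
    return found


def check_untrusted(data: bytes) -> None:
    """Accept only well-formed documents that reference nothing external."""
    refs = external_references(data)
    if refs:
        raise ExternalReferenceError("external references refused: %r" % refs)


# Constructed sample documents (example.invalid never resolves).
EXTERNAL_DTD = b'<!DOCTYPE doc SYSTEM "http://example.invalid/doc.dtd"><doc/>'
EXTERNAL_ENTITY = (b'<!DOCTYPE doc [<!ENTITY ext SYSTEM '
                   b'"http://example.invalid/payload.xml">]><doc>&ext;</doc>')
PLAIN = b"<doc>hello</doc>"
```

Malformed input still fails closed, because `Parse` raises `ExpatError` before the check returns.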