--- Robert Sayre <[EMAIL PROTECTED]> wrote:
>
> > Here is a scenario:
> >
> > Malicious user X produces an Atom feed served with an
> > X-Atom-Error header.
> >
> > Malicious user X could change their X-Atom-Error header to point
> > to someone else's URI (it could be /their/ Error URI or it could
> > be a completely different service). Either way Malicious user
> > X then intentionally forces their Atom feed to be invalid, thus
> > causing all the subscribers to X Atom's feed to hit that
> > unrelated service.
> >
> > Am I understanding the scenario correctly?
> >
>
> Yes, and the effect of hitting that unrelated service is unknowable. The
> operation must be idempotent to be implemented responsibly.
I'll note that there isn't much difference between this scenario and
Malicious user X just issuing HTTP redirects to the unrelated service,
thus bypassing the Atom-Error header, which is less likely to be
supported than HTTP redirects anyway.
=====
THINGS TO DO IF I BECOME AN EVIL OVERLORD #222
I reserve the right to execute any henchmen who appear to be a little too intelligent,
powerful, or devious. However if I do so, I will not at some subsequent point shout
"Why am I surrounded by these incompetent fools?!"
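The thread's concern is that a feed publisher controls the X-Atom-Error URI and can point every subscriber at an endpoint whose behaviour the reader cannot know. The following is an added example written for this page, not code from the thread or from any Atom implementation: it shows one defensive policy a feed reader could apply before contacting that URI. The X-Atom-Error header name is from the thread; the same-origin rule, the GET-only rule, the function names and the sample header values are assumptions made here.

```python
# Added example; not code from the thread or from any Atom implementation.
# It shows how a feed reader could handle an X-Atom-Error header (the header
# name is from the thread) without being steered at an unrelated service.
# The same-origin rule, the GET-only rule and all function names are assumptions.
from urllib.parse import urljoin, urlparse


def origin(url: str):
    """Return (scheme, host, port) for a URL, with default ports filled in."""
    p = urlparse(url)
    default = {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, (p.hostname or "").lower(), p.port or default)


def error_uri_allowed(feed_url: str, header_value: str) -> bool:
    """True if the X-Atom-Error URI may be contacted for this feed.

    Assumed policy: resolve the value relative to the feed URL, require
    http/https, and require the same origin as the feed, so the feed
    publisher cannot aim subscribers at someone else's endpoint.
    """
    target = urljoin(feed_url, header_value.strip())
    if urlparse(target).scheme not in ("http", "https"):
        return False
    return origin(target) == origin(feed_url)


def plan_error_request(feed_url: str, header_value: str):
    """Return (method, absolute_uri) for the error fetch, or None to skip it.

    Only a safe, idempotent method (GET) is ever used, because the reader
    cannot know what the endpoint does with a request it receives.
    """
    if not error_uri_allowed(feed_url, header_value):
        return None
    return ("GET", urljoin(feed_url, header_value.strip()))


# Constructed sample: one feed and several X-Atom-Error values a reader might see.
SAMPLE_FEED = "http://feeds.example.com/x/feed.atom"
SAMPLE_HEADERS = [
    "/x/errors/42",                               # relative, same origin
    "http://feeds.example.com:80/x/errors/42",    # explicit default port
    "http://other.example.net/api/reset",         # unrelated service
    "javascript:void(0)",                         # non-HTTP scheme
]


def triage(feed_url: str = SAMPLE_FEED, headers=SAMPLE_HEADERS):
    """Map each header value to the planned request, or None when skipped."""
    return {h: plan_error_request(feed_url, h) for h in headers}


if __name__ == "__main__":
    for value, plan in triage().items():
        print(f"{value!r:45} -> {plan}")
```

Under this policy a relative or same-origin error URI is fetched with GET only, while a URI on another host or with a non-HTTP scheme is ignored; the reader thereby refuses the cross-site fetch the scenario describes, while the redirect case raised in the reply above still has to be handled by whatever redirect policy the HTTP client applies.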