On 1/19/22, 10:39 AM, "BEEK Graham" <graham.b...@capgemini.com> wrote:

>    This bug was raised 2 and a bit years ago and would seem quite important 
> at first glance, but there has been
> no activity. Would someone be able to confirm whether it is as important as 
> it sounds and whether a patch is
> available or even where the check mentioned is located?

It's "important" in the sense that if I felt the code had a future I would have 
spent time on it, but my time is being spent getting off this code so that I'm 
no longer exposed to it. (That's much more because of Xerces' moribund state 
than Santuario's.) There is no patch and no feature releases expected that 
could add it.

There are no other committers left on this code base and once I no longer use 
it, I will not be maintaining it any further. Whether anyone else chooses to I 
cannot say. Nothing is stopping them now. 

As a practical matter, the bug itself is not directly a security bug, it's just 
a design decision that leaves the code more vulnerable to creative attacks that 
have not been disclosed or even invented (I hope the latter of course). 
Processing XML grammars used for protocols non-strictly is not a feature, and 
JSON approaches make the same mistake because people think flexibility is more 
important. Postel's Law is not only not a law, it's not even a good idea when 
it comes to security specs.

-- Scott
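As an added illustration of the point made in the reply above (this is not code from the thread, from Santuario or from any real specification): the contrast between a lenient consumer that pulls the first matching element from anywhere in a protocol message and a strict consumer that checks the message against an explicit grammar before reading it. The namespace `urn:example:proto`, the `Assertion`/`Subject`/`Conditions` grammar and the two messages are all constructed for the example.

```python
"""Strict vs. lenient handling of a protocol XML message (added example).

The grammar, namespace and messages below are constructed for illustration;
they do not come from any real specification or from Santuario.
"""
import xml.etree.ElementTree as ET

NS = "urn:example:proto"  # assumed namespace for the constructed grammar


def q(local):
    """Clark-notation tag name as used by ElementTree."""
    return f"{{{NS}}}{local}"


# Assumed grammar: element -> (ordered list of required children, allowed attributes).
# Anything not listed here is, by definition, not part of the protocol.
GRAMMAR = {
    q("Assertion"): ([q("Subject"), q("Conditions")], {"ID", "IssueInstant"}),
    q("Subject"): ([], set()),
    q("Conditions"): ([], {"NotBefore", "NotOnOrAfter"}),
}


class GrammarError(ValueError):
    """Raised when a message does not match GRAMMAR exactly."""


def check_strict(elem):
    """Reject unknown elements, unknown attributes, and any deviation in
    the number or order of children. Recurses over the whole tree."""
    if elem.tag not in GRAMMAR:
        raise GrammarError(f"unexpected element {elem.tag}")
    required_children, allowed_attrs = GRAMMAR[elem.tag]
    extra_attrs = set(elem.attrib) - allowed_attrs
    if extra_attrs:
        raise GrammarError(f"unexpected attribute(s) on {elem.tag}: {sorted(extra_attrs)}")
    got_children = [child.tag for child in elem]
    if got_children != required_children:
        raise GrammarError(f"children of {elem.tag} are {got_children}, expected {required_children}")
    for child in elem:
        check_strict(child)


def subject_lenient(xml_text):
    """Postel-style consumer: take the first Subject found anywhere in the
    document and ignore everything else. Extra elements are silently tolerated."""
    root = ET.fromstring(xml_text)
    return root.find(f".//{q('Subject')}").text


def subject_strict(xml_text):
    """Strict consumer: validate the whole message against GRAMMAR first,
    then read Subject from its one permitted position."""
    root = ET.fromstring(xml_text)
    check_strict(root)
    return root.find(q("Subject")).text


def strict_rejects(xml_text):
    """True if the strict consumer refuses the message."""
    try:
        subject_strict(xml_text)
    except GrammarError:
        return True
    return False


# Constructed sample messages.
GOOD = (
    f'<Assertion xmlns="{NS}" ID="a1" IssueInstant="2022-01-19T10:39:00Z">'
    "<Subject>alice</Subject>"
    '<Conditions NotBefore="2022-01-19T10:00:00Z" NotOnOrAfter="2022-01-19T11:00:00Z"/>'
    "</Assertion>"
)

# Same message with an extra, unspecified <Extensions> wrapper inserted ahead of
# the real Subject. A lenient ".//Subject" lookup picks up the smuggled value.
SMUGGLED = (
    f'<Assertion xmlns="{NS}" ID="a1" IssueInstant="2022-01-19T10:39:00Z">'
    "<Extensions><Subject>admin</Subject></Extensions>"
    "<Subject>alice</Subject>"
    '<Conditions NotBefore="2022-01-19T10:00:00Z" NotOnOrAfter="2022-01-19T11:00:00Z"/>'
    "</Assertion>"
)

if __name__ == "__main__":
    print("lenient, good:    ", subject_lenient(GOOD))
    print("lenient, smuggled:", subject_lenient(SMUGGLED))
    print("strict, good:     ", subject_strict(GOOD))
    print("strict, smuggled: ", "rejected" if strict_rejects(SMUGGLED) else "accepted")
```

The strict checker deliberately encodes cardinality and order as well as names: an attacker who cannot add an element, an attribute, or a second copy of an existing element has very little room to be "creative", which is the property the reply above is arguing for. A real deployment would express the same constraints as an XML Schema and reject the message before any signature or assertion logic runs; the hand-written grammar here only keeps the example self-contained.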
 
