Andrew Lentvorski wrote:
Gabriel Sechan wrote:
As a fun exercise, inject a NUL character into *anything* going
into C. Oops. Security hole.
Not at all. C code can handle NULLs just fine. However, if it
expects text data it may truncate your string to the first NULL. But
there is no security hole here. And again, nothing to do with XML.
Or, better yet, the number of programs that still have hard-coded
string and buffer lengths. Oops. Stack smash.
Bigger problem. But still nothing to do with XML.
Indirectly, it does. Since XML uses the Unicode string of your
programming language, you normally wind up using strings that don't
suffer from the previous problems.
Actually, a lot of those XML solutions use UTF-8 (sometimes exclusively),
and therefore still suffer when confronted with embedded null bytes.
Even the ones that don't use UTF-8 are often still victimized by
embedded \u0000 characters.
And there's damn good reasons for those binary formats: speed of
parsing, storage space, etc.
Rarely.
A "custom format" is almost *always* worse than one of the standards.
XML for text or mixed, ASN.1 for on the wire, and one of the
government standards for *BIG* amounts of mathematical data.
In what way better? Certainly BER has been criticised pretty widely for
its shortcomings, and CER, DER, and PER are better in somewhat marginal
ways, and of course if you use XER you get all the shortcomings of XML...
Instead of having to waste time reverse engineering the format, XML
puts the format directly in front of the humans. Yes, normally you
use the machine; however, when you *need* to look at it by eye, you
*can*.
I can read binary or non-XML text quite well. Just give me the format.
Uh-uh-uh. The vendor won't give you the format. Think Microsoft and
Word. It's not the XML portions of Microsoft's new format that
everybody is trying to get at.
Actually, people are very much trying to get at the XML portions, and
are finding it's just as difficult to make sense of as the binary formats.
--Chris
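The point argued above, that length-delimited XML/UTF-8 text can carry an embedded U+0000 that NUL-terminated C APIs silently truncate at, is illustrated by this added example (not code from anyone in the thread). The constructed sample bytes, the helper names and the "reject before converting" policy are all assumptions of the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample: a decoded text node whose 6th byte is U+0000. A
 * length-aware parser sees 9 bytes; strlen()-style code sees only 5. */
static const unsigned char kSample[] = {'v','a','l','u','e',0,'x','y','z'};
static const size_t kSampleLen = sizeof kSample;
/* Constructed clean sample with no embedded NUL. */
static const unsigned char kClean[] = {'v','a','l','u','e'};
static const size_t kCleanLen = sizeof kClean;

/* 1 if the length-delimited buffer contains an embedded NUL, else 0. */
int has_embedded_nul(const unsigned char *buf, size_t len) {
    return memchr(buf, '\0', len) != NULL;
}

/* How many bytes a NUL-terminated C API would actually process: this is
 * the length mismatch that turns one logical value into two. */
size_t c_visible_length(const unsigned char *buf, size_t len) {
    const unsigned char *p = memchr(buf, '\0', len);
    return p ? (size_t)(p - buf) : len;
}

/* Convert to a C string only when the buffer is NUL-free and fits dst
 * (with room for the terminator). Returns 0 on success, -1 on rejection,
 * so callers fail closed instead of acting on a truncated value. */
int copy_as_cstring(char *dst, size_t dstsz, const unsigned char *src, size_t len) {
    if (dstsz == 0 || len >= dstsz || has_embedded_nul(src, len))
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* 1 if the buffer converts and the C string still covers every byte. */
int roundtrip_ok(const unsigned char *src, size_t len) {
    char out[64];
    if (copy_as_cstring(out, sizeof out, src, len) != 0)
        return 0;
    return strlen(out) == len;
}
```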