> On May 13, 2018, at 11:42 PM, Neil Van Dyke <n...@neilvandyke.org> wrote: > > John, thank you for your past&present work on the SXML stuff. Two comments: > >> enforcing the “file://“ prefix. > > Sounds like the following doesn't matter in this case, but another way to > support both a given URL or given filename is to resolve the given value as a > possibly relative URL, against a base URL that's a "file:" scheme URL for the > current working directory.
I’m not sure what you’re proposing here; the (now current) code simply strips off the “file://“ prefix and uses (IIRC) `file-exists?`. IIUC, that would support relative file urls. Is that what you’re proposing, or is that something different? > >> I’ve made a change that appears to allow the use of “file://“ URIs with >> sxml:document, > > As soon as tools get into accessing resources via URLs from the XML (which I > don't think is what you're doing, but it might be the next step for someone), > it should be documented that there's a need for access control. > > For example, imagine an application in which user-supplied XML specifies a > (purported) schema with a "file:" or "http:" URL to some resource to which > user doesn't have access, but the XML processor does. If the application (or > XML library it uses) attempts to access that URL too trustingly, then the > user maybe be able to cause some privileged side-effect (e.g., manipulate a > database, or control an IoT device), or learn some or all of the content at a > URL (via, e.g., a too-detailed error message), or learn something about the > system (e.g., something more about its location/operator/implementation, if > it makes an outgoing request to a server user can monitor). I’ll be honest: I don’t think that the current system can resolve any http references (in fact, I see code that handles that which is commented out), and I also think that it’s not designed to resolve remote schemas, but I’d love to have a more detailed example, if you have one handy. Honestly, I don’t really think that this package should have anything to do with resolving URIs; I’m tempted to redesign it in such a way that it accepts as an argument a function used to deal with the whole URI side of the world. Units, anyone? John -- You received this message because you are subscribed to the Google Groups "Racket Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to racket-users+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.