On Wed Aug  5 23:25:45 2009, Kurt Zeilenga wrote:
> How fitting. I was just reviewing security aspects of this document.
>
> I'm particularly concerned that <include/> elements are to be processed by the importer regardless of where they appear in the input, because the input appears to contain content under user control. For instance, consider the import of an
> export of an offline message:
>
> <message xmlns='jabber:client' from='[email protected]/orchard' to='[email protected]/balcony' type='chat'>
>   <body>Neither, fair saint, if either thee dislike.</body>
>   <x xmlns='http://example' xmlns:xi='http://www.w3.org/2001/XInclude'><xi:include href="file:///dev/random"/></x>
>   <delay xmlns='urn:xmpp:delay' from='capulet.com' stamp='1469-07-21T00:32:29Z'>Offline Storage</delay>
> </message>

Oh, that would be evil. It's easier to take advantage of if you use Private XML storage, of course - which in turn reminds me that persistent P*P nodes also need to be included in the spec.

This got me wondering about what other damage could be done by blindly trusting that content not under the administrator's
control is safe... but I have to dive deeper.

I think for the most part, none, but as a general rule of thumb, XEP-0227 does need to raise this general issue.

Dave.
--
Dave Cridland - mailto:[email protected] - xmpp:[email protected]
 - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
 - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
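As an added illustration of the importer-side check the thread is asking for (not code from the thread, from XEP-0227 or from any XMPP server), the following Python stdlib snippet locates xi:include elements anywhere in an export and either refuses the import or strips them before any processing step could resolve them. The export skeleton is an assumed approximation of the XEP-0227 layout and the JIDs are constructed.

```python
import xml.etree.ElementTree as ET

XI_INCLUDE = "{http://www.w3.org/2001/XInclude}include"

# Constructed sample (assumed approximation of a XEP-0227 export): an offline
# message whose user-supplied extension payload carries an XInclude directive.
SAMPLE_EXPORT = """<?xml version="1.0"?>
<server-data xmlns="urn:xmpp:pie:0">
  <host jid="example.org"><user name="juliet"><offline-messages>
    <message xmlns="jabber:client" from="romeo@example.org/orchard"
             to="juliet@example.org/balcony" type="chat">
      <body>Neither, fair saint, if either thee dislike.</body>
      <x xmlns="http://example" xmlns:xi="http://www.w3.org/2001/XInclude">
        <xi:include href="file:///dev/random"/>
      </x>
    </message>
  </offline-messages></user></host>
</server-data>"""


def scan_tree(root):
    """Return (path, href) for every xi:include anywhere in the tree.
    A plain ElementTree parse never resolves XInclude; resolution only
    happens if the importer calls xml.etree.ElementInclude.include(),
    which must never be done on export data of this kind."""
    hits = []

    def walk(elem, path):
        here = f"{path}/{elem.tag.split('}', 1)[-1]}"  # drop the namespace
        if elem.tag == XI_INCLUDE:
            hits.append((here, elem.get("href")))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return hits


def scan_export(xml_text):
    return scan_tree(ET.fromstring(xml_text))


def load_export(xml_text, policy="reject"):
    """policy='reject' aborts on any xi:include; policy='strip' removes
    them in place (reporting each one) and returns the cleaned tree."""
    root = ET.fromstring(xml_text)
    hits = scan_tree(root)
    if hits and policy == "reject":
        raise ValueError(f"refusing import, {len(hits)} xi:include found: {hits}")
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == XI_INCLUDE:
                parent.remove(child)
                print(f"dropped xi:include href={child.get('href')!r} from {parent.tag}")
    return root
```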
