On Aug 6, 2009, at 12:55 AM, Dave Cridland wrote:
On Wed Aug 5 23:25:45 2009, Kurt Zeilenga wrote:
How fitting. I was just reviewing security aspects of this document.
I'm particularly concerned that <include/> elements are to be processed by
the importer regardless of where they appear in the input,
because the input appears to contain content under user control.
For instance, consider the import of an export of an offline message:
<message xmlns='jabber:client' from='[email protected]/orchard' to='[email protected]/balcony' type='chat'>
  <body>Neither, fair saint, if either thee dislike.</body>
  <x xmlns='http://example' xmlns:xi='http://www.w3.org/2001/XInclude'><xi:include href="file:///dev/random"/></x>
  <delay xmlns='urn:xmpp:delay' from='capulet.com' stamp='1469-07-21T00:32:29Z'> Offline Storage </delay>
</message>
Oh, that would be evil. It's easier to take advantage of if you use
Private XML storage,
It should be noted that the user content may not even have been
intended to do harm. He could have just been
storing XML content that contained an XInclude element.
I think XEP-0227 should not say "At any point in the file" but instead
say that exporter-provided <include/> elements can only appear as
children of the elements defined within the specification and an
importer is only to process these on import.
-- Kurt
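
The restriction proposed above, sketched as an added example (not code from this thread or from XEP-0227): an importer pass that honours an include only when every ancestor is one of the format's own container elements, and reports any include found inside user content without resolving it. The namespace urn:xmpp:pie:0, the container element names and the sample JIDs and file name are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

PIE = "urn:xmpp:pie:0"  # assumed XEP-0227 namespace; not stated in the thread
XI = "http://www.w3.org/2001/XInclude"
INCLUDE = "{%s}include" % XI
# Assumed container elements under which an exporter may place an include.
STRUCTURAL = {"{%s}%s" % (PIE, name)
              for name in ("server-data", "host", "user", "offline-messages")}

def classify_includes(xml_text):
    """Return (allowed, ignored) lists of include hrefs.

    ET.fromstring() does not expand XInclude by itself, so nothing is
    fetched here; the caller resolves only the 'allowed' hrefs.
    """
    allowed, ignored = [], []

    def walk(elem, in_structure):
        for child in elem:
            if child.tag == INCLUDE:
                (allowed if in_structure else ignored).append(child.get("href"))
            else:
                # Once we step into a non-container element we are inside
                # user content, and stay there for the whole subtree.
                walk(child, in_structure and child.tag in STRUCTURAL)

    root = ET.fromstring(xml_text)
    walk(root, root.tag in STRUCTURAL)
    return allowed, ignored

# Constructed sample: one exporter-placed include, and the stored message
# from the thread carrying an include inside user-controlled content.
SAMPLE = """\
<server-data xmlns='urn:xmpp:pie:0' xmlns:xi='http://www.w3.org/2001/XInclude'>
  <host jid='capulet.example'>
    <xi:include href='capulet.example/juliet.xml'/>
    <user name='romeo'>
      <offline-messages>
        <message xmlns='jabber:client' type='chat'>
          <body>Neither, fair saint, if either thee dislike.</body>
          <x xmlns='http://example'><xi:include href='file:///dev/random'/></x>
        </message>
      </offline-messages>
    </user>
  </host>
</server-data>
"""

if __name__ == "__main__":
    ok, skipped = classify_includes(SAMPLE)
    print("resolve:", ok)
    print("left as opaque user data:", skipped)
```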