Re: Hard-coded xmloutputversion in nmap.dtd--remove it?

["Michael Pattrick" <mpattrick () rhinovirus org>]

On Fri, Aug 15, 2008 at 12:23 PM, David Fifield <david () bamsoftware com> wrote:
> Finally, what does every use xmloutputversion for? I notice that the
> parser in Zenmap never uses it. Is validity (in an XML sense) important
> to your application? Zenmap's USR files are remarkably invalid yet they
> get the point across. It could be that xmloutputversion isn't worth much
> fuss.

I'm for keeping it but only increasing it conservatively. Most
additions to the XML at this point will be adding new elements and
attributes, something that is backwards compatible with old parsers -
that is to say, a well written parser should have no problem skipping
over unknown elements and attributes. A well written parser will also
support the permanent removal of implied attributes and elements for
obvious reasons. So for these types of changes a version increase
would not be needed.

However, The removal or modification of a required element/attribute
would warrant a version change. For example, lets say a parser uses
the 'scaninfo/services' port list  to calculate what ports aren't
open; if this attribute is removed then it obviously wont function
properly. So the increase in version number will tell a parser that it
cant parse the file like it normally does.

In this case, parsers should validate the version number and if it
isn't correct they should ether give an error or be prepared to not
read all of the data that they would normally be able to extract.

Cheers,
Michael

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org