oss-sec mailing list archives
Re: Robust XML validation
From: Timo Warns <warns () pre-sense de>
Date: Thu, 13 Dec 2012 13:47:15 +0100
On 12.12.2012 18:11, Florian Weimer wrote:
I'm working on guidelines for robust XML parsing and I noticed that there are some denial-of-service issues related to validation which do not seem widely documented (but were apparently known when SGML was specified).
I'm interested in such guidelines. Will they be public?
I wonder if we should care about this in the sense that we should prepare fixes, or if it is sufficient to recommend to validate against trusted schemas/DTDs only. (I've found an implementation which gets right the things I tested so far, so efficient implementations aren't impossible.)
Validating against trusted schemas/DTDs would not be sufficient in my opinion. For example, such validations are not effective against the billion laughs attack (http://en.wikipedia.org/wiki/Billion_laughs). Moreover, some projects deliberately decide against schema validation. For example, when fixing CVE-2012-2665, LibreOffice developers have decided against validating the manifest.xml against a schema or DTD. If I understood correctly, the reason was that omitting validations allows to open documents in a future format on a best-effort basis (as an alternative to annoying the user with a "format not supported" message). Regards, Timo
Current thread:
- Robust XML validation Florian Weimer (Dec 12)
- Re: Robust XML validation Timo Warns (Dec 13)
- Re: Robust XML validation Tim (Dec 13)
- Re: Robust XML validation Timo Warns (Dec 13)
- Re: Robust XML validation Florian Weimer (Dec 14)
- Re: Robust XML validation Tim (Dec 13)
- Re: Robust XML validation Timo Warns (Dec 13)