oss-sec mailing list archives
Re: Robust XML validation
From: Timo Warns <warns () pre-sense de>
Date: Thu, 13 Dec 2012 19:07:35 +0100
Am 13.12.2012 17:19, schrieb Tim:
Validating against trusted schemas/DTDs would not be sufficient in my opinion. For example, such validations are not effective against the billion laughs attack (http://en.wikipedia.org/wiki/Billion_laughs).But... isn't the point that you'd never accept a DTD or schema from an untrusted source? That is, never even bother to parse it and arguably, reject documents from users that contain them.
What I wanted to say is that validating an XML document against a trusted schema/DTD may already exhaust resources (e.g,. due to expansions necessary for a validation). Regards, Timo
Current thread:
- Robust XML validation Florian Weimer (Dec 12)
- Re: Robust XML validation Timo Warns (Dec 13)
- Re: Robust XML validation Tim (Dec 13)
- Re: Robust XML validation Timo Warns (Dec 13)
- Re: Robust XML validation Florian Weimer (Dec 14)
- Re: Robust XML validation Tim (Dec 13)
- Re: Robust XML validation Timo Warns (Dec 13)