On 07/15/13 16:53, Chris Angelico wrote:
> I haven't looked into the details, but there was one among a list of
> exploits that was being discussed a few months ago; it involved XML
> schemas, I think, and quite a few generic XML parsers could be tricked
> into fetching arbitrary documents. Whether this could be used for
> anything more serious than a document-viewed receipt or a denial of
> service (via latency) I don't know, but if nothing else, it's a vector
> that JSON simply doesn't have.
>
> ChrisA
I must have missed that exploit report, can you provide a link?

Parsing arbitrary XML documents and parsing XML schema documents and applying XML schema semantics to these documents are two very different operations. XML schemas are not "tricked" into fetching arbitrary documents; xs:include and xs:import fetch external documents, it's a well-known feature. If you don't want this, you should ship all of the schema documents together and generate the schemas in a way that does not include any external references. So I'm surprised this was presented as a security exploit.

JSON schemas also have similar functionality:

http://json-schema.org/latest/json-schema-core.html#anchor30

"""
if canonical dereferencing is used, the implementation will dereference this URI, and fetch the content at this URI;
"""

So I don't understand how you're so sure of yourself, but to me, it seems like JSON schemas have the same attack vectors.

Best regards,
Burak

-- 
http://mail.python.org/mailman/listinfo/python-list
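The check Burak's advice implies, written out as an added example that is not part of the thread and not code from either poster: before shipping a schema bundle, list every place where an XML Schema (xs:include, xs:import, xs:redefine with a schemaLocation) or a JSON Schema ("$ref" values) would make a validator fetch a document from outside the bundle. The two sample schemas and the example.net URLs are constructed for illustration; the function names are this example's own. Only the Python standard library is used, so nothing here actually resolves or fetches anything, it only reports what a validator would be asked to fetch.

```python
"""Flag external references in XML Schema and JSON Schema documents.

Constructed example (not from the mailing-list thread): a pre-shipping
check that lists every place a schema would make a validator fetch
another document, so a schema bundle can be verified to be self-contained.
"""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XS_NS = "http://www.w3.org/2001/XMLSchema"
# XML Schema elements whose schemaLocation makes a processor load another document.
XS_FETCHING = {"include", "import", "redefine"}


def is_remote(location):
    """True if a URI reference would leave the local schema bundle.

    Bare relative paths (e.g. 'common.xsd') are treated as local; anything
    with a scheme or an authority (http://, file://, //host/...) is remote.
    """
    parsed = urlparse(location)
    return bool(parsed.scheme) or bool(parsed.netloc)


def xsd_external_references(xsd_text):
    """Return (construct, schemaLocation, namespace) for every xs:include,
    xs:import and xs:redefine in the schema, in document order.

    schemaLocation may be None on xs:import; the processor is then free to
    resolve the namespace URI on its own, which is worth flagging as well."""
    root = ET.fromstring(xsd_text)
    prefix = "{%s}" % XS_NS
    refs = []
    for elem in root.iter():
        if elem.tag.startswith(prefix) and elem.tag[len(prefix):] in XS_FETCHING:
            refs.append((elem.tag[len(prefix):],
                         elem.get("schemaLocation"),
                         elem.get("namespace")))
    return refs


def json_schema_refs(schema):
    """Return every '$ref' value in a parsed JSON Schema, walking nested
    objects and arrays in document order."""
    found = []
    if isinstance(schema, dict):
        ref = schema.get("$ref")
        if isinstance(ref, str):
            found.append(ref)
        for value in schema.values():
            found.extend(json_schema_refs(value))
    elif isinstance(schema, list):
        for item in schema:
            found.extend(json_schema_refs(item))
    return found


def check_bundle(xsd_text, json_schema_text):
    """Return human-readable findings; an empty list means nothing in the
    bundle would be fetched from outside it."""
    findings = []
    for construct, location, namespace in xsd_external_references(xsd_text):
        if location is None:
            findings.append("xs:%s of namespace %s has no schemaLocation; "
                            "resolution is left to the processor" % (construct, namespace))
        elif is_remote(location):
            findings.append("xs:%s fetches remote document %s" % (construct, location))
    for ref in json_schema_refs(json.loads(json_schema_text)):
        # A fragment-only ref ('#/definitions/x') stays inside this document;
        # anything else is resolved against the base URI and may be fetched.
        if not ref.startswith("#"):
            findings.append("JSON Schema $ref %s dereferences outside the document" % ref)
    return findings


# Constructed sample inputs: one schema of each kind, each with one local
# reference (should pass) and one remote reference (should be flagged).
SAMPLE_XSD = """<?xml version="1.0"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           targetNamespace="urn:example:orders" xmlns:t="urn:example:types">
  <xs:include schemaLocation="common.xsd"/>
  <xs:import namespace="urn:example:types"
             schemaLocation="http://schemas.example.net/types.xsd"/>
  <xs:element name="order" type="t:OrderType"/>
</xs:schema>
"""

SAMPLE_JSON_SCHEMA = """{
  "id": "http://example.net/schemas/order",
  "type": "object",
  "properties": {
    "customer": {"$ref": "#/definitions/customer"},
    "address":  {"$ref": "http://example.net/schemas/address"}
  },
  "definitions": {"customer": {"type": "string"}}
}
"""

if __name__ == "__main__":
    for finding in check_bundle(SAMPLE_XSD, SAMPLE_JSON_SCHEMA):
        print(finding)
```

Run against the two samples it reports exactly two findings, the remote xs:import and the absolute-URI $ref, and stays silent on the relative include and the fragment-only ref. Relative schemaLocations still have to be present in the bundle; this check only tells you which references cannot possibly be satisfied locally, it does not prove the bundle is complete.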