oss-sec mailing list archives

Re: Robust XML validation
From: Tim <tim-security () sentinelchicken org>
Date: Thu, 13 Dec 2012 08:19:06 -0800


> Validating against trusted schemas/DTDs would not be sufficient in my
> opinion. For example, such validations are not effective against the
> billion laughs attack (http://en.wikipedia.org/wiki/Billion_laughs).

But... isn't the point that you'd never accept a DTD or schema from an
untrusted source?  That is, never even bother to parse it and
arguably, reject documents from users that contain them.

tim
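
The policy described in this message (refuse any user-supplied document that carries its own DTD instead of parsing it) sketched as an added example that is not code from the thread. It uses Python's standard-library expat binding; the function names and the sample documents are constructed for illustration.

```python
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """Raised when an untrusted document carries its own DTD."""


def parse_untrusted(xml_bytes):
    """Return element names in document order; refuse any DOCTYPE."""
    names = []
    parser = xml.parsers.expat.ParserCreate()  # encoding auto-detected

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at "<!DOCTYPE name", before any declaration in the subset
        # is read, so no user-defined entity is ever declared or expanded.
        raise DoctypeRejected("DOCTYPE not allowed (root %r)" % name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(xml_bytes, True)
    return names


def is_acceptable(xml_bytes):
    """True only for well-formed documents that contain no DOCTYPE."""
    try:
        parse_untrusted(xml_bytes)
        return True
    except (DoctypeRejected, xml.parsers.expat.ExpatError):
        return False


# Constructed sample inputs.
SAMPLE_PLAIN = b"<order><item/></order>"
SAMPLE_INTERNAL = (b'<?xml version="1.0"?>\n'
                   b'<!DOCTYPE r [ <!ENTITY a "x"> <!ENTITY b "&a;&a;"> ]>\n'
                   b'<r>&b;</r>')
SAMPLE_EXTERNAL = b'<!DOCTYPE r SYSTEM "http://example.invalid/r.dtd"><r/>'
# Same DTD-bearing document in UTF-16: a byte search for b"<!DOCTYPE"
# misses it, which is why the check relies on the parser's own event.
SAMPLE_UTF16 = SAMPLE_INTERNAL.decode("ascii").encode("utf-16")

if __name__ == "__main__":
    for label, doc in [("plain", SAMPLE_PLAIN), ("internal", SAMPLE_INTERNAL),
                       ("external", SAMPLE_EXTERNAL), ("utf16", SAMPLE_UTF16)]:
        print(label, "accepted" if is_acceptable(doc) else "rejected")
```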

