oss-sec mailing list archives

Re: Robust XML validation
From: Tim <tim-security () sentinelchicken org>
Date: Thu, 13 Dec 2012 08:19:06 -0800

> Validating against trusted schemas/DTDs would not be sufficient in my
> opinion. For example, such validations are not effective against the
> billion laughs attack (http://en.wikipedia.org/wiki/Billion_laughs).

But... isn't the point that you'd never accept a DTD or schema from an
untrusted source?  That is, never even bother to parse it and
arguably, reject documents from users that contain them.
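
The policy discussed in this message, refusing user-supplied documents that carry their own DTD, shown as an added example that is not part of the original post. It uses Python's standard-library expat bindings; the function name, exception class and sample documents are constructed for illustration.

```python
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """Raised when an untrusted document carries its own DOCTYPE/DTD."""


def parse_untrusted(data):
    """Parse XML bytes from an untrusted source, refusing any DOCTYPE.

    Returns the element names in document order, so DTD-free input can be
    seen to parse normally.
    """
    names = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Called when expat reaches the DOCTYPE declaration, whether it has
        # an internal subset or points at an external DTD. Raising here
        # aborts the parse and the exception propagates out of Parse().
        raise DoctypeRejected("DOCTYPE %r not accepted from untrusted input" % name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)
    return names


def is_accepted(data):
    """True if the document parses under the no-DTD policy."""
    try:
        parse_untrusted(data)
        return True
    except DoctypeRejected:
        return False


# Constructed sample documents (not taken from the thread).
CLEAN = b"<order><item>widget</item></order>"
INTERNAL_DTD = b'<!DOCTYPE order [<!ENTITY a "x">]><order><item>&a;</item></order>'
EXTERNAL_DTD = b'<!DOCTYPE order SYSTEM "order.dtd"><order/>'

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN), ("internal", INTERNAL_DTD), ("external", EXTERNAL_DTD)]:
        print(label, "accepted" if is_accepted(doc) else "rejected")
```

Malformed input still raises `xml.parsers.expat.ExpatError`, which callers handle separately from the policy rejection.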