[Standards] LAST CALL: XEP-0227 (Portable Import/Export Format for XMPP-IM Servers)

Kurt Zeilenga Kurt.Zeilenga at Isode.com
Thu Aug 6 16:06:18 UTC 2009


On Aug 6, 2009, at 12:55 AM, Dave Cridland wrote:

> On Wed Aug  5 23:25:45 2009, Kurt Zeilenga wrote:
>> How fitting.  I was just reviewing security aspects of this document.
>> I'm particularly concerned that <include/> are to be processed by  
>> the  importer regardless of where they appear in the input
>> because the input appears to contain content under user control.   
>> For  instance, consider for instance the import of an
>> export of a offline message:
>>> <message xmlns='jabber:client' from='romeo at montague.net/orchard' to='juliet at capulet.com 
>>>  /balcony' type='chat'>
>>> <body>Neither, fair saint, if either thee dislike.</body>
>>> <x xmlns='http://example' xmlns:xi='http://www.w3.org/2001/  
>>> XInclude'><xi:include href="file:///dev/random"/></x>
>>> <delay xmlns='urn:xmpp:delay' from='capulet.com'   
>>> stamp='1469-07-21T00:32:29Z'> Offline Storage </delay> </message>
> Oh, that would be evil. It's easier to take advantage of if you use  
> Private XML storage,

It should be noted that the user content may not even have been  
intended to do harm.  He could have just been
storing an XML content that contained an XInclude element.

I think XEP-0227 should not say "At any point in the file" but instead  
say that exporter provided
<include/> can only appear as children of the elements defined within  
the specification and an importer is
only to process these on import.

-- Kurt



More information about the Standards mailing list