[Standards] LAST CALL: XEP-0227 (Portable Import/Export Format for XMPP-IM Servers)
Kurt.Zeilenga at Isode.com
Thu Aug 6 16:06:18 UTC 2009
On Aug 6, 2009, at 12:55 AM, Dave Cridland wrote:
> On Wed Aug 5 23:25:45 2009, Kurt Zeilenga wrote:
>> How fitting. I was just reviewing security aspects of this document.
>> I'm particularly concerned that <include/> are to be processed by
>> the importer regardless of where they appear in the input
>> because the input appears to contain content under user control.
>> For instance, consider for instance the import of an
>> export of a offline message:
>>> <message xmlns='jabber:client' from='romeo at montague.net/orchard' to='juliet at capulet.com
>>> /balcony' type='chat'>
>>> <body>Neither, fair saint, if either thee dislike.</body>
>>> <x xmlns='http://example' xmlns:xi='http://www.w3.org/2001/
>>> XInclude'><xi:include href="file:///dev/random"/></x>
>>> <delay xmlns='urn:xmpp:delay' from='capulet.com'
>>> stamp='1469-07-21T00:32:29Z'> Offline Storage </delay> </message>
> Oh, that would be evil. It's easier to take advantage of if you use
> Private XML storage,
It should be noted that the user content may not even have been
intended to do harm. He could have just been
storing an XML content that contained an XInclude element.
I think XEP-0227 should not say "At any point in the file" but instead
say that exporter provided
<include/> can only appear as children of the elements defined within
the specification and an importer is
only to process these on import.
More information about the Standards