[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: [OASIS Issue Tracker] Created: (ODATA-461) Explicitly disallow certain XML constructs (for CSDL, ATOM) to enhance OData security
Explicitly disallow certain XML constructs (for CSDL, ATOM) to enhance OData security
-------------------------------------------------------------------------------------
Key: ODATA-461
URL: http://tools.oasis-open.org/issues/browse/ODATA-461
Project: OASIS Open Data Protocol (OData) TC
Issue Type: Improvement
Components: OData ATOM Format , OData CSDL
Affects Versions: V4.0_WD01
Reporter: Evan Ireland
Considering the XML security vulnerabilities detailed in:
http://stackoverflow.com/questions/1906927/xml-vulnerabilities
it might be prudent to explicitly disallow certain XML constructs (DOCTYPE, ENTITY definitions and processing instructions) in ATOM, CSDL and any other XML documents used by OData.
Specifically, a server receiving an XML document from the client, and a client receiving a document from the server, would be "permitted to ignore" (or preferably, "required to reject"):
(1) XML DOCTYPE definitions
(2) XML ENTITY definitions
(3) XML processing instructions
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]