Subject: [OASIS Issue Tracker] Updated: (ODATA-461) Explicitly disallow certain XML constructs (for CSDL, ATOM) to enhance OData security


     [ http://tools.oasis-open.org/issues/browse/ODATA-461?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Pizzo updated ODATA-461:
--------------------------------

    Proposal: 
Servers should reject XML documents with XML DOCTYPE definitions, XML ENTITY definitions, and XML processing instructions.

Clients may reject XML documents with XML DOCTYPE definitions, XML ENTITY definitions, and XML processing instructions.


  was:
Servers MUST reject XML documents with XML DOCTYPE definitions, XML ENTITY definitions, and XML processing instructions.

Clients MAY reject XML documents with XML DOCTYPE definitions, XML ENTITY definitions, and XML processing instructions.



> Explicitly disallow certain XML constructs (for CSDL, ATOM) to enhance OData security
> -------------------------------------------------------------------------------------
>
>                 Key: ODATA-461
>                 URL: http://tools.oasis-open.org/issues/browse/ODATA-461
>             Project: OASIS Open Data Protocol (OData) TC
>          Issue Type: Improvement
>          Components: Securing Open Data
>    Affects Versions: V4.0_WD01
>         Environment: [Proposed]
>            Reporter: Evan Ireland
>             Fix For: V4.0_WD01
>
>
> Considering the XML security vulnerabilities detailed in:
>   http://stackoverflow.com/questions/1906927/xml-vulnerabilities
> it might be prudent to explicitly disallow certain XML constructs (DOCTYPE, ENTITY definitions and processing instructions) in ATOM, CSDL and any other XML documents used by OData.
> Specifically, a server receiving an XML document from the client, and a client receiving a document from the server, would be "permitted to ignore" (or preferably, "required to reject"):
> (1)  XML DOCTYPE definitions
> (2)  XML ENTITY definitions
> (3)  XML processing instructions

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
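As an added example (not code from the issue or the OData TC), the rule proposed above implemented as a server-side gatekeeper in Python on top of expat: parsing aborts at the first DOCTYPE declaration, ENTITY definition or processing instruction, so nothing in a DTD is ever expanded or fetched before the document is refused. The CSDL and Atom sample documents are constructed for the example.

```python
"""Gatekeeper for OData XML payloads (CSDL, Atom): refuse any document that
carries a DOCTYPE declaration, an ENTITY definition or a processing instruction."""
import xml.parsers.expat


class ForbiddenXmlConstruct(ValueError):
    """A disallowed XML construct was encountered."""


def reject_reason(document: bytes):
    """Return None if `document` is well-formed and free of the three
    constructs, otherwise a short reason string. Parsing stops at the first
    offending construct, so no entity is expanded and no external DTD is read."""
    parser = xml.parsers.expat.ParserCreate()
    # Never read parameter entities, i.e. never load an external DTD subset.
    parser.SetParamEntityParsing(
        xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def flag(kind):
        def handler(*_):
            raise ForbiddenXmlConstruct(
                f"{kind} at line {parser.CurrentLineNumber}")
        return handler

    parser.StartDoctypeDeclHandler = flag("DOCTYPE declaration")
    # ENTITY declarations only occur inside a DOCTYPE, so this handler is
    # defence in depth should the DOCTYPE check ever be relaxed.
    parser.EntityDeclHandler = flag("ENTITY definition")
    # The <?xml ...?> declaration is not a PI (expat reports it separately),
    # so a normal CSDL/Atom prolog still passes this check.
    parser.ProcessingInstructionHandler = flag("processing instruction")
    parser.ExternalEntityRefHandler = lambda *_: 0  # never follow references

    try:
        parser.Parse(document, True)
    except ForbiddenXmlConstruct as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return f"malformed XML: {exc}"
    return None


# Constructed sample documents (not taken from the issue or the OData spec).
CSDL_OK = (b'<?xml version="1.0" encoding="utf-8"?>'
           b'<edmx:Edmx xmlns:edmx="http://docs.oasis-open.org/odata/ns/edmx"'
           b' Version="4.0"><edmx:DataServices/></edmx:Edmx>')
ATOM_DOCTYPE = (b'<?xml version="1.0"?><!DOCTYPE feed [<!ENTITY a "aaaa">]>'
                b'<feed xmlns="http://www.w3.org/2005/Atom">&a;</feed>')
ATOM_PI = (b'<?xml version="1.0"?><?xml-stylesheet href="feed.xsl"?>'
           b'<feed xmlns="http://www.w3.org/2005/Atom"/>')
```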
