
Subject: [OASIS Issue Tracker] Commented: (ODATA-461) Explicitly disallow certain XML constructs (for CSDL, ATOM) to enhance OData security


    [ http://tools.oasis-open.org/issues/browse/ODATA-461?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=36394#action_36394 ] 

Evan Ireland commented on ODATA-461:
------------------------------------

Putting it all together...

Recommendations for XML security with OData server implementations

The following recommendations apply to the parsing of XML documents (e.g. ATOM requests)
received by an OData service.

1. Disallow XML processing instructions.

   a. This prevents potential future abuse. Consider the "php" example at:
   
      http://en.wikipedia.org/wiki/Processing_Instruction
      
      It is easy to imagine that if an OData server supported such processing
      instructions in its XML parser, it could be a target for abuse.
       
   b. Note that the XML Declaration at the beginning of an XML document (shown below)
      is not a processing instruction; however, its similar syntax has often resulted
      in it being referred to as a processing instruction.

      <?xml version="1.0" encoding="UTF-8" ?>
      
2. Disallow DOCTYPE declarations.

   a. This has the effect of disallowing ENTITY declarations, which in turn prevents
      XML Bombs and External Entity Attacks, as described at:

      http://msdn.microsoft.com/en-us/magazine/ee335713.aspx

3. Disallow xsi:schemaLocation and xsi:noNamespaceSchemaLocation.

   a. Rationale is that they might be used by a client to initiate denial of
      service attacks (by specifying a "rogue" XSD location). See discussion at:
      
      http://msdn.microsoft.com/en-us/library/ms756016(v=vs.85).aspx


> Explicitly disallow certain XML constructs (for CSDL, ATOM) to enhance OData security
> -------------------------------------------------------------------------------------
>
>                 Key: ODATA-461
>                 URL: http://tools.oasis-open.org/issues/browse/ODATA-461
>             Project: OASIS Open Data Protocol (OData) TC
>          Issue Type: Improvement
>          Components: Securing Open Data
>    Affects Versions: V4.0_WD01
>         Environment: [Proposed]
>            Reporter: Evan Ireland
>             Fix For: V4.0_WD01
>
>
> Considering the XML security vulnerabilities detailed in:
>   http://stackoverflow.com/questions/1906927/xml-vulnerabilities
> it might be prudent to explicitly disallow certain XML constructs (DOCTYPE, ENTITY definitions and processing instructions) in ATOM, CSDL and any other XML documents used by OData.
> Specifically, a server receiving an XML document from the client, and a client receiving a document from the server, would be "permitted to ignore" (or preferably, "required to reject"):
> (1)  XML DOCTYPE definitions
> (2)  XML ENTITY definitions
> (3)  XML processing instructions

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
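
The three recommendations in the comment above, as an added example that is not part of the original message or of any OData implementation: a Python check on the standard library's expat bindings that rejects a document at the first processing instruction, DOCTYPE declaration, or xsi:schemaLocation / xsi:noNamespaceSchemaLocation attribute. The names rejection_reason and RejectedXml are hypothetical.

```python
import xml.parsers.expat
from typing import Optional

XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
BANNED_XSI_ATTRS = {"schemaLocation", "noNamespaceSchemaLocation"}


class RejectedXml(Exception):
    """Raised by a handler when a disallowed construct is seen (hypothetical name)."""


def rejection_reason(data: bytes) -> Optional[str]:
    """Return why `data` must be rejected, or None if it passes all three checks."""
    # With a namespace separator, expat reports names as "<namespace-uri> <local>",
    # so the xsi check does not depend on the prefix the sender chose.
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_pi(target, _data):
        # Recommendation 1. expat reports the XML declaration (<?xml ...?>)
        # through a separate handler, so it does not trigger this one.
        raise RejectedXml(f"processing instruction: {target}")

    def on_doctype(name, _system_id, _public_id, _has_internal_subset):
        # Recommendation 2. Called at the start of <!DOCTYPE, before the
        # internal subset where ENTITY declarations would appear.
        raise RejectedXml(f"DOCTYPE declaration: {name}")

    def on_start(_name, attrs):
        # Recommendation 3. Non-namespaced attributes have no separator,
        # so rpartition yields an empty namespace for them.
        for attr in attrs:
            ns, _, local = attr.rpartition(" ")
            if ns == XSI_NS and local in BANNED_XSI_ATTRS:
                raise RejectedXml(f"xsi:{local} attribute")

    parser.ProcessingInstructionHandler = on_pi
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except RejectedXml as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return f"not well-formed: {exc}"
    return None
```

A server would run this check (or configure the same handlers on its real parser) before any schema-aware or entity-expanding processing sees the request body.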

        

