[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: [OASIS Issue Tracker] (ODATA-461) Explicitly disallow certain XML constructs (for CSDL, ATOM) to enhance OData security
[ https://issues.oasis-open.org/browse/ODATA-461?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ralf Handl updated ODATA-461:
-----------------------------
Fix Version/s: CN01
(was: V4.0_WD01)
> Explicitly disallow certain XML constructs (for CSDL, ATOM) to enhance OData security
> -------------------------------------------------------------------------------------
>
> Key: ODATA-461
> URL: https://issues.oasis-open.org/browse/ODATA-461
> Project: OASIS Open Data Protocol (OData) TC
> Issue Type: Improvement
> Components: Securing OData
> Affects Versions: V4.0_WD01
> Environment: [Proposed]
> Reporter: Evan Ireland
> Fix For: CN01
>
>
> Considering the XML security vulnerabilities detailed in:
> http://stackoverflow.com/questions/1906927/xml-vulnerabilities
> it might be prudent to explicitly disallow certain XML constructs (DOCTYPE, ENTITY definitions and processing instructions) in ATOM, CSDL and any other XML documents used by OData.
> Specifically, a server receiving an XML document from the client, and a client receiving a document from the server, would be "permitted to ignore" (or preferably, "required to reject"):
> (1) XML DOCTYPE definitions
> (2) XML ENTITY definitions
> (3) XML processing instructions
--
This message was sent by Atlassian JIRA
(v6.2.2#6258)
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]