Subject: Re: [office-comment] ODF security hazard? (ODF all versions)


Hi Alex,

On 21.02.09 16:15, Alex Brown wrote:
> Rob hi
> 
>> But I do think this would be good to collect a set of security 
>> considerations into an Appendix, as we have with Bidi techniques and 
>> Accessibility guidelines.  If there is interest we could also explore 
>> a "Secure ODF" profile that would forbid things like OLE embeddings, 
>> scripts, etc.
> 
> That sounds like a sensible approach.
> 
> Since the DTD feature is not needed though, it is one attack vector
> which could be easily blocked by forbidding DTDs ...

One could do so, but I'm not convinced that this is reasonable. With the 
same argument we may have to forbid that an application tries to resolve 
namespace URIs to check whether they can locate XSD schemas there, or 
would have to forbid them to evaluate any xsi:schemaLocation attributes 
and so on and so on.

Having said that: The issue is a general XML issue, and not something 
specific to ODF. If we want to add security considerations to ODF, then I 
would just say that ODF implementors should follow the security 
considerations that do exist for the standards it uses (if there are 
such), but I would not list them within the ODF specification itself.

Michael


> 
> - Alex.
> 


-- 
Michael Brauer, Technical Architect Software Engineering
StarOffice/OpenOffice.org
Sun Microsystems GmbH             Nagelsweg 55
D-20097 Hamburg, Germany          michael.brauer@sun.com
http://sun.com/staroffice         +49 40 23646 500
http://blogs.sun.com/GullFOSS

Registered office: Sun Microsystems GmbH, Sonnenallee 1,
	   D-85551 Kirchheim-Heimstetten
District Court of Munich: HRB 161028
Managing Directors: Thomas Schroeder, Wolfgang Engels, Dr. Roland Boemer
Chairman of the Supervisory Board: Martin Haering
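
An added example, not part of the original message or of any ODF implementation: a consumer-side check that reports DTDs and xsi:schemaLocation hints in the XML streams of an ODF package without resolving either, the two cases weighed in the message above. The function names and the sample package are constructed for illustration.

```python
import io
import zipfile
from xml.parsers import expat

XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

class DoctypeFound(Exception):
    """Raised from the expat callback to abort parsing at the DOCTYPE."""

def audit_xml(data):
    """Return (kind, detail) findings for one XML stream; nothing is fetched."""
    findings = []
    parser = expat.ParserCreate(namespace_separator=" ")
    # No ExternalEntityRefHandler is set, so expat never loads external entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeFound(f"DOCTYPE {name} system={system_id!r}")
    def on_start(name, attrs):
        # Schema location hints are recorded, never dereferenced.
        for attr in ("schemaLocation", "noNamespaceSchemaLocation"):
            value = attrs.get(f"{XSI_NS} {attr}")
            if value is not None:
                findings.append(("schema-hint", f"{attr}={value!r}"))
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except DoctypeFound as exc:
        findings.append(("dtd", str(exc)))
    except expat.ExpatError as exc:
        findings.append(("malformed", str(exc)))
    return findings

def audit_odf_package(blob):
    """Audit every .xml member of an ODF (ZIP) package held in memory."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as pkg:
        for member in pkg.namelist():
            if member.endswith(".xml"):
                found = audit_xml(pkg.read(member))
                if found:
                    report[member] = found
    return report

def build_sample():
    """Constructed sample package: one clean stream and two flagged ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("content.xml", b'<c xmlns="urn:oasis:names:tc:opendocument:xmlns:office:1.0"/>')
        pkg.writestr("styles.xml", b'<!DOCTYPE s SYSTEM "http://example.invalid/s.dtd"><s/>')
        pkg.writestr("meta.xml", f'<m xmlns:xsi="{XSI_NS}" xsi:schemaLocation="urn:x http://example.invalid/x.xsd"/>'.encode())
    return buf.getvalue()
```
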

