Subject: [OASIS Issue Tracker] Updated: (OFFICE-1225) Public Comment: ODF security hazard? (ODF all versions)

     [ http://tools.oasis-open.org/issues/browse/OFFICE-1225?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Weir  updated OFFICE-1225:

    Fix Version/s: ODF-Next
                       (was: ODF 1.2)
         Priority: Minor  (was: Blocker)

Certainly the naive dereferencing of untrusted external entity references can cause problems.  So is the naive execution of untrusted scripts and the naive activation of untrusted OLE embeddings or the naive display of untrusted WMF files.  The question to ask is whether a conforming ODF Consumer is required to do these actions.  The answer is No.  ODF 1.2 specifically states that Consumers are non-validating XML processors.  This means that they are only required to process the document entity.  They are not required to process the external entity, per [XML] 5.2.

However, this is a reasonable item to cover as part of an "ODF Security Guidelines" document, along the model of what we did with the Accessibility Guidelines.   It should comprehend the range of concerns from data security (encryption, digital signatures) as well as best practices with regard to embedded content, etc.

Moving to ODF-Next

> Public Comment: ODF security hazard? (ODF all versions)
> -------------------------------------------------------
>                 Key: OFFICE-1225
>                 URL: http://tools.oasis-open.org/issues/browse/OFFICE-1225
>             Project: OASIS Open Document Format for Office Applications (OpenDocument) TC
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: ODF 1.0, ODF 1.0 (second edition), ODF 1.1, ODF 1.2
>            Reporter: Robert Weir 
>            Assignee: Robert Weir 
>            Priority: Minor
>             Fix For: ODF-Next
> Copied from office-comment list
> Original author: "Alex Brown" <alexb@griffinbrown.co.uk> 
> Original date: 21 Feb 2009 12:35:07 -0000
> Original URL: http://lists.oasis-open.org/archives/office-comment/200902/msg00026.html

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
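
The behaviour discussed in the message above, as an added example that is not part of the original message or of any ODF implementation: a consumer-side check that parses the XML streams of an ODF package without dereferencing external entities and reports any that the document declares. The member list, function names and sample package are assumptions constructed for illustration.

```python
import io
import zipfile
from xml.parsers import expat

# XML streams of an ODF package that a consumer parses.
ODF_XML_MEMBERS = ("content.xml", "styles.xml", "meta.xml", "settings.xml",
                   "META-INF/manifest.xml")

def external_entities(xml_bytes):
    """List (name, system_id) for external entities declared in the DTD.

    Nothing is fetched: no ExternalEntityRefHandler is installed, so expat
    skips references to external entities instead of resolving them.
    """
    found = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if value is None:  # internal entities carry a literal value
            found.append((name, system_id))

    parser = expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)
    return found

def scan_odf(package_bytes):
    """Map each XML member of the package to its external entity declarations."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        names = set(zf.namelist())
        for member in ODF_XML_MEMBERS:
            if member in names:
                hits = external_entities(zf.read(member))
                if hits:
                    report[member] = hits
    return report

def build_sample():
    """Constructed package: content.xml declares and references one external entity."""
    xml = (b'<?xml version="1.0"?>\n'
           b'<!DOCTYPE doc [<!ENTITY ext SYSTEM "file:///constructed/example.txt">]>\n'
           b'<doc>&ext;</doc>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_odf(build_sample()))
```

A non-empty report is a reasonable signal to reject or quarantine the file, since ordinary ODF documents have no need to declare external entities.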