[xml] new PARSER_NO_DISK_ACCESS constant

From: "Nuno Lopes" <nunoplopes sapo pt>
To: <xml gnome org>
Cc: veillard redhat com
Subject: [xml] new PARSER_NO_DISK_ACCESS constant
Date: Sun, 8 May 2005 12:48:36 +0100

Hi,

I've filled my request to add a new constant in the bugzilla(http://bugzilla.gnome.org/show_bug.cgi?id=303342), but Daniel Veillardasked me to discuss my request here.

I thought in a PARSER_NO_DISK_ACCESS constant that could do the same asPARSER_NO_NET, that is, disable disk access. This means that I could load afile, but libxml couldn't access the filesystem to check for DTDs, etc...But it could access the internet (if NO_NET wasn't set..).

So, why do I think this constant would be usefull? Well, as you know, libxmlis now used by PHP as its internal xml parser. PHP is mainly designed forweb applications, so it should be secure. My concern is regarding parsingxml entered by the user. How do I know that the user won't add some stuff toinclude local disk files? Off course, some good regex parsing could do thetrick, but as I'm not a xml expert, I'm sure I would left some special casesbehind, thus potential opening the file system to the world.



I hope I made my opinion clearer :)

Thanks,

Nuno

Follow-Ups:
- Re: [xml] new PARSER_NO_DISK_ACCESS constant
  - From: Daniel Veillard
- Re: [xml] new PARSER_NO_DISK_ACCESS constant
  - From: Rob Richards

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]