[xml] new PARSER_NO_DISK_ACCESS constant


I've filed my request to add a new constant in the bugzilla (http://bugzilla.gnome.org/show_bug.cgi?id=303342), but Daniel Veillard asked me to discuss my request here.

I thought of a PARSER_NO_DISK_ACCESS constant that could do the same as PARSER_NO_NET, that is, disable disk access. This means that I could load a file, but libxml couldn't access the filesystem to check for DTDs, etc. But it could access the internet (if NO_NET wasn't set).

So, why do I think this constant would be useful? Well, as you know, libxml is now used by PHP as its internal XML parser. PHP is mainly designed for web applications, so it should be secure. My concern is regarding parsing XML entered by the user. How do I know that the user won't add some stuff to include local disk files? Of course, some good regex parsing could do the trick, but as I'm not an XML expert, I'm sure I would leave some special cases behind, thus potentially opening the file system to the world.

I hope I made my opinion clearer :)
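
The policy requested above (refuse local-disk references, still allow network ones) can be expressed as a callback for PHP's `libxml_set_external_entity_loader()`. This is an added example, not code from the post or from the libxml project; the helper name `is_network_reference`, the `$denied` list and the sample document are constructed for illustration.

```php
<?php
// Added example. Policy: refuse every external identifier that is not
// plain http/https, so nothing is read from local disk. The helper name
// and the sample document below are hypothetical.

function is_network_reference(?string $systemId): bool
{
    $scheme = parse_url((string) $systemId, PHP_URL_SCHEME);
    // No scheme (bare or relative path), file:, php:, a Windows drive
    // letter, or an unparsable value all fail this test and are refused.
    return is_string($scheme)
        && in_array(strtolower($scheme), ['http', 'https'], true);
}

$denied = [];
libxml_set_external_entity_loader(
    function ($publicId, $systemId, $context) use (&$denied) {
        if (!is_network_reference($systemId)) {
            $denied[] = $systemId;   // keep a record for logging
            return null;             // null makes the load fail
        }
        return $systemId;            // network identifier: let it load
    }
);

// Constructed user input: an entity that points at a local file.
$xml = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY local SYSTEM "file:///constructed/example.txt">
]>
<note>&local;</note>
XML;

libxml_use_internal_errors(true);    // collect parser errors, don't print
$doc = new DOMDocument();
// LIBXML_NOENT asks libxml to substitute entities, so the loader is consulted.
$doc->loadXML($xml, LIBXML_NOENT);

foreach ($denied as $id) {
    echo "refused local reference: $id\n";
}
foreach (libxml_get_errors() as $err) {
    echo 'libxml: ' . trim($err->message) . "\n";
}
```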

