[xml] new PARSER_NO_DISK_ACCESS constant
- From: "Nuno Lopes" <nunoplopes sapo pt>
- To: <xml gnome org>
- Cc: veillard redhat com
- Subject: [xml] new PARSER_NO_DISK_ACCESS constant
- Date: Sun, 8 May 2005 12:48:36 +0100
Hi,
I've filed my request to add a new constant in the bugzilla
(http://bugzilla.gnome.org/show_bug.cgi?id=303342), but Daniel Veillard
asked me to discuss my request here.
I thought of a PARSER_NO_DISK_ACCESS constant that could do the same as
PARSER_NO_NET, that is, disable disk access. This means that I could load a
file, but libxml couldn't access the filesystem to check for DTDs, etc...
But it could access the internet (if NO_NET wasn't set).
So, why do I think this constant would be useful? Well, as you know, libxml
is now used by PHP as its internal XML parser. PHP is mainly designed for
web applications, so it should be secure. My concern is regarding parsing
XML entered by the user. How do I know that the user won't add some stuff to
include local disk files? Of course, some good regex parsing could do the
trick, but as I'm not an XML expert, I'm sure I would leave some special cases
behind, thus potentially opening the file system to the world.
I hope I made my opinion clearer :)
Thanks,
Nuno
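
The policy requested in the message above (refuse local paths, leave network access to the separate no-network flag) can be approximated from PHP with `libxml_set_external_entity_loader()`. This is an added example, not part of the original message and not code from libxml or PHP; the helper names `is_network_reference()` and `parse_untrusted_xml()` and the sample document are assumptions constructed for illustration.

```php
<?php
// Added example: never hand libxml a local path while parsing untrusted XML.
// Treat only http(s) system identifiers as network references; anything else
// (file:, php:, bare or relative paths, empty) counts as local and is refused.
function is_network_reference(?string $systemId): bool
{
    return $systemId !== null && preg_match('#^https?://#i', $systemId) === 1;
}

// Parse untrusted XML under that policy.
// Returns [DOMDocument|null, list of refused system identifiers].
function parse_untrusted_xml(string $xml, int $options = LIBXML_NONET): array
{
    $refused = [];
    libxml_set_external_entity_loader(
        function ($publicId, $systemId, $context) use (&$refused) {
            if (is_network_reference($systemId)) {
                return $systemId; // libxml fetches it unless LIBXML_NONET is set
            }
            $refused[] = (string) $systemId;
            return null;          // refuse: libxml records a load failure
        }
    );
    $previous = libxml_use_internal_errors(true); // collect errors quietly
    $doc = new DOMDocument();
    $ok = $doc->loadXML($xml, $options);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    libxml_set_external_entity_loader(null);      // restore the default loader
    return [$ok ? $doc : null, $refused];
}

// Constructed input: a document whose external DTD points at a local path.
$sample = '<?xml version="1.0"?>'
    . '<!DOCTYPE r SYSTEM "/tmp/constructed-example.dtd">'
    . '<r>user supplied text</r>';

// LIBXML_DTDLOAD makes libxml request the external DTD, so the loader runs.
[$doc, $refused] = parse_untrusted_xml($sample, LIBXML_DTDLOAD | LIBXML_NONET);
var_dump($refused);
```

Leaving out `LIBXML_DTDLOAD`, `LIBXML_DTDVALID` and `LIBXML_NOENT` keeps libxml from requesting the external DTD or external entities in the first place; the loader is a second layer for code paths that need those flags.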