[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: [OASIS Issue Tracker] Created: (ODATA-461) Explicitly disallow certain XML constructs (for CSDL, ATOM) to enhance OData security
Explicitly disallow certain XML constructs (for CSDL, ATOM) to enhance OData security ------------------------------------------------------------------------------------- Key: ODATA-461 URL: http://tools.oasis-open.org/issues/browse/ODATA-461 Project: OASIS Open Data Protocol (OData) TC Issue Type: Improvement Components: OData ATOM Format , OData CSDL Affects Versions: V4.0_WD01 Reporter: Evan Ireland Considering the XML security vulnerabilities detailed in: http://stackoverflow.com/questions/1906927/xml-vulnerabilities it might be prudent to explicitly disallow certain XML constructs (DOCTYPE, ENTITY definitions and processing instructions) in ATOM, CSDL and any other XML documents used by OData. Specifically, a server receiving an XML document from the client, and a client receiving a document from the server, would be "permitted to ignore" (or preferably, "required to reject"): (1) XML DOCTYPE definitions (2) XML ENTITY definitions (3) XML processing instructions -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]