[Expat-bugs] [ expat-Bugs-1742315 ] Harmful XML_ParserCreateNS suggestion

SourceForge.net noreply at sourceforge.net
Sat Jan 17 17:03:40 CET 2009 

Bugs item #1742315, was opened at 2007-06-23 23:54
Message generated for change (Comment added) made by kwaclaw
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=1742315&group_id=10127

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Documentation
Group: None
>Status: Closed
Resolution: Fixed
Priority: 5
Private: No
Submitted By: Björn Höhrmann (hoehrmann)
Assigned to: Fred L. Drake, Jr. (fdrake)
Summary: Harmful XML_ParserCreateNS suggestion

Initial Comment:
The documentation for XML_ParserCreateNS says for the sep parameter "you should pick a character for sep that can't be part of a legal URI".

This is a very bad suggestion, for example, the test suite uses the space character and Google code search suggests other people are using among other things "|", "!", "#", "&", ":", "/", and tab.

It is true that legal URIs cannot contain some of these characters such as space and tab, but xmlns attributes certainly can and Expat does not filter them out. Poorly written name expansion code is so easily vulnerable to attack.

Instead, the documentation should strongly recommend against using any of these characters and recommend to use a character that cannot occur in XML_Char arrays. In particular, -1 and WCHAR_MAX cannot occur because UTF-8 prohibits 0xFF and XML prohibits U+FFFF. Another suggestion would be 0x01 if Expat will never support XML 1.1.

----------------------------------------------------------------------

>Comment By: Karl Waclawek (kwaclaw)
Date: 2009-01-17 11:03

Message:
No complaints about fix.

----------------------------------------------------------------------

Comment By: Karl Waclawek (kwaclaw)
Date: 2007-06-24 13:22

Message:
Logged In: YES 
user_id=290026
Originator: NO

Although I am not quite sure how one would create an attack based on this
weakness - not being a hacker myself, I do agree that the docs should be
worded stronger. I think this issue has come up before, e.g. in bug #
918730. I committed a fix in reference.html rev. 1.74.

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=1742315&group_id=10127

More information about the Expat-bugs mailing list