Mikael Olsson wrote: > > I also don't see what this potential bug in the parser has to do with > > computer security. > > A-hem. > > "Since we should be able to rely upon everyone sending us > well-formed and validated data that conform to all standards, > it doesn't matter if the software that we use to receive it > is crappy. No one would willingly do us any harm!" > > (I'm sorry about the harsh tone, but, to me, that's the sum total > of what you're saying?) Not really. I'm not excusing the bug. They should fix it. I'm just saying that in my opinion, being able to send a browser some data that makes it hang doesn't necessarily constitute a denial of services. You can still close out of the browser and probably not lose much available memory, I assume, and no other services are affected other than the one browser process. You can do the same thing to Netscape Navigator (funny how *their* bugs are less offensive to people) by making a valid HTML document (of course, "valid HTML" still has a lot of leeway) containing nested tables or lists, about 15 levels deep. I have an example of this at: http://www.skew.org/xml/tree_viewers/sample_output.html (not a plug; just don't expect the page to load in most versions of Navigator) > I do agree that this particular bug won't "compromise" your > system per se, but what about continually mailing large XML > to someone using Outlook or some other mail software that > uses MSIE to display HTML/XML? Good point. I didn't think of that. MSIE's rendering engine is available for use by other applications, so they'd potentially be affected as well. Too bad this wasn't mentioned in the original post. Of course, along those same lines, continually mailing large files can cause many problems when disks start filling up.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:28:17 PDT