Re: Issue 5.1) SSH End of message directive
>>>>> On Thu, 19 Feb 2004 15:25:45 -0500, "Tim Stoddard" <tstoddar@utstar.com> said:
Tim> I agree with your CDATA scenario and I am open to suggestions for
Tim> something kind of illegal.

You know, I've been thinking for a while that framing tags like
<?EOM?> would be problematic if they needed to be put inside a normal
message. But the obvious question would be, when would that need ever
arise? It wouldn't. Unless you were trying to do something evil.

If parsers are *only* looking for <?EOM?> (or whatever) to distinguish
the end of a frame, this could be easily used to cause a(nother)
denial of service attack. Consider a user with the ability to change
just one string somewhere (say his name for his account). If he
changes his name to John <?EOM?> Doe, what will parsers do? Will any
request to pull the entire configuration from the device now fail
(assuming it was inside a CDATA section and not properly escaped in a
normal XML stream)? Won't inserting <?EOM?> anywhere in the
configuration entirely stop a management station from being able to
manage the whole device? (They could manage anything but that
particular component, but half the point of netconf was to enable global
management).
--
"In the bathtub of history the truth is harder to hold than the soap,
and much more difficult to find." -- Terry Pratchett
--
archive: <http://ops.ietf.org/lists/netconf/>
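
An added example, not part of the original message: a receiver that scans only for <?EOM?> is run against a constructed reply whose account name contains the marker inside CDATA, next to a length-prefixed framer that never scans payload bytes. The element names, the helper functions and the length-prefix scheme are assumptions made for illustration; the thread does not propose them.

```python
import xml.etree.ElementTree as ET

EOM = b"<?EOM?>"

def build_reply(name):
    # Constructed reply; element names are illustrative, not a NETCONF schema.
    return ("<rpc-reply><user><name><![CDATA[%s]]></name></user></rpc-reply>"
            % name).encode()

def split_on_marker(stream):
    # Receiver that looks *only* for the marker to find the end of a frame.
    frames = stream.split(EOM)
    return frames[:-1]  # bytes after the last marker are an unfinished frame

def encode_length_prefixed(payload):
    # Out-of-band framing (assumed scheme): byte count, newline, payload.
    return str(len(payload)).encode() + b"\n" + payload

def decode_length_prefixed(stream):
    frames, pos = [], 0
    while pos < len(stream):
        nl = stream.index(b"\n", pos)
        size = int(stream[pos:nl])
        start, end = nl + 1, nl + 1 + size
        if end > len(stream):
            raise ValueError("truncated frame")
        frames.append(stream[start:end])  # payload bytes are never scanned
        pos = end
    return frames

def well_formed(frame):
    # True when the frame parses as a complete XML document.
    try:
        ET.fromstring(frame)
        return True
    except ET.ParseError:
        return False

if __name__ == "__main__":
    reply = build_reply("John <?EOM?> Doe")  # the name from the message
    by_marker = split_on_marker(reply + EOM)
    by_length = decode_length_prefixed(encode_length_prefixed(reply))
    print("marker framing:", [well_formed(f) for f in by_marker])
    print("length framing:", [well_formed(f) for f in by_length])
```

With marker-only framing the single reply arrives as two fragments, neither of which parses; with the length prefix the same bytes arrive as one well-formed document.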