
Re: Issue 5.1) SSH End of message directive



Wes Hardaker wrote:

On Thu, 19 Feb 2004 15:25:45 -0500, "Tim Stoddard" <tstoddar@utstar.com> said:



Tim> I agree with your CDATA scenario and I am open to suggestions for
Tim> something kind of illegal.

You know, I've been thinking for a while that framing tags like
<?EOM?> would be problematic if they needed to be put inside a normal
message.  But the obvious question would be, when would that need ever
arise?  It wouldn't.  Unless you were trying to do something evil.

If parsers are *only* looking for <?EOM?> (or whatever) to distinguish
the end of a frame, this could be easily used to cause a(nother)
denial of service attack. Consider a user with the ability to change
just one string somewhere (say his name for his account). If he
changes his name to John <?EOM?> Doe, what will parsers do? Will any
request to pull the entire configuration from the device now fail
(assuming it was inside a CDATA section and not properly escaped in a
normal XML stream)?  Won't inserting <?EOM?> anywhere in the
configuration entirely stop a management station from being able to
manage the whole device? (They could manage anything but that
particular component, but half the point of netconf was to enable global
management).



This issue is not specific to a framing tag; it can happen if any
characters required to be escaped by XML can appear in configuration or
other strings that get sent through NETCONF. The NETCONF component has
to escape such things; it's a bug if it doesn't.


Rob


-- to unsubscribe send a message to netconf-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/netconf/>
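
The escaping point made in the reply above, as an added example that is not part of the original messages: a sender that places a user-controlled string in a frame either XML-escaped or raw inside CDATA, and a receiver that splits the stream only on `<?EOM?>`. The element names and the functions `build_frame`, `split_frames` and `receive` are constructed for illustration and are not from any NETCONF implementation or schema.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EOM = "<?EOM?>"  # framing directive under discussion in the thread

def build_frame(name, escape_text=True):
    """Serialize a reply carrying one user-controlled string, then append EOM.

    The element names are constructed for this example, not taken from a schema.
    """
    if escape_text:
        body = escape(name)                  # '&', '<', '>' become entities
    else:
        body = "<![CDATA[" + name + "]]>"    # raw text: the CDATA scenario
    return "<rpc-reply><user><name>" + body + "</name></user></rpc-reply>" + EOM

def split_frames(stream):
    """Receiver that looks only for the EOM marker to find frame boundaries."""
    return [part for part in stream.split(EOM) if part]

def receive(stream):
    """Parse each frame; return the name it carries, or None if not well-formed."""
    names = []
    for frame in split_frames(stream):
        try:
            names.append(ET.fromstring(frame).findtext("user/name"))
        except ET.ParseError:
            names.append(None)
    return names

if __name__ == "__main__":
    name = "John <?EOM?> Doe"                # constructed input from the scenario above
    print(receive(build_frame(name, escape_text=True)))    # one intact frame
    print(receive(build_frame(name, escape_text=False)))   # two broken fragments
```

With escaping, the marker inside the name travels as `&lt;?EOM?&gt;` and the receiver recovers the original string; in the CDATA case the same receiver cuts the reply into two fragments, neither of which is well-formed XML.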