#445 Harmful XML_ParserCreateNS suggestion


The documentation for XML_ParserCreateNS says for the sep parameter "you should pick a character for sep that can't be part of a legal URI".

This is a very bad suggestion; for example, the test suite uses the space character, and Google code search suggests other people are using, among other things, "|", "!", "#", "&", ":", "/", and tab.

It is true that legal URIs cannot contain some of these characters such as space and tab, but xmlns attributes certainly can and Expat does not filter them out. Poorly written name expansion code is so easily vulnerable to attack.

Instead, the documentation should strongly recommend against using any of these characters and recommend using a character that cannot occur in XML_Char arrays. In particular, -1 and WCHAR_MAX cannot occur because UTF-8 prohibits 0xFF and XML prohibits U+FFFF. Another suggestion would be 0x01 if Expat will never support XML 1.1.
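The ambiguity described in the report, as an added example that is not part of the original report or of Expat's own code: it uses Python's `xml.parsers.expat` binding, whose `namespace_separator` argument plays the role of `sep`, and compares ":" (one of the separators listed above) with 0x01. The namespace `urn:example:trusted`, the sample document and the helper names are constructed for illustration.

```python
import xml.parsers.expat

TRUSTED_NS = "urn:example:trusted"  # constructed namespace, not from the report

# Constructed input: the xmlns value is a *different* namespace that merely
# extends the trusted URI with ":x".
DOC = b'<item xmlns="urn:example:trusted:x"/>'


def expanded_names(doc, sep):
    """Parse doc with namespace processing and return the element names
    exactly as Expat hands them to the start-element handler."""
    names = []
    parser = xml.parsers.expat.ParserCreate(namespace_separator=sep)
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(doc, True)
    return names


def naive_is_trusted(name, sep):
    """Fragile check: prefix match on 'URI + sep'."""
    return name.startswith(TRUSTED_NS + sep)


def strict_is_trusted(name, sep):
    """Split at the last separator and compare the whole URI.
    Assumes the local name itself cannot contain sep."""
    uri, found, _local = name.rpartition(sep)
    return bool(found) and uri == TRUSTED_NS


if __name__ == "__main__":
    for sep in (":", "\x01"):
        name = expanded_names(DOC, sep)[0]
        print(repr(sep), repr(name),
              "naive:", naive_is_trusted(name, sep),
              "strict:", strict_is_trusted(name, sep))
```

With ":" the prefix check accepts the foreign namespace, while with 0x01, which cannot appear in an XML 1.0 attribute value, the same check cannot be confused.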


  • Karl Waclawek

    Karl Waclawek - 2007-06-24

    Logged In: YES
    Originator: NO

    Although I am not quite sure how one would create an attack based on this weakness - not being a hacker myself - I do agree that the docs should be worded more strongly. I think this issue has come up before, e.g. in bug #918730. I committed a fix in reference.html rev. 1.74.

  • Karl Waclawek

    Karl Waclawek - 2007-06-24
    • status: open --> open-fixed
  • Karl Waclawek

    Karl Waclawek - 2009-01-17
    • status: open-fixed --> closed-fixed
  • Karl Waclawek

    Karl Waclawek - 2009-01-17

    No complaints about fix.

