search

abdelazer / openpub

Automatically exported from code.google.com/p/openpub
0 stars 0 forks source link

Draft section describing security considerations #21

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
Develop a set of references for security considerations around OPDS Catalogs. 
Unless we have a deep understanding, I think this should only be a list of 
references to other specs.

Please note that any discussion should happen on the mailing list rather
than the comments of the issue tracker.

Mailing list threads should reference the number of any open Issue in the
Subject line " (#ISSUE)".

Original issue reported on code.google.com by abdela...@gmail.com on 10 Mar 2010 at 4:36

GoogleCodeExporter commented 9 years ago

Original comment by ed.summers on 10 Mar 2010 at 5:55

GoogleCodeExporter commented 9 years ago

Original comment by liza31337@gmail.com on 3 May 2010 at 3:33

GoogleCodeExporter commented 9 years ago 
Security Considerations

OPDS Catalogs are Atom documents delivered over HTTP and thus subject to the 
security considerations found 
in Section 15 of [RFC2616] and Section 5 of [RFC4287].

Linked Resources

OPDS Catalogs can contain XML External Entities as defined in Section 4.2.2 of 
[REC-xml]. OPDS Catalog 
implementations are not required to load external entities. External entities 
are subject to the same security 
concerns as any network operation and can alter the semantics of an OPDS 
Catalog Document. The same 
issues exist for Resources linked to by Catalog elements such as atom:link and 
atom:content.

URIs and IRIs

OPDS Catalog implementations handle URIs and IRIs. See Section 7 of [RFC3986] 
and Section 8 of [RFC3987] for 
security considerations related to their handling and use.

Code Injection and Cross Site Scripting

OPDS Catalogs can contain a broad range of content types including code that 
might be executable in some 
contexts. Malicious publishers could attempt to attack servers or other clients 
by injecting code into OPDS 
Catalog Documents or OPDS Catalog Entry Documents or Media Resources.

Server implementations are strongly encouraged to verify that external content 
is safe prior to aggregating, 
processing, or publishing it. In the case of HTML, experience indicates that 
verification based on a white list of 
acceptable content is more effective than a black list of forbidden content.

Additional information about XHTML and HTML content safety can be found in 
Section 8.1 of [RFC4287].

Original comment by abdela...@gmail.com on 4 May 2010 at 5:05

GoogleCodeExporter commented 9 years ago

Original comment by abdela...@gmail.com on 25 May 2010 at 5:44