On "max. tag nesting depth" in the Kolab-Format spec
Florian v. Samson
florian.samson at bsi.bund.de
Fri Jul 15 14:22:50 CEST 2011
Hi Jeroen,
Am Freitag, 15. Juli 2011 um 11:42:10 schrieb Jeroen van Meeuwen (Kolab
Systems):
> Florian v. Samson wrote:
> > Am Freitag, 15. Juli 2011 um 10:37:33 schrieb Georg C. F. Greve:
> > > Just very briefly, I will come back to kolab-format@ with a bit more
> > > time in the next weeks, but I think some more work needs to be done
> > > on showing the rationale for a hard-coded nesting depth limit:
> > >
> > > On Friday 15 July 2011 10.12:49 Florian v. Samson wrote:
> > > > In short: Why not?
> > >
> > > "640K ought to be enough for anybody."
> > >
> > > There is an inherent problem with foreseeing absolute numbers and
> > > limits in computing, and changing this later if/when we hit that
> > > barrier will be very expensive for all clients.
> >
> > While I do understand this aspect and have no issue with raising the
> > limit to e.g. 127, I do agree with Bernhard that there ought to be one.
>
> I disagree.
>
> Prevention of the parsing of nested XML potentially resulting in denial
> of service is hardly Kolab Format's purvue, but could instead be
> implemented, for example, in a parsing library -by means of limited
> read-ahead- and/or in or through the client.
Sorry, I am unable to follow that logic: "Prevention of <whatever> is hardly
Kolab Format's purview, but could instead be implemented ... in a parsing
library ...".
A specifications (as the Kolab-format spec) primary purpose is always to
provide rules for implementers. Hence, IMO this would be fully in the
purview of the Kolab-format spec.
The question rather was, if this makes sense, both logically and
technically.
> Also, *specifying* the maximum level of nesting does not *prevent* the
> maximum level of nesting from being exceeded.
Well this is nitpicking on words, IMO!
Yes, specifying that such Kolab-objects MUST be neither generated nor parsed
(beyond a certain nesting level) does not prevent a malicious user to
hand-craft such an Kolab-object and upload it.
But it would be guaranteed to have no ill effect on on any conformant
client.
> As such, clients would have to 1) read, 2) count
... while reading / parsing
> , 3) hit the limit, 4) ignore further nesting levels,
Yup, that is it.
> but this is an absolutely flawed implementation of trying to implement
> DoS prevention, and very costly to change once the limit has to be
> raised. Insert here a remark on road speed limits, and IPv4 -> IPv6.
I already pointed out that this not alike the "640K" barrier.
And even if you still believe it does: that "barrier" was overcome soon, so
where/what is the proof in that story?
But your examples do actually fit well:
1. Do you seriously believe that establishing a world wide rule that all
road speed limits MUST be set to less than 500 mph would ever do any harm?
(BTW, lake Bonneville is not an official road! ;-) )
2. Would you also support saying it is too strict to limit IP-addresses to
max. 256 Bytes forever, even though one can easily calculate that with this
limit imposed one could assign vast numbers of IP-addresses to every atom
in the solar system?
If we ever reach those limits (and this is very unlikely due to logical or
physical barriers) I suppose Kolab will be log outdated or vastly
overhauled, as it happened with the PC ("640K" barrier) as well.
> Furthermore, if the limit in nesting levels is to be implemented to
> prevent a potential client denial of service, I would argue you also
> require a limit for string lengths, number of sequential tags, content
> characters and maximum number of folders for a Kolab account.
Oh yes, I fully agree, and suppose Bernhard will do so as well.
Cheers
Florian
More information about the format
mailing list