On "max. tag nesting depth" in the Kolab-Format spec
Florian v. Samson
florian.samson at bsi.bund.de
Fri Jul 15 15:47:16 CEST 2011
Jeroen,
On Friday, 15 July 2011 at 15:11:55, Jeroen van Meeuwen (Kolab
Systems) wrote:
> Florian v. Samson wrote:
> > On Friday, 15 July 2011 at 11:42:10, Jeroen van Meeuwen (Kolab
> > Systems) wrote:
> > > Furthermore, if the limit in nesting levels is to be implemented to
> > > prevent a potential client denial of service, I would argue you also
> > > require a limit for string lengths, number of sequential tags,
> > > content characters and maximum number of folders for a Kolab account.
> >
> > Oh yes, I fully agree, and suppose Bernhard will do so as well.
>
> You would, seriously, want to specify a hard limit on these potential
> attack vectors through the format?
Yes, we already did so in KEP2, when we detected a potentially unlimited
length string, the sec-frac ("frac-sec"?; never mind) in the datetime, to
be specific.
Any potentially *unlimited* <something> ought to be limited, IMO.
There really are not that many cases.
What is wrong with that approach, in your opinion?
Cheers
Florian
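
The limits discussed in this thread (nesting depth, number of tags, string and content lengths), shown as an added example that is not part of the original message or of any Kolab code: a streaming check built on Python's expat bindings that aborts at the first violation. The limit values, the names `check_limits` and `LimitExceeded`, and the sample object are assumptions, not taken from the Kolab-Format spec or KEP2.

```python
import xml.parsers.expat

# Assumed limits for illustration; not values from the Kolab-Format spec or KEP2.
MAX_DEPTH = 8        # tag nesting depth
MAX_ELEMENTS = 1000  # total tags in one object
MAX_TEXT = 4096      # content characters per element or attribute value
MAX_BYTES = 1 << 20  # size of the whole serialized object

class LimitExceeded(ValueError):
    """Raised as soon as the input crosses one of the limits."""

def check_limits(data: bytes) -> dict:
    """Stream-parse data and abort at the first violation; return observed maxima."""
    if len(data) > MAX_BYTES:
        raise LimitExceeded("object larger than MAX_BYTES")
    stats = {"depth": 0, "elements": 0, "text": 0}
    text_len = [0]  # one counter per open element; its length tracks the depth

    def start(name, attrs):
        text_len.append(0)
        stats["elements"] += 1
        stats["depth"] = max(stats["depth"], len(text_len) - 1)
        if len(text_len) - 1 > MAX_DEPTH:
            raise LimitExceeded(f"nesting depth > {MAX_DEPTH} at <{name}>")
        if stats["elements"] > MAX_ELEMENTS:
            raise LimitExceeded(f"more than {MAX_ELEMENTS} elements")
        if any(len(v) > MAX_TEXT for v in attrs.values()):
            raise LimitExceeded(f"attribute value too long on <{name}>")

    def end(name):
        text_len.pop()

    def chars(chunk):
        # expat may deliver one text node in several chunks, so accumulate.
        text_len[-1] += len(chunk)
        stats["text"] = max(stats["text"], text_len[-1])
        if text_len[-1] > MAX_TEXT:
            raise LimitExceeded(f"more than {MAX_TEXT} content characters")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return stats

# Constructed sample, loosely shaped like a calendar object (not a real Kolab object).
SAMPLE = b"<event><summary>Review</summary><start-date>2011-07-15T13:47:16.5Z</start-date></event>"

if __name__ == "__main__":
    print(check_limits(SAMPLE))
```

Malformed input still raises `xml.parsers.expat.ExpatError`, so a caller should treat both exception types as a rejected object.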