On "max. tag nesting depth" in the Kolab-Format spec
Florian v. Samson
florian.samson at bsi.bund.de
Fri Jul 15 11:22:48 CEST 2011
Hi Georg,
Am Freitag, 15. Juli 2011 um 10:37:33 schrieb Georg C. F. Greve:
>
> Just very briefly, I will come back to kolab-format@ with a bit more time
> in the next weeks, but I think some more work needs to be done on showing
> the rationale for a hard-coded nesting depth limit:
>
> On Friday 15 July 2011 10.12:49 Florian v. Samson wrote:
> > In short: Why not?
>
> "640K ought to be enough for anybody."
>
> There is an inherent problem with foreseeing absolute numbers and limits
> in computing, and changing this later if/when we hit that barrier will be
> very expensive for all clients.
While I do understand this aspect and have no issue with raising the limit
to e.g. 127, I do agree with Bernhard that there ought to be one.
I do believe that this specific case has its logical limits in nesting
depth: a XML-construct which may nest indefinitely would be very bad
design, IMO. So this case is much more specific and does have its logical
boundaries which *are* roughly assessable, in contrast to, e.g., the
resource consumption of software in 15 years in terms of "Main memory
space", "Mass storage space", "Computing power", "I/O load" etc.
> > You have not argued against any of the dangers I pointed out:
>
> The threat scenario so far seems based on a malicious user that
> deliberately tries to destroy data.
... or just let the clients of many other Kolab-users go awry (DOS).
And those which stumble would do so until the forged Kolab-object is deleted
on the server.
> This is a scenario that is almost
> impossible to protect against in the end, and nesting bombs are a lot
> more complex as an attack than currently existing attack vectors which we
> realistically cannot prevent.
Really, I cannot think of anything much simpler than to forge and upload a
Kolab-object to a shared IMAP-folder on a Kolab-server.
Can you please provide two or three examples of the "a lot simpler currently
existing attack vectors which we realistically cannot prevent."?
Cheers
Florian
More information about the format
mailing list